The frequency of online banking fraud incidents has increased over the last years. A method used by different cybercriminals is the injection of malicious code into the targeted web pages. For example, attackers might inject an additional piece code into the webpage of a targeted bank asking users to enter extra personal information (e.g., the PIN of the card). By comparing attack instances of web injected code attacks from different malware families an answer will given on how cyber criminals evolve the code of financial malware that is been used in injected code attacks against financial institutions. The contribution of this thesis is to verify the current literature of the existence of code re-use among different code instances using different code similarity tools and to explore how and why the code is evolved.