Citadel malware targets localized brands and users
Malware variant can modify localized versions of social networks, banks and e-commerce sites when accessed from infected computers
IDG News Service - A new variant of the Citadel financial malware uses in-browser injection techniques combined with extensive content localization to steal log-in credentials and credit card information from users in different countries, according to researchers from security vendor Trusteer.
Citadel has the ability to modify or replace websites opened by users on infected computers. This is known as a man-in-the-browser attack and is frequently used by financial Trojan programs to trick users into exposing their log-in details and other sensitive information.
The new Citadel variant targets users of social networks, banks and major e-commerce sites, including Amazon and its local versions in France, Spain, Italy and Germany, the Trusteer researchers said in a blog post.
International as well as local brands are targeted, said Etay Maor, fraud prevention manager at Trusteer, Thursday via email.
When the targeted websites are accessed from computers infected with the new Citadel variant, the malware replaces them with rogue versions that claim users' accounts were blocked because of suspicious activity. The victims are then asked to input their personal and credit card information in order to confirm that they are the legitimate owners of the accounts and proceed to unlock them.
This particular social engineering technique has been used for years in phishing attacks. However, unlike in traditional phishing, when websites are modified locally by Citadel or similar malware, the URLs displayed in the browser's address bar are those of the legitimate websites.
The use of localized HTML injections by financial malware is not new, but the extra effort put into this new Citadel variant to make the rogue content believable makes it stand out, Maor said.
The particular variant uses some interesting technical tricks to create the injection screens, Maor said. For example, it includes customized drop down menus and requests for information generated in local languages, he said.
These implementation aspects, the operating team's behavior and the botnet's command-and-control structure point to a detail-oriented and professional operation, Maor said.
Based on data collected and analyzed by Trusteer, the company's researchers estimate that several thousands of computers have been infected with this new Citadel variant so far.
Earlier this month Microsoft said that it worked with the FBI and other technology industry partners to disrupt more than 1,400 botnets based on the Citadel malware. The company estimated at the time that those botnets were responsible for more than $500,000 million in losses to people and businesses around the world.
Microsoft's effort disrupted the operation of many Citadel botnets, but anyone with a Citadel builder -- an application used to build customized versions of the Trojan program -- can create a new variant and start a new operation of his own, Maor said. "We actually see new Citadel botnets in play."
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!