Latest Citadel scam sophisticated -- except for grammar

Perhaps one good way to avoid Internet scams is to remember the grammar your teachers taught you in grade school. Some scammers apparently have only a passing acquaintance with English.

Yet another configuration of the Citadel malware, discovered this week by security vendor Trusteer, is targeting Facebook users with a fake request for donations to children's charities in order to steal credit card data.


Trusteer CTO Amit Klein notes in a blog post that this scam is a bit unusual in that the malware is not only configured to deliver web-injection pages in five different languages -- English, Italian, Spanish, German and Dutch -- but it doesn't use the same text for every language. Instead, each attack is customized based on the victim's country and/or region.

But if the English language version is any indication, anybody who bothers to read the appeal carefully will know it is not coming from a credible source. The pitch mangles the language several times.

One sentence says the money will go to programs that "serve the poorest child in Haiti." Another says, "We work currently with two orphanages and elementary school, we are seeking donations." And: "All you give, they'll be much appreciated."

Still, George Tubin, senior security strategist for Trusteer, said the scam is effective because it preys on people's sympathies, telling them of children who "desperately" need their help. It also tries to trick victims by using the names of real, credible charities.

In the English version, the scam claims that the money will go to impoverished Haitian children. The Italian-language version claims it is for the "Red Balloon" campaign, created to fight child mortality in Italy.


Amit Klein's post said Trusteer discovered a bug in the injection code of the Spanish version, which makes it default to English. But the pitch claims it is for a well-known Spanish nutrition program for infants and children.

The German version says donations will be going to ChildFund, and the Dutch version claims the donations will benefit Save the Children.

It is also accessible to those of any income level -- it asks for only a dollar. But, of course, the real goal is to get credit card information. Victims who click on the pop-up are asked to fill out a form requesting their name, card number, expiration date, CVV code, and security password.

The scammers promise, "We treat personal information with the utmost respect for your privacy."

George Tubin said Trusteer discovers attacks by monitoring cybercriminal chat rooms, and also by malware that their security software notices and blocks. He said those who see the pop-up have computers that have been infected by the Citadel malware.

"Even if you don't fall for this scam, it is still active on your machine, and the group that controls it can launch another attack anytime," he said.

Clearly, those victimized need to have their machines scrubbed of the malware. "There are a lot of anti-malware products out there -- some of them are free and a lot of them cost money," Tubin said. "We are among those who have a product that will remove it and also block it."

Tubin said there is no way to tell how many have fallen for the scam, or where it is coming from. "Cybercriminals have a lot of ways of covering their tracks," he said. "But we think it is probably from somewhere in Europe."


Stories by Taylor Armerding