Citadel malware variant uses content localization to target brands and users in different countries

The malware modifies the localized versions of social networks, banks and e-commerce sites when accessed from infected computers

A new variant of the Citadel financial malware uses in-browser injection techniques combined with extensive content localization to steal log-in credentials and credit card information from users in different countries, according to researchers from security vendor Trusteer.

Citadel has the ability to modify or replace websites opened by users on infected computers. This is known as a man-in-the-browser attack and is frequently used by financial Trojan programs to trick users into exposing their log-in details and other sensitive information.

The new Citadel variant targets users of social networks, banks and major e-commerce sites, including Amazon and its local versions in France, Spain, Italy and Germany, the Trusteer researchers said in a blog post.

International as well as local brands are targeted, said Etay Maor, fraud prevention manager at Trusteer, Thursday via email.

When the targeted websites are accessed from computers infected with the new Citadel variant, the malware replaces them with rogue versions that claim users' accounts were blocked because of suspicious activity. The victims are then asked to input their personal and credit card information in order to confirm that they are the legitimate owners of the accounts and proceed to unlock them.

This particular social engineering technique has been used for years in phishing attacks. However, unlike in traditional phishing, when websites are modified locally by Citadel or similar malware, the URLs displayed in the browser's address bar are those of the legitimate websites.

The use of localized HTML injections by financial malware is not new, but the extra effort put into this new Citadel variant to make the rogue content believable makes it stand out, Maor said.

The particular variant uses some interesting technical tricks to create the injection screens, Maor said. For example, it includes customized drop down menus and requests for information generated in local languages, he said.

These implementation aspects, the operating team's behavior and the botnet's command-and-control structure point to a detail-oriented and professional operation, Maor said.

Based on data collected and analyzed by Trusteer, the company's researchers estimate that several thousands of computers have been infected with this new Citadel variant so far.

Earlier this month Microsoft said that it worked with the FBI and other technology industry partners to disrupt more than 1,400 botnets based on the Citadel malware. The company estimated at the time that those botnets were responsible for more than US$500,000 million in losses to people and businesses around the world.

Microsoft's effort disrupted the operation of many Citadel botnets, but anyone with a Citadel builder -- an application used to build customized versions of the Trojan program -- can create a new variant and start a new operation of his own, Maor said. "We actually see new Citadel botnets in play."

Join the CSO newsletter!

Error: Please check your email address.

Tags Trusteersecuritymalwarefraud

More about Amazon Web ServicesCitadelFBIMicrosoftTrusteerTrusteerTrusteer

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place