Citadel malware variant uses content localization to target brands and users in different countries

The malware modifies the localized versions of social networks, banks and e-commerce sites when accessed from infected computers

A new variant of the Citadel financial malware uses in-browser injection techniques combined with extensive content localization to steal log-in credentials and credit card information from users in different countries, according to researchers from security vendor Trusteer.

Citadel has the ability to modify or replace websites opened by users on infected computers. This is known as a man-in-the-browser attack and is frequently used by financial Trojan programs to trick users into exposing their log-in details and other sensitive information.

The new Citadel variant targets users of social networks, banks and major e-commerce sites, including Amazon and its local versions in France, Spain, Italy and Germany, the Trusteer researchers said in a blog post.

International as well as local brands are targeted, Etay Maor, fraud prevention manager at Trusteer, said Thursday via email.

When the targeted websites are accessed from computers infected with the new Citadel variant, the malware replaces them with rogue versions that claim users' accounts were blocked because of suspicious activity. The victims are then asked to input their personal and credit card information in order to confirm that they are the legitimate owners of the accounts and proceed to unlock them.

This particular social engineering technique has been used for years in phishing attacks. However, unlike in traditional phishing, when websites are modified locally by Citadel or similar malware, the URLs displayed in the browser's address bar are those of the legitimate websites.

The use of localized HTML injections by financial malware is not new, but the extra effort put into this new Citadel variant to make the rogue content believable makes it stand out, Maor said.

The particular variant uses some interesting technical tricks to create the injection screens, Maor said. For example, it includes customized drop down menus and requests for information generated in local languages, he said.
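Because the injected "your account is blocked" form is rendered under the legitimate site's own URL, as described above, defenders cannot rely on address-bar checks; a site operator has to compare what the browser actually rendered against what the genuine page contains. The following Python script is an added example, not code from the article or from Trusteer: it parses page HTML (as a client-side beacon or a proxy might report it back) with the standard library's html.parser, flags form fields the genuine login page never has, and looks for localized lure text and the kind of extra drop-down menus the article mentions. The path, baseline field list, lure phrases and both sample pages are constructed for illustration.

```python
"""Detect injected form fields and lure text in a served login page.

Added example (not from the article or Trusteer): compares the fields
actually present in rendered page HTML with the fields the genuine page is
known to contain, and flags additions typical of man-in-the-browser
injections (card number, CVV, expiry) plus "account blocked" lure phrases.
Every name, baseline and sample page below is constructed for illustration.
"""
from html.parser import HTMLParser

# Constructed baseline: form element names the genuine login page contains.
EXPECTED_FIELDS = {
    "/login": {"username", "password"},
}

# Field names that never belong on a login page; their presence is a strong
# signal of an injected "verify your account" form (constructed list).
SENSITIVE_FIELDS = {"cardnumber", "card_number", "cvv", "cvc", "pin", "expiry", "ssn"}

# Lure phrases in several languages, reflecting the localized injections the
# article describes (constructed list, matched against lower-cased text).
LURE_PHRASES = (
    "account has been blocked",
    "suspicious activity",
    "compte a été bloqué",
    "cuenta ha sido bloqueada",
    "konto wurde gesperrt",
)


class _FieldCollector(HTMLParser):
    """Collect names of input/select/textarea elements and all text nodes."""

    def __init__(self):
        super().__init__()
        self.fields = set()
        self.text_parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            attr_map = dict(attrs)
            name = attr_map.get("name") or attr_map.get("id")
            if name:
                self.fields.add(name.lower())

    def handle_data(self, data):
        self.text_parts.append(data)


def analyze_page(path, html):
    """Return a report: unexpected fields, sensitive fields, lure phrases found."""
    parser = _FieldCollector()
    parser.feed(html)
    text = " ".join(parser.text_parts).lower()
    expected = EXPECTED_FIELDS.get(path, set())
    unexpected = parser.fields - expected
    sensitive = unexpected & SENSITIVE_FIELDS
    lures = [phrase for phrase in LURE_PHRASES if phrase in text]
    return {
        "path": path,
        "unexpected_fields": sorted(unexpected),
        "sensitive_fields": sorted(sensitive),
        "lure_phrases": lures,
        "suspicious": bool(sensitive or lures),
    }


# Constructed sample: the genuine login form as the server sends it.
GENUINE_HTML = """
<html><body>
<h1>Sign in</h1>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
<a href="/reset">Forgot password?</a>
</body></html>
"""

# Constructed sample: the same page after a man-in-the-browser injection,
# with a localized lure, a custom drop-down and card-data fields added.
INJECTED_HTML = """
<html><body>
<h1>Sign in</h1>
<p>Your account has been blocked due to suspicious activity.
Please confirm your identity to unlock it.</p>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <select name="card_type"><option>Visa</option><option>MasterCard</option></select>
  <input type="text" name="cardnumber">
  <input type="text" name="expiry">
  <input type="text" name="cvv">
  <input type="submit" value="Confirm">
</form>
</body></html>
"""

if __name__ == "__main__":
    for label, page in (("genuine", GENUINE_HTML), ("injected", INJECTED_HTML)):
        print(label, analyze_page("/login", page))
```

In practice the baseline would be generated from the page template at deploy time rather than hand-written, and the report would feed a fraud-monitoring pipeline keyed on the session that submitted it; the field-name comparison is deliberately simple so that localized variants, which change the visible text but not the harvested field set, are still caught.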

These implementation aspects, the operating team's behavior and the botnet's command-and-control structure point to a detail-oriented and professional operation, Maor said.

Based on data collected and analyzed by Trusteer, the company's researchers estimate that several thousand computers have been infected with this new Citadel variant so far.

Earlier this month Microsoft said that it worked with the FBI and other technology industry partners to disrupt more than 1,400 botnets based on the Citadel malware. The company estimated at the time that those botnets were responsible for more than US$500,000 million in losses to people and businesses around the world.

Microsoft's effort disrupted the operation of many Citadel botnets, but anyone with a Citadel builder -- an application used to build customized versions of the Trojan program -- can create a new variant and start a new operation of his own, Maor said. "We actually see new Citadel botnets in play."


Lucian Constantin

IDG News Service