Citadel Trojan Variant Targets Amazon Customers
An operation executed by U.S. law enforcement and Microsoft a few weeks ago led to the takedown of approximately 1,400 Citadel botnets. Unfortunately, a large number of illegal forums still provide the Citadel Trojan builder for free. As a result, the malware remains a major threat.
A new variant of the trojan appeared in the last few weeks. It now attacks not only banks and other financial institutions but also e-commerce websites and social networks. The trojan is activated when the infected device reaches a target site, for example Amazon. A fake log-on page then appears that looks identical to the real one. Furthermore, the fraudulent page is adapted to the region in which the user is located, which makes the whole scam look legitimate.
Etay Maor, who works for Trusteer and is an expert on the Citadel Trojan, said that he was unpleasantly surprised by the sheer effort the criminals have put into the malware's code to make it geographically specific.
The trojan is thought to reach computers through drive-by downloads. Its goal is to collect credentials and other private data, for instance credit card information. The team responsible for these crimes has successfully kept a low profile. Furthermore, little is known about exactly how the gathered data is handled, although it is thought that the information might be sold to third parties.
Maor stated that the criminals have created separate databases for each region, which leads him to think that the information is more likely to be sold than used by the same team behind this project. The fact that the data is grouped by region makes it even more valuable. Maor gave an example: if criminals from Germany wanted to use American credentials, they would need another partner who knew the American rules, but now they can buy data specific to their own region and act completely on their own. Maor also noted that the number of Citadel Trojans distributed is not huge, but it is still significant, and the market for this specific malware has expanded now that it attacks e-commerce websites in addition to banks and financial institutions. This group has also established good defenses for its databases, and has managed to make the malware hard to research. According to Maor, they cannot be called ordinary hackers, as they have improved the malware greatly and use sophisticated strategies to achieve their goals.
The trojan deceives the user with a fake web page which, for example, claims that the user's Amazon account has been blocked because of suspicious activity, so users should be alerted if they log into Amazon and a screen they have never seen before appears. Users are then asked to re-enter their passwords and credit card details, which the trojan collects. The fake injections look authentic: there are no grammar mistakes and the logos look like the real ones.
Maor stated that although the operation carried out by Microsoft and law enforcement organizations was important and successful, it did not solve the problem. Even though more than 1,000 botnets were destroyed, there are still sources where anyone can obtain the Citadel builder and create a new variant. Maor concluded that the criminals behind the current project took a hit, but the malware itself was not eliminated and remains a serious threat, because despite the actions that took down a large number of botnets, the Citadel Trojan and other trojans remain profitable.