Citadel Trojan automatically localizes fraud content

Any successful business knows that it cannot rely solely on one market for future growth. Software companies often conduct business in multiple international markets and typically localize products and messaging to each market’s native language. Malware is no different.

A recent Citadel variant discovered by Trusteer is capable of delivering fraudulent web pages that are automatically customized for the language of each market and brand being targeted.

While not the first use of HTML injection in multiple languages, the authors of this Citadel variant have taken the time to customize the HTML injections for multiple brands in multiple languages. The targets of this variant include social networks, banks, and major ecommerce sites, including Amazon.com. The Citadel authors created HTML injection scripts for Italian, Spanish, French and German targets as well as British, Canadian, Australian and American versions of each brand.

Once a device is infected, Citadel displays an injection screen the next time the victim visits the targeted website. The localized injection is created based on a predefined template that changes based on the targeted URL. Here is an example of the fake screen the user would see when accessing the US Amazon website.

Each element (text, input fields, drop-down menus, etc.) is created based on the localisation script. For example, the heading “Detected suspicious activity. Your account has been blocked” will change to the following when an infected user accesses Amazon’s international sites:

Amazon.fr: “On détecte l’activité méfiante. Votre compte est bloqué.”

Amazon.de: “Es wurde die verdächtige Aktivität bemerkt. Ihr Account wurde gesperrt.”

Amazon.it: “Si e’ verificata un attivita’ sospetta. Il Suo account e’ stato bloccato”.

Amazon.es: “Se ha detectado actividad maliciosa. Su cuenta ha sido bloqueada”.

The sophistication of the malware combined with the low profile maintained by the criminal gang suggests that this is the work of a highly sophisticated cybercrime team.

The use of a single variant that is capable of targeting multiple international brands provides a significant advantage in the monetising process that follows. The malware not only collects login credentials, it also captures credit card data that can be sold separately to other criminals.

Criminals that buy and sell stolen credentials in the fraud underground generally prefer to deal with region specific credentials. For example, a Spanish criminal will likely find it easier to cash out on Spanish accounts rather than American accounts.
