Malware goes global, with a local feel

We're all pretty good at spotting a phishing scam, a fake page, a phony form to fill in. KitGuru readers and many internet users are pretty well versed in keeping their PCs secure and not giving anyone their details unless they're a legitimate source – and have good reason to be asking for them. We look out for broken English, strange URLs, poor image quality and a variety of other factors when browsing around. It pays to stay vigilante and keep your online identity as well as the health of your computer, safe.

However, malware makers are catching on to our practices. They know that the days of simple Nigerian banker scams are coming to an end and to get the details of today's tech savvy web user, they're going to have to try a lot harder: and they are.

Enter the new version of the Citadel trojan. Spotted by Trusteer, anti-phishing firm and creator of the Rapport banking software, this new version of Citadel is designed to target people across the world, in all sorts of different countries, but to do that effectively, it's gone local. Citadel now has near-perfect translations of its HTML injection, making it much harder to detect if there's something malicious going on.

This isn't the first time localised versions of malware have been found, but this is a very sophisticated change up, that's designed to catch out social networkers as well as users of big retail websites like Amazon. According to Trusteer, Citadel now has injection scripts in: Spanish, French and German, as well as English variants for Britain, Canada, Australia and America.

“Once a device is infected, Citadel displays an injection screen the next time the victim visits the targeted website. The localised injection is created based on a predefined template that changes based on the targeted URL,” explained Trusteer.

An example of the US localisation of the injection.

Each element of the form is affected by the localisation script. The header image changes, as does the explanation text and each input field on the form, including all drop down menus. 

Trusteer goes on to postulate that due to the sophistication of this malware variant, this is the work of what it describes as a “cybercrime team,” one that is keen to push for monetisation with its malware, not just proliferate it for some sort of technical achievement. Thanks to Citadel's ability to scrub login credentials, it's also capable of taking on credit card information, which in large numbers, can be worth a lot of money. 

Using malware that can target multiple countries, gives the nefarious individuals behind it a much bigger marketplace, since those buying credit card details or accounts that have a decent amount of credit with a company, tend to prefer to buy ones based in their locale to avoid arousing suspicion when utilising the account's resources.

KitGuru Says: So be vigilant people. Just because the English is good and the header image is dead on, doesn't mean it's legitimate  Check the URL, but if you're really not sure, go to the website's main URL and perform your login there.

Become a Patron!