Below is a media alert from Trusteer on a recently discovered configuration of the Citadel malware that targets Facebook users with a fake request for donations to children’s charities to steal credit card data.
Trusteer recently discovered a configuration of the Citadel malware that targets Facebook users with a fake request for donations to children’s charities in order to steal credit card data.
After users have logged into their Facebook account, the Citadel injection mechanism displays a pop up that encourages the victim to donate $1 to children who “desperately” need humanitarian aid. Then, it asks users to fill in their credit card details. The malware is configured to deliver the attack based on the user's country/language settings, with web-injection pages in five different languages: English, Italian, Spanish, German and Dutch.
In an interesting twist, the criminals do not reuse the same text for every language. Instead, they have customized each attack based on the victim’s country and/or region.
Here are the web-injections used for each language:
1) English Attack
In the English-language version of the attack, Facebook users are asked to make a $1 donation for Haitian children living in poverty. The scam claims that the donation program is going to help children in orphanages and elementary schools. The scammers lure users into submitting their credit/debit card details by filling out a form which asks for their name, card number, expiration date, CVV, and security password.
2) Italian Attack
In the Italian-language version of the attack, the criminals exploit the "Red Balloon" campaign that was created to fight child mortality in Italy. The criminals claim that the campaign has already collected more than one million euros for sick children. They indicate that more than 7 million children die from basic illnesses each year.
3) Spanish Attack
Upon examination of the Spanish attack, we discovered a bug in the injection code which defaults to the English version of the text.
However, the fraudsters' intention with the Spanish-language version of the attack was to exploit a well-known Spanish nutrition program for infants and children. The program collects donations, purchases and distributes milk to needy children, and sends pictures of them to the individuals who gave money.
4) German Attack
In the German-language attack, the fraudsters urge Facebook users to make a donation to ChildFund to help families provide a better future for their children.
5) Dutch Attack
In the Dutch version of the attack, the criminals request that victims make a donation to Save the Children, an organization that has been working for 90 years to help save children's lives, fight for their rights and improve their quality of life.
“This attack illustrates the continuing customization of financial malware and harvesting of credit card data from the global base of Facebook users”, said Trusteer’s CTO Amit Klein. “Using children’s charities as a scam makes this attack believable and effective. Meanwhile, the one dollar donation amount is low enough that virtually anyone can contribute if they choose. This is a well-designed method for stealing credit and debit card data on a massive scale.”