The king of financial malware, Zeus, has many variants and one particular variant, the Citadel trojan, continues to pose a significant global threat, despite the rumors of its withdrawal from the crimeware market. According to McAfee Labs research, Citadel’s original developers, and perhaps others, are developing new variants that significantly extend Citadel’s functionality and threat profile.

The Citadel trojan is sold as a crimeware kit: a bot that is planted on victims' computers and a command-and-control panel through which criminals manage the infected machines. The login IDs and passwords the bots capture let the criminals access victims' online accounts and perform fraudulent transactions.

First detected in 2011, Citadel comes with a sophisticated control panel that helps cyber criminals launch malware campaigns specifically targeting financial institutions. The bot harvests login credentials by a variety of means, including keylogging, screen captures and video capture, and sends the results back to a central server controlled by the fraudsters.

According to malware researchers, Citadel was the first trojan to have a browser injection that launches fake pop-ups during online banking transactions. The technique, dubbed WebInject, hooks the browser's own networking functions and rewrites the banking page after it has been decrypted and before it is rendered, so the fake form asking the customer to re-enter account logins and passwords appears inside the genuine page, in real time. This is why it is a man-in-the-browser attack rather than a man-in-the-middle on the network, and why all the reassuring signs customers have been taught to check are still present: the correct bank URL, the trusted green https://, the bank's own certificate and company information. None of those indicators can reveal a manipulation that happens on the customer's own machine, after TLS has done its job.

The Citadel trojan also includes DNS redirection, which was not part of the original Zeus malware. The bot intercepts name resolution on the infected computer so that the hostnames of a large number of antivirus providers and online security scanning services resolve to an address of the attackers' choosing, or to nothing at all. Signature updates and online scans then fail silently, inhibiting attempts to disinfect the computer. For a practitioner, a machine that loads ordinary websites normally but cannot reach security vendors' sites is a symptom worth checking.

With all these new developments, how can financial institutions hope to defeat the Citadel malware? A true out-of-band authentication solution is the key. When an online banking customer performs a high-risk transaction, an authentication request, together with the transaction details exactly as the bank received them, is sent to the customer's mobile device via a second communication channel established directly between the bank and the registered device. Because the trojan sits in the browser and not in that channel, a payee or amount it altered shows up on the phone screen for the customer to see, and a transaction a fraudster initiates with stolen credentials produces a request the customer never expected. In either case the customer simply rejects it, and the transaction is never executed. The protection depends on the second channel being genuinely independent of the infected computer and bound to one registered device; a confirmation that could be read or approved from the compromised browser session would not qualify.
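The exchange described above, written out as an added example that is not Entersekt's product code or part of the original post. It assumes a hypothetical per-device key shared between the bank and the enrolled phone at registration, uses HMAC-SHA256 to authenticate both the request and the customer's decision, and runs four constructed scenarios: an honest transfer, a transfer whose payee a WebInject swapped in the browser, a transfer started by a fraudster with stolen credentials, and an approval forged over the browser channel without the device key.

```python
"""Out-of-band transaction confirmation as a two-party exchange (illustrative).

Assumptions (not from the original post): the bank and the customer's
registered mobile device share a per-device key provisioned at enrolment.
The browser channel, which a man-in-the-browser trojan controls, never sees
that key, so it can neither forge an approval nor alter what the phone shows.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional


def canonical(payload: dict) -> bytes:
    """Deterministic serialisation so both sides MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def tag(key: bytes, purpose: str, payload: dict) -> str:
    """HMAC-SHA256 over a purpose label plus the payload; the label stops a
    request tag from being replayed as a response tag."""
    return hmac.new(key, purpose.encode() + b"|" + canonical(payload), hashlib.sha256).hexdigest()


class Bank:
    """Bank side: receives transactions from the untrusted browser channel and
    executes them only after the registered device approves."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key          # shared with one enrolled device (assumed)
        self.pending: Dict[str, dict] = {}
        self.executed: List[dict] = []

    def submit_from_browser(self, tx: dict) -> dict:
        """Step 1: the browser submits a high-risk transaction. A WebInject may
        already have altered it, so the bank echoes exactly what it received
        into the out-of-band request for the customer to check."""
        challenge_id = secrets.token_hex(8)
        request = {"id": challenge_id, "tx": tx}
        request["tag"] = tag(self.device_key, "request", request)
        self.pending[challenge_id] = tx
        return request  # delivered over the second channel, not the browser

    def receive_response(self, response: dict) -> str:
        """Step 3: verify the device's decision and act on it."""
        tx = self.pending.pop(response.get("id"), None)
        if tx is None:
            return "rejected: unknown or already-used challenge"
        body = {"id": response["id"], "tx": tx, "decision": response.get("decision")}
        expected = tag(self.device_key, "response", body)
        if not hmac.compare_digest(expected, response.get("tag", "")):
            return "rejected: response not from the registered device"
        if response["decision"] != "APPROVE":
            return "rejected: customer declined"
        self.executed.append(tx)
        return "executed"


class Device:
    """Registered phone: shows the bank's view of the transaction and lets the
    customer compare it with what they actually meant to do (step 2)."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key

    def handle(self, request: dict, intended: Optional[dict]) -> Optional[dict]:
        unsigned = {"id": request["id"], "tx": request["tx"]}
        if not hmac.compare_digest(tag(self.device_key, "request", unsigned), request["tag"]):
            return None  # not from the bank: ignore
        # The customer sees payee and amount on the phone. If they match the
        # intended transfer, approve; otherwise (fraudster, or payee swapped
        # by a WebInject) decline. `intended is None` means "I started nothing".
        decision = "APPROVE" if request["tx"] == intended else "DECLINE"
        body = {"id": request["id"], "tx": request["tx"], "decision": decision}
        return {"id": request["id"], "decision": decision,
                "tag": tag(self.device_key, "response", body)}


def run_scenarios() -> dict:
    key = secrets.token_bytes(32)  # provisioned at enrolment (assumed)
    bank, phone = Bank(key), Device(key)
    intended = {"payee": "GB00 SAMPLE 1234", "amount": "150.00"}  # constructed data
    results = {}

    # 1. Honest transaction: the browser sends what the customer typed.
    results["honest"] = bank.receive_response(phone.handle(bank.submit_from_browser(intended), intended))

    # 2. Man-in-the-browser: a WebInject swaps the payee; the phone shows the mule account.
    tampered = {"payee": "GB00 MULE 9999", "amount": "150.00"}
    results["tampered"] = bank.receive_response(phone.handle(bank.submit_from_browser(tampered), intended))

    # 3. Stolen credentials: a fraudster starts a transfer the customer never intended.
    fraud = {"payee": "GB00 MULE 9999", "amount": "4900.00"}
    results["stolen_creds"] = bank.receive_response(phone.handle(bank.submit_from_browser(fraud), None))

    # 4. The trojan forges an approval over the browser channel without the device key.
    req = bank.submit_from_browser(fraud)
    results["forged"] = bank.receive_response({"id": req["id"], "decision": "APPROVE", "tag": "00" * 32})

    results["executed_count"] = len(bank.executed)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Only the honest transfer is executed; the tampered and fraudulent ones fail because the customer sees details on the phone that do not match anything they meant to do, and the forged approval fails because the browser channel never holds the device key. The design point is that the phone displays the bank's copy of the transaction, not the browser's, which is what makes a WebInject visible.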

Entersekt editor

An avid scowler and violent sharpener of pencils, Editor’s bark is worse than her bite. Every scrap of writing that crosses her desk she treats with the same care she would her own privately published comic verse. Any orphans and misfits, she takes under her wing. After hours, she practices amateur type design and represents her local library in extreme kerning competitions.

Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.