A Citadel malware variant is capable of delivering fraudulent web pages automatically customized to the language of each market and brand targeted.
While this is not the first use of HTML injection in multiple languages, the authors of this Citadel variant have taken the time to customize the HTML injections for multiple brands in multiple languages, said researchers at Trusteer.
The targets of this variant include social networks, banks, and major ecommerce sites, including Amazon.com. The Citadel authors created HTML injection scripts for Italian, Spanish, French and German targets as well as British, Canadian, Australian and American versions of each brand.
Once a device is infected, Citadel displays an injection screen the next time the victim visits the targeted website. The localized injection is generated from a predefined template that changes based on the targeted URL.
The use of a single variant that is capable of targeting multiple international brands provides a significant advantage toward monetizing the attack, researchers said. The malware not only collects login credentials, it also captures credit card data attackers can sell to other criminals.