nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Citadel Trojan phishes its way into petrochem firm's webmail

Middle Eastern webmail servers popped

By Darren Pauli, 17 Sep 2014

Trusteer researchers are saying that the victims of the latest round of Citadel trojan infections includes one of the largest petrochemical companies in the world.

The attacks, like so many others, targeted critical infrastructure organisations using phishing campaigns to steal network credentials.

Researcher Dana Tamir said the attackers targeted webmail URLs to infect staff.

"To steal login credentials that provide access to the company's webmail system, the malware looks for URLs like 'http://mail.target-company.com' which would be the login URL of the webmail system," Tamir said.

"When the user submits the login credentials, the malware grabs the username, password and any other information that is submitted during the login process."

POST-grabbing mayhem ensued when Citadel intercepted requests sent to the server prior to encryption and shipped it off to corporate crims.

Citadel is one of many malware instances created and maintained by groups of criminals operating on underground websites. It is regularly updated and even offers a support system - complete with trouble tickets - for customers who bought licenses.



Massive distributed malware chart

UK top of the popped. Trusteer.


Similar malware has been used to pop important utilities from families including Shylock, Zeus and SpyEye. Typical features included keystroke and screen capture, HTML injection and remote command line execution

More advanced web nasties include mechanisms to distinguish between true victim machines and those used by malware researchers.

Tamir dubbed the Citadel attack and others like it a "massively distributed malware" attack which aimed to infect as many machines as possible over email, drive-by downloads or watering hole attacks.

Britain topped the charts as a favourite target of "massive" advanced malware attacks with about 27,000 machines popped. Saudi Arabia, Chile and the USA closely followed.

Trusteer said one in 500 machines are infected as part of these massive attacks and have found such advanced malware in "practically every customer environment" in which its engineers have set foot. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing