Advisory January 12, 2013

Man-in-the-Browser Attacks – Citadel

While the Man-in-the-Browser (MitB) class of attacks has been around for quite some time, the last year has seen a significant increase in the amount of money being stolen as well as in the “quality” and capabilities of the attack mechanisms. The “EuroGrabber” banking Trojan variant stole almost 47 Million USD from 30,000 accounts across Europe, and the latest “Citadel” variants have rolled out capabilities that were previously unheard of, allowing sophisticated targeting and payloads.

Unlike typical attacks, which were aimed at the financial institutions' e-banking or electronic transaction systems and their security mechanisms, these new Man-in-the-Browser attacks target the unsuspecting e-banking users themselves. These users are the weakest link because they are neither prepared for nor knowledgeable about what constitutes a problem and what to do about it.

In a typical MitB attack scenario the user’s workstation becomes infected with Trojan malware that sits and waits for certain site visits or events to occur before taking action.

The information here should serve as a guide and a way to understand the problem, what is at stake and what can be done to protect electronic transaction (eBanking, shopping…) users.

The King of the Trojans – Citadel

2010 saw an outbreak of the “Zeus” malware and its variants. Zeus came out in 2007 and was the “original” banking Trojan, whose intent was to collect sensitive information to be used for performing illegitimate financial transactions. Zeus has gone through many iterations and phases and has been modified to the point that it is available for sale to any interested party. The latest variation of this Trojan is known as Citadel, and a review of its capabilities, support and planned features shows why it can easily be named “The King of the Trojans”. Citadel is currently available for sale in Russian cyber-underground forums for a price of about $4000.

The latest version of Citadel, v1.3.5.1 (“Rain Edition”), has advanced capabilities and can propagate malware and steal financial information via botnets. It includes a new, easy-to-manage web-based user interface tailored to facilitate its use by even novice cyber-criminals.

Citadel has powerful features including:

  • a Control Panel which provides information about all infected and managed PCs;
  • the ability to perform searches for financial information;
  • the ability to capture information via keystroke logging, screenshot capture or even video capture;
  • the ability for “dynamic configuration” and advanced interaction with the infected machines.

Citadel also introduced the ability to perform dynamic web code injections directly on individual machines without the need to upload any configuration file to the bot itself. The injections typically include a “pop-up” which can be preconfigured to launch automatically based on various parameters, or launched manually in real time when extra interaction is required, e.g. to inject a custom script targeting a specific user.

Consequently, when a user visits their bank’s legitimate website they are presented with a pop-up asking them to input their credentials or One-Time Password. As soon as the user information is acquired, it can either be stored for post-processing and future use, or a non-legitimate financial transaction can be performed immediately. These injected pop-ups are crafted to integrate seamlessly with each bank’s e-banking environment and, given the capabilities offered by the Trojan, they can trick even the most advanced, knowledgeable and suspicious users (e.g. a pop-up asking for your token code is presented as soon as you start typing in the respective field of the e-banking site).

The user is never taken to a different site: they remain at all times on their e-banking URL, within the e-banking application, and the secure padlock with the bank’s SSL certificate is in place and valid.

Given this level of sophistication and the continuous maintenance, innovation and development that exists within the Citadel software kit (there is even a new-features request list), it can be considered “crime-ware” rather than simple malware. Moreover, the significant suggested retail price means that the buyers are not in it “for fun” but mean serious business.

What can you do?

Although financial institutions are considered the primary targets, variants of the same “crime-ware” have recently been used to steal airport users’ VPN credentials and two-factor authentication tokens, as well as credit card numbers from online shops.

Given that Man-in-the-Browser attacks are aimed at users’ PCs and workstations, and that the fraudulent activity takes place within the user’s Internet browser, the question “What can I do?” arises both for the users/customers and for the financial institutions themselves, which need to demonstrate that they are actively protecting their customers.

General recommendations for end-users to avoid becoming infected include:

  • Maintain an up-to-date and patched operating system.
  • Maintain an up-to-date version of Java.
  • Do not use old versions of web browsers.
  • Use script-blocking extensions in browsers (e.g. NoScript, NotScript or JavaScript Blocker).
  • Use updated anti-malware protection.
  • Do not visit suspicious websites.
  • Do not follow links from chain e-mails.
  • If something on the Internet looks “too good to be true”, it probably is.

After all, the number one method to protect ourselves from this and other types of malware is to be informed.

If, however, your workstation does become infected, you should watch for indications such as changes in your e-banking site’s behavior, for example the pop-up functionality previously described. If anything appears out of the ordinary, stop any activity and take the time to verify with your bank. Also, routinely monitor your account balances and inform your bank immediately about any discrepancies. If your account has been compromised you need to inform your financial institution, and you should immediately take appropriate action to clean or rebuild your PC and change your account credentials from a different, known-clean PC.

Financial institutions face a great deal of difficulty in effectively mitigating risks that arise on the “client side”, since it is an environment they do not control. Any technical solution or control applied by the banks on the client side is doomed to eventually be bypassed or overridden. Consequently, controls such as validation checks, checksums etc. running in the client-side browser environment may be used only as temporary firefighting / compensatory controls until a robust, permanent solution is put in place.

More permanent solutions

Fewer than a handful of technical solutions exist which could effectively mitigate Man-in-the-Middle (MitM) and Man-in-the-Browser (MitB) attacks. Out-of-band transaction authorization systems (e.g. sending transaction authorization codes to the user’s mobile phone) used to be an effective solution, but these are increasingly being circumvented by Man-in-the-Mobile (MitMo) attacks.
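The following is an added illustration, not code from this advisory or from any bank, of why an out-of-band authorization code only helps against the injected-pop-up scenario above when the code is bound to the transaction details the user sees on their phone. The HMAC-based scheme, the server key, the account identifiers and the nonce are all constructed assumptions; the point demonstrated is that a code captured by a MitB pop-up for one transfer does not verify for a transfer to a different destination.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed demo key for the bank's authorization-code service (assumption, not a real key).
SERVER_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class Transfer:
    source: str
    destination: str
    amount_cents: int
    currency: str


def canonical(tx: Transfer, nonce: str) -> bytes:
    # Bind every field the user is expected to check on the phone, plus a per-request
    # nonce so that the same transfer submitted twice yields different codes.
    return f"{tx.source}|{tx.destination}|{tx.amount_cents}|{tx.currency}|{nonce}".encode()


def issue_code(tx: Transfer, nonce: Optional[str] = None) -> Tuple[str, str, str]:
    """Return (nonce, six-digit code, SMS text). The SMS names the destination and
    amount the code is valid for, which is what the out-of-band channel adds."""
    nonce = nonce or secrets.token_hex(8)
    mac = hmac.new(SERVER_KEY, canonical(tx, nonce), hashlib.sha256).digest()
    code = f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"
    sms = (f"Confirm transfer of {tx.amount_cents / 100:.2f} {tx.currency} "
           f"to {tx.destination}. Code: {code}. Ignore if you did not request this.")
    return nonce, code, sms


def verify_code(tx: Transfer, nonce: str, code: str) -> bool:
    """Recompute the code from the transaction the server is actually about to execute;
    a code issued for a different destination or amount will not match."""
    _, expected, _ = issue_code(tx, nonce)
    return hmac.compare_digest(expected, code)


def demo() -> Tuple[bool, bool]:
    # Constructed accounts: the user's legitimate transfer, and the altered transfer a
    # MitB would try to push through by reusing the code captured from its pop-up.
    legit = Transfer("GR00-USER", "GR00-LANDLORD", 50_000, "EUR")
    nonce, code, _sms = issue_code(legit, nonce="constructed-nonce-0001")
    altered = Transfer("GR00-USER", "XX00-ATTACKER-ACCOUNT", 50_000, "EUR")
    return verify_code(legit, nonce, code), verify_code(altered, nonce, code)
```

Note that this binding does nothing against a Man-in-the-Mobile component that intercepts the SMS itself, which is exactly the circumvention the paragraph above describes.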

Useful Link