Categories: SecurityWorkspace

Rising Threat: Cyber Bank Heists With Citadel’s Man-in-the-Browser

Banks make opportune targets for cyber criminals. As with a traditional robbery, the rewards are high, and recent attacks such as that against Barclays in North London show that ‘cyber-robbery’ shows no sign of abating. One specific threat is on the rise – “Man-in-the-Browser”.

These stealthy pieces of malware install a Trojan horse onto a victim’s computer that is capable not only of stealing usernames and passwords, but also of injecting arbitrary content into what the victim sees in the browser. The banking sector is particularly prone: the malware is used to steal usernames, passwords and PIN codes, and also to modify websites in order to social engineer victims and steal additional credentials.

Man-in-the-Browser waiting for you…

The threat is nothing new, in fact the Citadel malware itself has been around since early 2012. However, it has been showing a new lease of life since April 2013. Arbor’s Security Engineering and Response team (ASERT), has logged 4,000+ unique Citadel executables in their malware sandbox networks, and it is continuing to gather pace.

In June 2013, Microsoft launched Operation b54 to disrupt hundreds of Citadel botnets. Even after it took down more than 1,400 botnets, the malware is alive and well and is being used by distinct threat actors to target various countries and their associated financial sectors. As one of the main banking Trojans, it is important for the financial sector to be aware of the dangers of this botnet and its ability to affect global economic operations.

So how does the attack work? The attack manifests by first infecting a user’s machine, which could happen through phishing, via an exploit kit or by drive-by download (a download that happens without the person’s knowledge). Once the user’s machine is infected, the malware calls out to its command and control operator for new commands. The command and control operator will generate commands describing how to access the banking sites and record user information, which will trigger the Man-in-the-Browser attack.
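The content injection described above typically shows up as extra form fields (a PIN or card-number prompt) on a login page that the genuine site never renders. The following is an added illustration, not code from the original article or from Arbor Networks, of the defender-side check a site operator can run: compare the input fields actually present in a form against an allowlist of the fields the page is known to ship. The field allowlist and both HTML snippets are constructed for this example.

```javascript
// Added example (not part of the original article): flag form fields that a
// genuine login page never renders, as a signal of Man-in-the-Browser injection.
// EXPECTED_LOGIN_FIELDS and the two HTML snippets below are constructed samples.

const EXPECTED_LOGIN_FIELDS = ["username", "password", "csrf_token"];

// Extract the name attribute of every <input> element in an HTML string.
// A regular expression is enough for this self-contained illustration; in a
// browser the same walk would be done over the live DOM.
function extractInputNames(html) {
  const names = [];
  const inputRe = /<input\b[^>]*>/gi;
  let match;
  while ((match = inputRe.exec(html)) !== null) {
    const nameMatch = /\bname\s*=\s*["']?([^"'\s>]+)/i.exec(match[0]);
    if (nameMatch) names.push(nameMatch[1].toLowerCase());
  }
  return names;
}

// Return the names of fields present in the form but absent from the allowlist,
// in the order they appear. An empty array means no unexpected fields.
function findInjectedFields(html, expected = EXPECTED_LOGIN_FIELDS) {
  const allowed = new Set(expected.map((n) => n.toLowerCase()));
  return extractInputNames(html).filter((name) => !allowed.has(name));
}

// Constructed sample: the form as the bank actually serves it.
const GENUINE_FORM = `
<form id="login" action="/login" method="post">
  <input type="hidden" name="csrf_token" value="example-token">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Log in</button>
</form>`;

// Constructed sample: the same form after a web inject added two fields that
// ask the victim for secrets the real login step never requests.
const TAMPERED_FORM = `
<form id="login" action="/login" method="post">
  <input type="hidden" name="csrf_token" value="example-token">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="password" name="pin" placeholder="Enter your card PIN">
  <input type="text" name="card_number" placeholder="Card number">
  <button type="submit">Log in</button>
</form>`;

function demo() {
  return {
    genuine: findInjectedFields(GENUINE_FORM),   // []
    tampered: findInjectedFields(TAMPERED_FORM), // ["pin", "card_number"]
  };
}

console.log(demo());
```

Because the malware controls the browser, a client-side check like this can itself be tampered with, so its value lies in reporting: the result should be sent to the bank's backend as telemetry so that a sudden rise in sessions reporting unexpected fields can be investigated, rather than being trusted as a block on its own.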

There are four key reasons as to why businesses need to care about this botnet:

  1. The Citadel botnet is very pervasive and in many cases, it could be a user’s work-issued computing device that has become infected. Although the Citadel malware has been around since early 2012, it is based – around 75 percent the same – on another banking malware called Zeus, which was first identified in mid-2007. There also isn’t just one single Citadel botnet; there are several copies, run by different threat actors, targeting different financial services and countries.

  2. Users often check personal accounts at work or on company-issued devices, which can communicate between the botnet and its command and control, introducing it into the work environment and bypassing perimeter security controls.

  3. It is also a common fact that many people reuse passwords, regardless of company policies that state the dangers of this. Because of this, it is possible that a user will have the same credentials to access their bank accounts and their work devices, which can provide an attacker with legitimate credentials to access an employee’s confidential information.

  4. Citadel is just one example of banking-targeted malware. Man-in-the-Browser attacks can be customised for many different types of applications or browsers, such as retail sites, government applications and manufacturing applications.

IT security teams, especially within the financial sector, need to stay on top of this threat and ensure policies are in place to mitigate it as it grows. These include regular password updates for work devices and appropriate security software. By preparing staff and educating them on the processes that ensure the security of both their own data and the organisation’s data, IT managers can work with employees to protect their networks.

Dennis Schwarz is research analyst at ASERT, Arbor Networks


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
