14 Aug 2012

Citadel Trojan goes after VPN Login Credentials in International Airport

With more and more e-threats targeting network infrastructure to mine the data passed to and from clients, businesses are moving to virtual private networks as their next line of defense.

The notorious Citadel, an open-source version of Zeus collaboratively maintained by multiple cyber-criminal teams, is now reportedly attempting to breach VPN security by stealing login credentials belonging to employees of a major international airport.

Just like the Zeus Trojan, Citadel features a form grabber – a component that can read information passed to a form in a web page. However, because the airport's network security relies on a supplementary level of authentication (a single-channel mechanism based on a 10-digit CAPTCHA, or a dual-channel mechanism that delivers a one-time PIN via SMS), Citadel is also equipped with a screen capture mechanism.

When users request single-channel authentication, they are shown a 10-digit CAPTCHA image and use it to map their password onto that string of digits. Citadel combines the captured screenshot with the one-time code stolen by the form grabber and works through the possible digit permutations to re-create the static password.

Citadel’s new features show that even the most sophisticated authentication mechanisms can be subverted using the weakest link: infected computers belonging to authorized users.

“This is especially true in the case of unmanaged or BYOD endpoints. Since these devices are exposed to threats that would otherwise be filtered at the enterprise perimeter, they are much more vulnerable to infection from advanced malware like Citadel, Zeus, SpyEye, etc.,” Trusteer CTO Amit Klein said.

As a rule of thumb, IT departments should require all users who bring their own devices to work and connect them to the network, for any purpose, to have an anti-virus security solution installed and an up-to-date operating system.