


Senior Editor

US warns users of new Citadel ransomware hit

May 31, 2012 (4 mins)
Cybercrime, Data and Information Security, Intel

The nasty Trojan known as Citadel malware, which is based on Zeus, has typically been used to extort money from online banking users, but a new variant is making the rounds that tries to get your money by saying you looked at child porn sites and must pay a violation fee to the U.S. Department of Justice.

This variation, called Reveton, lures the victim to a drive-by download website, at which point the ransomware is installed on the user’s computer, says the U.S. Internet Crime Complaint Center (IC3). Once the malware is installed, the computer freezes and a screen is displayed warning the user that they have violated United States Federal Law. The crimeware declares that the user’s IP address was identified by the Computer Crime & Intellectual Property Section as visiting child pornography and other illegal content.


“To unlock their computer the user is instructed to pay a $100 fine to the [DOJ], using prepaid money card services. The geographic location of the user’s IP address determines what payment services are offered. In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud. Below is a screenshot of the warning screen. This is an attempt to extort money with the additional possibility of the victim’s computer being used to participate in online bank fraud. If you have received this or something similar do not follow payment instructions,” the IC3 stated.

In February, the IDG News Service wrote that Citadel would evolve and spread rapidly because its creators adopted an open-source development model.

Citadel is based on Zeus, one of the oldest and most popular online banking Trojans. Zeus was abandoned by its creator in late 2010 and its source code leaked online a few months later, IDG wrote. Since its public release, the Zeus source code has served as a base for the development of other Trojans, including Ice IX and now Citadel. Cyberthreat management firm Seculert said it had identified more than 20 botnets that use different versions of this Trojan. “Each version added new modules and features, some of which were submitted by the Citadel customers themselves,” the company said. The most interesting aspect of Citadel is its development process, which is similar to the ones behind community-supported open source projects, Seculert said.

Like its parent, Citadel is sold as a crimeware toolkit on the underground market. The toolkit lets fraudsters customize the Trojan and its command-and-control infrastructure according to their needs. However, the Citadel authors went even further and developed an online platform where customers can request features, report bugs and even contribute modules, the IDG story stated.

Such extortion schemes are all the rage, it seems. The IC3 recently said it had received several complaints from people who said an escort website, which the IC3 did not name, had stolen their identities and posted their photographs on the site along with slanderous and inaccurate comments about them. The victims then received extortion-type emails from subjects offering to help remove the information from the website for a fee. This scam is extremely detrimental to victims on a personal and professional level. Some victims reported that their marriages and reputations have been damaged, the IC3 stated.

The website’s disclaimer states that individuals named on the site provided their information freely to verify and confirm their identity for the purpose of making arrangements to meet and spend time with a paid companion. The website also states that its operators are located outside the United States and Europe and do not have to respond to any subpoena from these countries, the IC3 stated.

Follow Michael Cooney on Twitter: @nwwlayer8 and on Facebook.
