• United States



Contributing writer

Latest Citadel scam sophisticated — except for grammar

Jul 26, 20123 mins
PrivacySocial Engineering

Pitch to scam people out of their credit card information via fake charity come-ons targeted but poor English a giveaway

Perhaps one good way to avoid Internet scams is to remember the grammar your teachers taught you in grade school. Some scammers apparently have only a passing acquaintance with English.

Yet another configuration of the Citadel malware, discovered this week by security vendor Trusteer, is targeting Facebook users with a fake request for donations to children’s charities in order to steal credit card data.

[Also read Social engineering: The basics | How to rob a bank: A social engineering walkthrough]

Trusteer CTO Amit Klein notes in a blog post that this scam is a bit unusual in that the malware is not only configured to deliver web-injection pages in five different languages — English, Italian, Spanish, German and Dutch — but it doesn’t use the same text for every language. Instead, each attack is customized based on the victim’s country and/or region.

But if the English language version is any indication, anybody who bothers to read the appeal carefully will know it is not coming from a credible source. The pitch mangles the language several times.

One sentence says the money will go to programs that “serve the poorest child in Haiti.” Another says, “We work currently with two orphanages and elementary school, we are seeking donations.” And: “All you give, they’ll be much appreciated.”

Still George Tubin, senior security strategist for Trusteer, said the scam is effective because it preys on the sympathies of people, telling them of children who “desperately” need their help. It also tries to trick victims by using the names of real, credible charities.

In the English version, the scam claims that the money will go to impoverished Haitian children. The Italian-language version claims it is for the “Red Balloon” campaign, created to fight child mortality in Italy.

[See also: Fraud prevention – Improving internal controls]

Amit Klein’s post said Trusteer discovered a bug in the injection code of the Spanish version, which makes it default to English. But the pitch claims it is for a well-known Spanish nutrition program for infants and children.

The German version says donations will be going to ChildFund, and the Dutch version claims the donations will benefit Save the Children.

It is also accessible to those of any income level — it asks for only a dollar. But, of course, the real goal is to get credit card information. Victims who click on the pop up are asked to fill out a form that asks for their name, card number, expiration date, CVV code, and security password.

The scammers promise, “We treat personal information with the utmost respect for your privacy.”

George Tubin said Trusteer discovers attacks by monitoring cybercriminal chat rooms, and also by malware that their security software notices and blocks. He said those who see the pop-up have computers that have been infected by the Citadel malware.

“Even if you don’t fall for this scam, it is still active on your machine, and the group that controls it can launch another attack anytime,” he said.

Clearly, those victimized need to have their machines scrubbed of the malware. “There are a lot of anti-malware products out there — some of them are free and a lot of them cost money,” Tubin said. “We are among those who have a product that will remove it and also block it.”

Tubin said there is no way to tell how many have fallen for the scam, or where it is coming from. “Cybercriminals have a lot of ways of covering their tracks,” he said. “But we think it is probably from somewhere in Europe.”