Fraudsters are upping the ante in their pursuit of payment data by creating spoofed sites that look so real they even include localized language settings and drop-down menus to dupe consumers into turning over credentials.

The latest fraud attack is a globalized version of the Citadel Trojan, which detects the country of the victim who is trying to access Amazon.com or a bank—and presents the consumer with fake web pages in their local language, along with options to "localize" the attack even more. This data makes the stolen information more valuable.

"These guys are not amateurs. They knew what they were doing, you could see it in the malware," says Etay Maor, a senior product marketing manager for Trusteer, a Web security company. "It looked real. When it targeted Spanish users, it asked the user which city they lived in, and gave a drop-down menu with cities in Spain. It went into small detail to make sure it looked believable."

The attackers use an HTML injection to get consumers to give the fraudsters more information than they should at a bank or an e-commerce site, Maor says.

HTML, or HyperText Markup Language, is used to create Web pages and is part of thousands of bank and retail payments sites. The Citadel Trojan uses HTML as a redirect to steal payment account information from consumers. Amazon.com did not return requests for comment by deadline.

In this case, the HTML injections are customized for multiple brands in multiple languages, Maor says. Scripts exist for Italian, Spanish, French, German, British, Canadian, Australian and American versions of each brand.

Once the consumer's device is infected, Citadel displays a fake screen the next time the consumer visits the targeted site. The fake screens are based on a predefined template, Maor says.

The new Citadel Trojan follows up on another attack that used fake pop-up boxes on legitimate websites that request security information for MasterCard or Visa.

"With all of the data that is going through an electronic commerce transaction, it was a matter of time before we saw this. It was very clever that they adjusted it for the location based on language," says Al Pascual, a senior analyst at Javelin Strategy & Research.

The use of a single variant that is capable of targeting multiple international brands provides a significant advantage in cashing out the stolen payments data, Maor says. The malware not only collects login credentials, it also captures credit card data that can be sold separately to other criminals. 

"Most fraudsters don't try to steal localized credentials, because it's hard to obtain those types of credentials," Maor says. "But when you sell these localized credentials in the underground markets, it goes for a lot more. If I'm an Italian fraudster, I want Italian victims. It's easier than having to cash out on a victim in Japan."

The initial Citadel strain has been shut down, but other fraudsters will likely use its tools to create similar attacks, Maor.

"It will pop up in a different form," Maor says. "The attack can reproduce with a reconfigured file."

The Citadel attack is difficult for spoofed companies to combat because it is local to the victim's computer, Maor says.

"The fake screens are only seen by the criminal and the users…the banks don't see the screen, so [enterprise] fraud detection systems don't pick that up," says Avivah Litan, a security specialist for Gartner Research. "What matters here is the use of language. The users are getting better at targeting the attacks. And the more targeted the attack, the more success they will have."

The crooks' sophistication is limited, as the new attack is designed to victimize only traditional channels such as a desktop or laptop computer. "It's not designed to redirect SMS Text or one-time-passwords, so it's not going after mobile payments,"  Pascual says.

Subscribe Now

Authoritative analysis and perspective for every segment of the payments industry

14-Day Free Trial

Authoritative analysis and perspective for every segment of the industry