According to Trusteer researchers, this new Citadel malware variant uses HTML injection to present a “make a donation” prompt once a user logs into their Facebook account on an infected machine. The injection is performed by the malware inside the victim’s browser, not by a flaw in Facebook itself: the bogus content is spliced into the genuine page after it has been decrypted, so it appears within the real, logged-in Facebook session.
Instead of giving the same stale sales pitch for every victim, the malware switches the charity pitch according to the user’s country and language settings, with versions targeting English, Italian, Spanish, German, and Dutch speakers.
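To make the mechanism concrete, here is an added illustration of how a man-in-the-browser “webinject” rewrites a page, in the configuration style of the Zeus family from which Citadel derives. This is example code written for this article, not Trusteer’s analysis or the malware’s own code. Everything specific in it is assumed rather than taken from the article: the directive names (set_url, data_before, data_inject, data_after, data_end), the idea that the bot selects a rule set from the browser’s Accept-Language value, and every URL mask, HTML snippet and sample response, which are constructed here.

```python
# Added illustration (not code from the article, Trusteer or the malware): a minimal
# man-in-the-browser "webinject" engine in the configuration style of the Zeus
# family, from which Citadel derives. Assumed, not stated in the article: the
# directive names, that the rule set is picked by the browser's Accept-Language,
# and every URL mask, HTML snippet and sample response (all constructed here).
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class InjectRule:
    url_mask: str      # set_url target, shell-style wildcards
    before: str = ""   # data_before: injection goes right after this anchor
    inject: str = ""   # data_inject: the HTML the victim sees
    after: str = ""    # data_after: optional end anchor; text between anchors is replaced


def parse_webinjects(text):
    """Parse a Zeus-style webinject file into InjectRule objects."""
    rules, current, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            current = InjectRule(url_mask=line.split()[1])
            rules.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end" and section is not None and current is not None:
            setattr(current, section, "\n".join(buf).strip())
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def _anchor_regex(anchor):
    """'*' inside an anchor is a wildcard; everything else matches literally."""
    return ".*?".join(re.escape(part) for part in anchor.split("*"))


def apply_webinjects(url, html, rules):
    """Rewrite a response the way the bot does: after the browser has decrypted
    it, so the result still shows the genuine origin and a valid padlock."""
    hits = 0
    for rule in rules:
        if not rule.before or not fnmatch.fnmatchcase(url, rule.url_mask):
            continue
        start = re.search(_anchor_regex(rule.before), html, re.S)
        if not start:
            continue
        end_pos = start.end()
        if rule.after:  # replace everything up to the end anchor
            end = re.search(_anchor_regex(rule.after), html[start.end():], re.S)
            if not end:
                continue
            end_pos = start.end() + end.start()
        html = html[:start.end()] + rule.inject + html[end_pos:]
        hits += 1
    return html, hits


def _donation_rule(appeal_html):
    """One constructed rule: inject an appeal right after the welcome box on the home page."""
    return f"""set_url https://www.facebook.com/home* GP
data_before
<div id="pagelet_welcome_box"*>
data_end
data_inject
<div class="donation">{appeal_html}</div>
data_end
data_after
data_end"""


# Per-language rule sets; the English text quotes the article, the German entry
# is a placeholder standing in for the localized appeal.
INJECTS_BY_LANGUAGE = {
    "en": _donation_rule('You can save a life with only $1. <input type="button" value="Continue">'),
    "de": _donation_rule("[German-language appeal, placeholder]"),
}


def select_rules(accept_language):
    """Pick rules by the victim's primary browser language; unlisted languages get
    no injection (assumed behaviour)."""
    primary = accept_language.split(",")[0].split(";")[0].split("-")[0].strip().lower()
    config = INJECTS_BY_LANGUAGE.get(primary)
    return parse_webinjects(config) if config else []


# Constructed stand-in for the page the browser received over HTTPS.
SAMPLE_RESPONSE = """<html><body>
<div id="pagelet_welcome_box" class="home">Welcome back</div>
<div id="feed">...</div>
</body></html>"""


def demo(url="https://www.facebook.com/home.php", accept_language="en-US,en;q=0.5"):
    return apply_webinjects(url, SAMPLE_RESPONSE, select_rules(accept_language))


if __name__ == "__main__":
    page, hits = demo()
    print(f"{hits} injection(s) applied:\n{page}")
```

Running `demo()` shows the appeal spliced in directly after the welcome box of the constructed home page, while a request for a URL the rule does not cover, or from a browser whose language has no rule set, passes through untouched. The defensive lesson is in `apply_webinjects`: nothing in the rewritten page distinguishes it from the original at the network level, which is why TLS and the address bar cannot reveal this kind of injection.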
English Citadel Malware Attack: Donate to Benefit Kids in Haiti
In the English version of the attack, upon logging into their Facebook account, users are presented with a dialog box asking that they help “serve the poorest child in Haiti” by making a donation:
You can save a life with only $1. When you give to HPC, 99% of every dollar “cash plush gifts-in-kind” goes directly to programs that serve the poorest child in Haiti. We work currently with two orphanages and elementary school, we are seeking donations. Please donate and help us spread the word to your friends, families, etc. Click to donate to make a difference! All you give, they’ll be much appreciated. We appreciate your interest and hope that you will open your hearts and donate to better the lives and futures of those in need. If you have any questions before you donate please do not hesitate to contact us. We treat personal information with the utmost respect for your privacy. Click the button above. Thank you.
Clicking the ‘Continue’ button brings up a second page with all of the fields needed to hand your credit card details over to the scammers.
Unfortunately for anyone who falls for this scam, it is highly unlikely that any of the stolen money will ever reach a charity.
Trusteer researchers did not say how they came across this specific build of Citadel malware, but previous versions of Citadel have been spread via drive-by downloads.
To minimize their chances of infection, users are advised to keep their operating system and third-party software up to date, run antivirus software (and keep its definitions current), and remain vigilant when browsing the web or checking email. Note that the usual signs of a legitimate site do not help here: because the HTML is injected inside the browser on an already-infected machine, the bogus donation form appears under the real facebook.com address with a valid HTTPS padlock. A request for credit card details immediately after logging into a social network should be treated as a warning sign regardless of what the address bar shows.
Check Trusteer’s blog for additional information on the Italian, German, Dutch and Spanish versions of this attack.