Pin It

Citadel Trojan: What You Need To Know

Payza’s CTO, Ali Nizameddine, discusses how to protect your Payza account and all your personal information from hackers and cyber-criminals

Earlier this week, Eyal Maor of Trusteer posted an article reporting the discovery of a variant of the Citadel Trojan specifically targeting Payza users. Citadel is different from a typical phishing scam because in this case, the identity thieves attempt to collect your information by altering Payza’s actual login page. Maor explains:

The Citadel code adds the “Pin” field to the Payza login page. The Payza transaction pin is used every time a user wants to send funds, add funds, withdraw funds or make a payment. By obtaining the victim’s email, password and pin number, a cybercriminal can take over the account and commit fraudulent transactions.

Citadel is not infecting Payza or the Payza website. Citadel works by attacking individual computers and changing the information users should be seeing on certain websites. This means that when you visit Payza’s legitimate login page, the Citadel script is triggered so instead of seeing this:

Payza Login Screen

You would see this:

Payza Login Screen InfectedNotice that the “Pin” field has been added. This should be a clear sign that something is wrong, Payza would never ask for your Password and your Transaction PIN on the same page. The purpose of the Transaction PIN is to provide an added level security beyond your password, having Payza members enter both of these secure identifiers on the same page would defeat the purpose of a secure PIN. If you come across a screen that asks for all your secure Payza information in one place, you should immediately file a report through the Payza Security Center so that our experts can investigate the situation.

While Maor points out that this could be a real concern for public computers, which are especially susceptible to malicious software such as Citadel. Maor explains, “Public computers are typically at higher risk for malware infections and when used by an unsuspecting user, the chances of a successful fraudulent transfer are much higher.” It is because of this that Payza already has security checks in place to monitor user logins from public computers and to block accounts when suspicious activity is detected.

Helpful advice from Payza’s Chief Technological Officer Ali Nizameddine

We sat down with Ali to discuss the Citadel malware and to get his advice about protecting yourself online.

Q. What is the Citadel Trojan and how does it affect the computers it attacks?

Citadel has many applications but it mainly targets financial and e-commerce sites. It works by infecting a user’s computer and then waiting for them to browse one of their target sites. In this case, if you used an infected computer and tried to go to Payza’s login page, Citadel would spring into action and replace the regular Payza login screen with a phishing screen meant to capture your information. Citadel can actually change the content of a web page as well as transmit any collected information back to the attacker.

Q. What are some other sites that have been targeted by Citadel?

Citadel is known to have affected the websites of many different banking and financial institutions. In one case, Citadel was used to trick people into believing their computer had been locked by the U.S. Department of Justice and instructed them to pay a fee to unlock it.

Q. How does Citadel affect Payza’s website?

Actually it doesn’t, Payza’s website itself isn’t affected by Citadel. The virus actually changes the code within the infected computer in order to collect and send someone’s personal information to the attacker.

Q. What is Payza doing to combat Citadel?

Unfortunately we can’t control the spread of the malware, however, we do have measures in place to track whether a member’s account has been compromised and we are able to block these accounts and reverse the suspicious transactions. As with any phishing attack the member has to do their part as well to protect their information, but Payza has sophisticated screening methods in place to minimize or negate the damage of these attacks.

Q. How can I tell if my computer is infected and how can I prevent infection?

Always keep your anti-virus software up to date, it will be able to detect Citadel and other viruses infecting your computer. The best way to avoid infection is to only download software and files from trusted sources. It will be difficult to tell if your computer is infected, keep in mind, there are many sites that could trigger a Citadel script. Normally, Citadel will alter a page and have it ask for more information than usual, but it’s very possible that Citadel could leave a page exactly the same and simply send the information entered back to the attacker.

Q. What should I do if I think I am infected?

If you have come to the Payza login screen and entered your email address, password and Transaction PIN you should contact Customer Support immediately and ask them to reset your password and review your account for suspicious activity. If you think your computer is infected run a virus scan with an updated anti-virus program or consult a technician that can inspect your computer.

For more information on protecting yourself online, please read How to Avoid Cybercrime, also on the Payza blog.