The injections are made for Italian, Spanish, German, French and English-speaking users

Jun 27, 2013 22:51 GMT

HTML injections are not uncommon for pieces of malware designed to trick users into handing over their personal and financial information. However, a new variant of the Citadel Trojan goes the extra mile.

According to researchers from Trusteer, the authors of the new sample have customized the HTML injections for specific countries.

For instance, if the user of an infected computer visits Amazon.fr, the malware injects a phishing page that’s written in French. Distinct HTML injections have been developed for Italian, Spanish, German, British, Canadian, Australian and American targets.

Interestingly, the bogus warning messages claiming that “suspicious activity” has been detected aren’t the only elements driven by the localization script. Text, input fields and drop-down menus are also customized.

HTML injection in multiple languages has been spotted before, but this is the first time malware developers have taken the time to customize the injections for a large number of social networks, banks and major e-commerce sites.

“The sophistication of the malware combined with the low profile maintained by the criminal gang suggests that this is the work of a highly sophisticated cybercrime team,” Trusteer’s Etay Maor wrote in a blog post.

“The use of a single variant that is capable of targeting multiple international brands provides a significant advantage in the monetizing process that follows. The malware not only collects login credentials, it also captures credit card data that can be sold separately to other criminals.”

The fact that the injections are localized also helps cybercriminals when it comes to monetizing the loot.

As Maor highlights, it’s easier for a Spanish cybercriminal to cash out on Spanish accounts than it would be on US accounts.