Man-in-the-Browser attacks are only getting more frequent, thanks to the Citadel botnet and numerous other threats, says Dennis Schwarz
Banks make opportune targets for cyber criminals. As with a traditional robbery, the rewards are high, and recent attacks such as that against Barclays in North London show that ‘cyber-robbery’ trends show no sign of abating. One specific threat is on the rise – “Man-in-the-Browser”.
These stealthy attacks install a Trojan horse onto a victim’s computer that is capable not only of stealing usernames and passwords, but also of injecting arbitrary content into their computer. The banking sector is particularly prone: the malware is used to steal usernames, passwords and PIN codes, and also to modify websites in order to social engineer victims and steal additional credentials.
Man-in-the-Browser waiting for you…
The threat is nothing new. In fact, the Citadel malware itself has been around since early 2012. However, it has been showing a new lease of life since April 2013. Arbor’s Security Engineering and Response team (ASERT) has logged 4,000+ unique Citadel executables in its malware sandbox networks, and the malware is continuing to gather pace.
In June 2013, Microsoft launched Operation b54 to disrupt hundreds of Citadel botnets. Even after it took down more than 1,400 botnets, the malware is alive and well and is being used by distinct threat actors to target various countries and their associated financial sectors. As Citadel is one of the main banking Trojans, it is important for the financial sector to be aware of the dangers of this botnet and its ability to affect global economic operations.
So how does the attack work? The attack begins by infecting a user’s machine, which could happen through phishing, via an exploit kit or by drive-by download, which is when a download happens without a person’s knowledge. Once the user’s machine is infected, the malware calls out to its command and control operator for new commands. The command and control operator will generate commands about how to access the banking sites and record user information, which will trigger the Man-in-the-Browser attack.
There are four key reasons as to why businesses need to care about this botnet:
The Citadel botnet is very pervasive and, in many cases, it could be a user’s work-issued computing device that has become infected. Although the Citadel malware has been around since early 2012, it is based on (and around 75 percent the same as) another banking malware called Zeus, which was first identified in mid-2007. There also isn’t just one single Citadel botnet; there are several copies, run by different threat actors, targeting different financial services and countries.
Users often check personal accounts at work or on company-issued devices. This allows communication between the botnet and its command and control, introducing it into the work environment and bypassing perimeter security controls.
It is also well known that many people reuse passwords, regardless of company policies that state the dangers of this. Because of this, it is possible that a user will have the same credentials to access their bank accounts and their work devices, which can provide an attacker with legitimate credentials to access an employee’s confidential information.
Citadel is just one example of malware that targets banking. Man-in-the-Browser attacks can be customised for many different types of applications or browsers, such as retail sites, government applications and manufacturing applications.
IT security teams, especially within the financial sector, need to stay on top of this threat and ensure policies are in place to mitigate the growing threat. These include regular password updates for work devices and appropriate security software. By preparing staff and educating them on the processes to ensure the security of both their own data and the organisation’s data, IT managers can work with employees to protect their networks.
Dennis Schwarz is a research analyst at ASERT, Arbor Networks