Typically, cybercriminals use the Citadel Trojan to carry out online banking and financial fraud, but according to researchers at Trusteer, the malware is now also being used to steal the VPN login credentials that airport employees use to access internal airport applications.
In order to steal the desired information, the Citadel Trojan uses a combination of form grabbing and screen capture technologies in a multi-phase attack:
- Form grabbing is used to steal the username and password entered into the login screen.
- The one-time passcode generated by a strong authentication product is captured via desktop screenshots.
“This is a clever use of form grabbing and screen grabbing techniques by attackers,” Trusteer’s Amit Klein wrote. “It also demonstrates how enterprises that rely on strong authentication approaches are still at risk from targeted attacks if they lack cybercrime prevention security on endpoint devices.”
Trusteer notified airport officials following the discovery of the attack, and remote employee access to the VPN site was immediately disabled as a precaution. Relevant government agencies and the vendor of the authentication product used by the airport have also been notified.