Citadel trojan targeting major international airport hub

The airport has been advised and the VPN-based remote access by employees disabled – and the fact that it has now been disabled for a week indicates that the airport authorities are taking the matter very seriously.

The attack combines form grabbing and screen capture “to steal the victim’s username, password, and the one-time passcode generated by a strong authentication product,” reports Trusteer’s CTO Amit Klein. (Trusteer has also notified the authentication provider of this new threat.) This strong authentication product offers either a dual-channel method (a PIN delivered by SMS or to a separate mobile device) or a single-channel method, selectable by the user. It is the latter option that is attacked. It combines the user’s static password with a system-generated 10-digit CAPTCHA to produce a one-time password for the session.

But Citadel’s form grabbing gets the static part, and its screen capture grabs the second part. “This is a clever use of form grabbing and screen grabbing techniques by attackers,” says Klein. “It also demonstrates how enterprises that rely on strong authentication approaches are still at risk from targeted attacks if they lack cybercrime prevention security on endpoint devices.”

MitB malware is usually financially motivated. Its most common purpose is to steal bank credentials rather than VPN credentials. Infosecurity asked Trusteer for its thoughts on the motivation for this attack. “The technology is MitB – however the motivation is not necessarily financial,” said Oren Kedem, director of product marketing. He listed a range of possible targets, including access to the air traffic control system, and building infrastructure plans. Other possibilities are staff-related. “To get a list of employees in specific airport departments, in order to find potential accomplices to criminal endeavors,” he said. Or to get details on staff hiring policies or add a fake employee to the payroll.

In short, he told Infosecurity, the motive could be any of the primary criminal motivations: hacktivism (there are many environmental activists opposed to airports in general); fraud (via access to the payroll); drug trafficking (by finding loopholes in the airport’s physical security) – or terrorism. It is that last possibility that will be worrying the authorities – the potential combination of terrorists and criminals for hire.