Facebook users unknowingly infected with Citadel are shown a pop-up asking for a $1 donation to a children’s charity when they log into their Facebook account. It’s a worthwhile, humanitarian cause and the requested amount is small, so it’s a compelling request. But then, says Trusteer, “it asks users to fill in their credit card details,” so that the donation can be collected.
It’s a sophisticated attack. Trusteer notes five different language versions, with each version tailored not just to the language, but also the culture. The English version asks for money for Haitian orphans. “When you give to HPC,” it says, “99%... goes directly to programs that serve the poorest child in Haiti.” It gains credence from a genuine ‘HPC Children and Youth Ministry’ page on Facebook.
“In the Italian-language version of [the] attack,” writes Trusteer, “the criminals exploit the ‘Red Balloon’ campaign that was created to fight child mortality in Italy.” The injection code for the Spanish version contains a bug, so it returns the English-language text, but it is designed to exploit a Spanish nutrition program for infants and children. The German version seeks money for ChildFund Deutschland, and the Dutch version seeks support for Save The Children.
In all cases the user is then asked for his or her bank card details. “Using children’s charities as a scam makes this attack believable and effective,” warns Trusteer. “Meanwhile, the one dollar donation amount is low enough that virtually anyone can contribute if they choose. This is a well-designed method for stealing credit and debit card data on a massive scale.”