Trusteer researchers recently came across a new version of the Citadel Trojan that automatically customizes the content of fraudulent Web sites for the language of each market and for the specific brand being targeted.

"[T]he authors of this Citadel variant have taken the time to customize the HTML injections for multiple brands in multiple languages," Trusteer's Etay Maor wrote in a blog post. "The targets of this variant include social networks, banks, and major ecommerce sites, including Amazon.com. The Citadel authors created HTML injection scripts for Italian, Spanish, French and German targets as well as British, Canadian, Australian and American versions of each brand."

Once a device is infected, according to Maor, the new variant displays a customized injection screen whenever the victim visits the targeted Web site.


"The sophistication of the malware combined with the low profile maintained by the criminal gang suggests that this is the work of a highly sophisticated cybercrime team," Maor notes. "The use of a single variant that is capable of targeting multiple international brands provides a significant advantage in the monetizing process that follows."