It sounds like an air traveler’s nightmare, Researchers at Trusteer recently uncovered a variant of the Citadel Trojan targeting the virtual private network (VPN) credentials used by employees at a major airport.The firm would not disclose the name of the airport because the situation is being investigated by law enforcement.
Many businesses use VPNs to provide outside workers with access to secure data. Incursions on these networks often involve advanced “Man in the Browser” malware such as the Citadel, Zeus, and SpyEye programs. The man-in-the-browser (MITB) assault first used form-grabbing malware, which steals data entered into web forms before it is passed over the internet, to steal the airport employees' VPN usernames and passwords, Amit Klein, Trusteer's chief technology officer, said in a blog post.
“This was potentially very dangerous, but we don’t know whether the attacker group was targeting the financial system of the airport for economic gain or if the attack was terrorism-related,”
The airport VPN was immediately disconnected after officials there were made aware of the breach and authorities are investigating.
The product that the airport was using to provide strong authentication for employees gave each user two choices: log in with a username and a one-time password that's sent via SMS or a smartphone app; or log in using a CAPTCHA-like image of 10 digits that the user maps to his own static password. The Citadel malware used the screen-capture tactic to defeat this.
"This security measure prevents the form grabber from capturing the actual static password. This is where the screen capturing feature in Citadel kicks in," Klein said.
Trusteer doesn't know who the attackers are and what they are after, but Kedem says they could be trying to gather intelligence on airport security processes, or even the border customs service.He says the attack appears to be very targeted, and the bottom line is that VPN connections are not safe.
In addition to using endpoint cybercrime prevention software, Kedem also advises users to abide by standard practices for preventing infection: avoid opening unknown attachments or clicking links in emails.