Security researchers have discovered a new variant of the Citadel malware that injects itself into your Facebook web pages and demands that you make a donation to a fake charity for sick children. Please be warned: there are no children's charities that will ask you for a donation via Facebook. There are, however, individuals very interested in stealing your credit card number and other personal information (note: this is not the first time Facebook users have been specifically targeted, and it certainly won't be the last).
Once your computer is infected with the malware, it quickly injects itself into your Facebook session, as the screenshot above shows. After you log into your Facebook account, the Citadel injection mechanism displays a pop-up that encourages you to donate $1 to children who "desperately" need humanitarian aid. Next, it asks you for your name, credit card number, expiration date, CVV, and security password.
What makes this attack particularly sophisticated is that the malware is configured to use different scam text depending on your country and language, according to Trusteer. The scammers use domains such as hopeforthepoorchildren.org, fundcauses.com, lwbspain.blogspot.ca, and childfund.de to push the scam in at least five different languages: English, Italian, Spanish, German, and Dutch.
The English version of the attack asks you to make a $1 donation for Haitian children living in poverty. Here's the text in question (please note that the scammers can change the scam's wording as they please):
You can save a life with only $1. When you give to HPC, 99% of every dollar "cash plus gifts-in-kind" goes directly to programs that serve the poorest child in Haiti. We work currently with two orphanages and elementary school, we are seeking donations. Please donate and help us spread the word to your friends, families, etc. Click to donate to make a difference! All you give, they'll be much appreciated. We appreciate your interest and hope that you will open your hearts and donate to better the lives and futures of those in need. If you have any questions before you donate please do not hesitate to contact us. We treat personal information with the utmost respect for your privacy. Click the button above. Thank you.
The Italian version exploits the Red Balloon campaign that was created to fight child mortality in Italy. The criminals claim that the campaign has already collected more than 1 million euros for sick children and point out that more than 7 million children die from basic illnesses each year. Here's the text in question, translated here from the Italian (again, the scammers can change the scam's wording as they please):
Inflate a red balloon and save a child's life with Save the Children! NOTE: Save the Children's red balloon, the symbol of the fight against child mortality, has never stopped, and the Every One campaign has already raised more than one million euros. Every year, around the world, more than 7 million children die of easily treatable causes: keep supporting Save the Children's projects to save them!
Trusteer found that the Spanish version had a bug in the injection code that makes it fall back to the English version of the text. The fraudsters' intention was to exploit a well-known Spanish nutrition program for infants and children, which collects donations as well as purchases, and then sends pictures of the children to donors. A bit of searching on Google leads me to believe that this is the Spanish text that you're supposed to see (translated here from the Spanish):
These little ones, lined up for the photo, are part of our nutrition program in Jiangmen, Guangdong Province. The program began in 2011 when an adoptive father drew our attention to these children's need for fortified milk. Our program is as small as it is new, but we serve about 10 babies and children. We send a shipment of milk every quarter and receive new photos of the children in return. With the rising price of milk, it has become harder and harder to keep the bottles full! You can make a difference in a child's life with a monthly donation of 20 euros, or with a one-off donation of any amount. Donors will receive quarterly photos and updates.
The German version urges you to make a donation to ChildFund. Here's the text in question, translated here from the German (the scammers can change the scam's wording as they please):
One-time or regular: every contribution helps. With every amount, however small, you support our shared cause of giving children in need and their families a future they would not have without our help. Your donation takes only a few minutes and pays off many times over for children in need. Help us! Donate hope. Because every day counts! We thank you very warmly in advance for your commitment.
The Dutch version asks you for a donation to Save the Children. The following text (translated here from the Dutch) was not reposted anywhere online, leading me to believe that this one has already been changed by the cybercriminals to something else:
Save the Children has been working for 90 years to save children's lives, make their dreams come true and give their future a chance. We save children's lives, fight for their rights and help children grow. That is how we save children's dreams and futures. Support us once with 1 eur
This attack is a massive undertaking. The cybercriminals behind this scam are likely very well organized and have been pushing very hard to spread it on Facebook. If you've discovered that you are affected by this attack, use an antivirus program (such as Microsoft Security Essentials) to clean your system before using the social network again.
"This attack illustrates the continuing customization of financial malware and harvesting of credit card data from the global base of Facebook users. Using children’s charities as a scam makes this attack believable and effective," a Trusteer spokesperson said in a statement. "Meanwhile, the one dollar donation amount is low enough that virtually anyone can contribute if they choose. This is a well-designed method for stealing credit and debit card data on a massive scale."
As a general word of caution, don't hand over any of your credentials via Facebook unless you are absolutely certain that the request is coming from the social network. While there are some services that ask for your credit card, that will happen on their official Facebook Page, not in a random pop-up spamming you to donate. If you want to warn Facebook about this scam, feel free to contact Facebook Security.