Just when you thought that you had made it safely away from Wirelurker and successfully sidestepped Masque Attack, there is another piece of malware that wants to part you from your carefully stored personal data.
But this time the sneaky bugger isn’t after just any password, it’s after the mother of all passwords: the secret phrase that you use to access your password vault (if you use one). For those slightly confused, a password vault programme is an application that stores all your passwords to a variety of websites and login services. The principle is that you can use super-obscure, completely random passwords for websites without worrying about having to remember them. All you need is one memorable but secure password for your vault.
The danger is that if hackers were to gain access to that, they would virtually own your life.
According to research from data-protection company IBM Trusteer, there is a configuration file in the Citadel trojan that hackers altered so that it starts up a keylogger when open source password managers Password Safe or KeePass is executed.
Dana Tamir, director of enterprise security for IBM Trusteer, explained that while there is a relatively low risk of attack now, the better the hackers get at refining the intrusive piece of technology, the more prevalent attacks can be in the future.
“Once the malware captures this master key, then they can use that master key to exercise complete control over the machine and any of the user’s online accounts,” she told Ars Technica.
Tamir also warned that the Citadel Trojan is very dangerous and can make its way past most malware or antivirus detection applications.
“It is important to note that Citadel is highly evasive and can bypass most threat detection security systems. It can stay idle on a user’s machine for weeks, months and even years until it is triggered by a user action. This means that many users and organizations do not know that their machines are already infected, and the existing infection can be quickly turned against them,” she explained in a blog post.
She added that even though the two open source password managers have come under attack, password managers in general are still better than just having a few passwords that get rotated by users to access different sites.
If you do use a password vault (and we highly recommend you do), there is a way to combat keyloggers: turn on two-factor authentication if possible. Both of the open source managers listed above have two-factor plugins, and most of the commercial alternatives (like LastPass) also support it.
[Source – Ars Technica, image – Shutterstock]