How Malware Can Con You Into Giving Up Your PIN
NEW YORK (BankingMyWay) — Can websites be “sinister”?
Actually, they can, if they contain malware called the Citadel Trojan, which can lead to identity theft against millions of mobile banking customers.
NBC.com found out the hard way back in February, when its website was attacked with the Trojan. Dozens of other mainstream sites have fallen victim to the Citadel Trojan as well, and a mobile banking payment site has joined the list.
Payza, a New York City-based online payments company, alerted its 10 million members that the Trojan has been “targeting Payza users,” as the company puts it in a statement released Friday.
Payza is careful to say that the malware doesn’t affect its website, but users can fall victim to the Citadel Trojan if they’re not careful.
"This type of malware doesn't affect our technology, our platform or our website," commented Alastair Graham, CEO of Payza. "But obviously we are concerned for any member who might fall prey to this deceptive piece of malware. Anyone can be deceived by this Trojan, whether they are in Mumbai or Dallas, so it's important that we provide proactive information for all our users."
In a blog post advising customers how to thwart the malware, Payza says:
Citadel is different from a typical phishing scam because in this case, the identity thieves attempt to collect your information by altering Payza’s actual login page.
The Citadel code adds the “PIN” field to the Payza login page. The Payza transaction PIN is used every time a user wants to send funds, add funds, withdraw funds or make a payment. By obtaining the victim’s email, password and PIN number, a cybercriminal can take over the account and commit fraudulent transactions.
The malware targets individual computers and mobile devices, changing what customers see when they log on to the Payza site. Instead of seeing the familiar log-in page with just an email and password prompt, they see a page to which the Citadel Trojan has added a “PIN” prompt. When users enter the number, cyber thieves can pick it up and use it to break into the consumer’s bank accounts.
Only end users whose computers are already infected with the Trojan are vulnerable; those who see a log-in page with the additional “PIN” prompt should log off without entering their PIN and contact Payza right away.
"Payza would never ask you for your password and your transaction PIN on the same page," says Payza's CTO, Ali Nizameddine. "Users who see this false login page should contact Payza Customer Support immediately and ask them to reset their password and review their account for suspicious activity."
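The rule the CTO states (password and transaction PIN never requested on the same page) can be checked mechanically against a copy of the login page as a user's browser rendered it, for instance one saved and sent to support. The following Python is an added example, not Payza's code; the field names, the PIN hint and both sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumptions for this example: the genuine form's field names and a PIN hint.
EXPECTED_FIELDS = {"email", "password"}
PIN_HINTS = ("pin",)
NON_ENTRY_TYPES = {"hidden", "submit", "button", "image", "reset"}

class FormFieldCollector(HTMLParser):
    """Collects the names of user-entry <input> fields, one set per <form>."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = set()
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() not in NON_ENTRY_TYPES:
                self._current.add((attrs.get("name") or attrs.get("id") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_page(html, expected=EXPECTED_FIELDS):
    """Return findings for fields a captured login page should not contain."""
    collector = FormFieldCollector()
    collector.feed(html)
    findings = []
    for names in collector.forms:
        for extra in sorted(names - set(expected)):
            findings.append(("unexpected_field", extra))
            # The invariant from the article: password and PIN never together.
            if "password" in names and any(h in extra for h in PIN_HINTS):
                findings.append(("password_and_pin_on_same_form", extra))
    return findings

# Constructed sample pages (not Payza's markup).
CLEAN_PAGE = """<form action="/login" method="post">
<input type="email" name="email"><input type="password" name="password">
<input type="hidden" name="csrf_token" value="x"><input type="submit" value="Log in">
</form>"""
TAMPERED_PAGE = CLEAN_PAGE.replace(
    '<input type="hidden"',
    '<input type="password" name="pin" placeholder="PIN"><input type="hidden"')

if __name__ == "__main__":
    print(audit_login_page(CLEAN_PAGE))
    print(audit_login_page(TAMPERED_PAGE))
```

Because the extra field is added on the infected machine, the same page fetched directly from the server comes back clean; the check is only meaningful when run on what the user actually saw.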
Payza also advises users to install an anti-malware program on their computers and mobile devices; that should help keep the Citadel Trojan at bay for good and ID thieves out of your bank account.