New Malware Targeting Payza, AlertPay
CYBERSPACE – A new variant of the Citadel malware designed to steal login credentials from clients of payment platform Payza and its subsidiary AlertPay has been discovered “in the wild.” Both platforms are employed by adult affiliate programs, websites and traffic networks.
In a Thursday blog post, the security team at Trusteer described the Citadel variant as a classic “Man in the Browser” attack.
“The Citadel code adds the ‘Pin’ field to the Payza login page,” Trusteer’s Etay Maor wrote in the post. “The Payza transaction pin is used every time a user wants to send funds, add funds, withdraw funds or make a payment. By obtaining the victim’s email, password and pin number, a cybercriminal can take over the account and commit fraudulent transactions.”
According to Maor, the malware targets two URLs: secure.Payza.com/login and AlertPay.com.
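The injection Maor describes is an extra form field that the genuine login page never serves. One defender-side check for that class of tampering is to compare the input names actually present in a rendered login form against an allow-list of the fields the server sends. The script below is an added example, not Trusteer's or Payza's code; the sample page, the form id `login` and the expected field set are constructed assumptions.

```python
from html.parser import HTMLParser

# Constructed sample: a login form as a browser might render it after a
# Man-in-the-Browser injection added a "pin" input the real page never served.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form id="login" action="/login" method="post">
  <input type="email" name="email">
  <input type="password" name="password">
  <input type="text" name="pin">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

# Assumed allow-list of fields the genuine login form carries (not Payza's real form).
EXPECTED_LOGIN_FIELDS = {"email", "password"}


class FormFieldCollector(HTMLParser):
    """Collects the name of every data-carrying <input> inside each <form>."""

    def __init__(self):
        super().__init__()
        self.forms = {}          # form id (or action) -> set of input names
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("id") or a.get("action") or "<anonymous>"
            self.forms.setdefault(self._current, set())
        elif tag == "input" and self._current is not None:
            # Buttons carry no user data; every other input type is compared.
            if a.get("type", "text").lower() not in ("submit", "button", "reset", "image"):
                if a.get("name"):
                    self.forms[self._current].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_injected_fields(html, form_id, expected):
    """Return sorted input names present in the rendered form but missing
    from the allow-list; a non-empty result flags a modified login page."""
    collector = FormFieldCollector()
    collector.feed(html)
    return sorted(collector.forms.get(form_id, set()) - set(expected))


if __name__ == "__main__":
    print(find_injected_fields(SAMPLE_LOGIN_PAGE, "login", EXPECTED_LOGIN_FIELDS))
```

The same comparison can be run from a page-integrity script served with the form, or against a DOM snapshot collected from an infected host during incident response.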
Once thought to be in decline, Citadel-based attacks have shown renewed vigor this year, according to a February report [PDF] from antivirus firm McAfee. Researchers say variants of the malware have branched out from their original purpose of bank fraud and now also aim at other businesses and government agencies. McAfee’s report indicates Citadel attacks are particularly prevalent in Poland, Denmark and Sweden.
The new Payza- and AlertPay-directed variant is especially noteworthy because it attacks smaller payment platforms that specialize in underserved, developing markets. Payza’s network includes offices in Dhaka, Bangladesh, Solna and Mumbai, for example. Smaller targets often are eschewed by cybercriminals because larger, wealthier areas typically produce a greater return on investment in less time. Researchers pointed out, though, that attacks on smaller markets and platforms often go undetected longer, thereby exposing more users to infection.