Trusteer has uncovered a Man in the Browser attack directed at VPN users at an international airport hub.

The hackers have used the trojan to steal airport employee credentials, with which they can then access internal airport applications. Having VPN access allowed the hackers to get into the system and tamper with any information and applications that particular employee is authorized to use.

The Citadel Trojan attack got the credentials through a combination of form grabbing and screen capture and was able to procure a username, password and one-time passcode from the airport’s authentication vendor.

With form grabbing, the attackers were able to steal the username and password. Through screen capture, the attackers could take a snapshot of the image created by the strong authentication product. Although the strong authentication tool can prevent attacks by a form grabber, the screen capture method allows the attacker to use the permutation of digits and one-time code to reproduce the static password.

Trusteer notes that these attacks are normally focused on financial services to conduct online banking fraud; however, they are being launched on other industries, making security and protection increasingly important to all businesses.