If you say so it must be true, or maybe not?
In this case, a Citadel (18.104.22.168) infection asks for credentials after visiting some well known websites like Facebook, MSN or even Gmail.
The process is as follows:
After the infection, it starts monitoring the user’s browsing looking for URLs within the config file of the trojan.
In that moment, it injects some HTML extra code altering the look and feel of the web page showing a message to lure the user into thinking he has to introduce a number of personal and banking information in order to confirm his identity.
If the victim fulfill the form, the data will be sent to a server controlled by the fraudsters to their own profit.
The injection used is quite generic as it is almost the same for the different providers. It also seems that the Amazon one is in english for all countries as seen in the above screenshot, and the one from Netflix is some kind misplaced:
As a final notice, just remember these kind of trojans are sometimes difficult to spot for an average computer user as they remains hidden and silently capturing data, so a clear sign of infection are such web page modifications showed in this post. In case of doubt, contact with the bank or service provider before enter any personal data.