Attacks/Breaches
7/10/2014
04:50 PM

Global Law Enforcement, Security Firms Team Up, Take Down Shylock

A la GOZeuS, an international, public-private collaboration seizes a banking Trojan's command and control servers.

A month after the GameOver ZeuS sting, another bank fraud group's operations have been disrupted by an international collaboration of security firms and law enforcement agencies. The new target is Shylock, a Trojan that has stolen from banks in the U.S., Italy, and especially the United Kingdom.

Today the U.K.'s National Crime Agency (NCA) announced that it has seized Shylock operators' command-and-control servers and taken control of the domains they use to communicate. The effort was led by NCA, and included the FBI, the European Cybercrime Centre at Europol, GCHQ, BAE Systems Applied Intelligence, Dell SecureWorks, Kaspersky Lab, the German Federal Police, and others in Italy, Turkey, France, Poland, and the Netherlands.

“The NCA is coordinating an international response to a cyber crime threat to businesses and individuals around the world," said Andy Archibald, Deputy Director of the NCA’s National Cyber Crime Unit, in a statement. "This phase of activity is intended to have a significant effect on the Shylock infrastructure, and demonstrates how we are using partnerships across sectors and across national boundaries to cut cyber crime impacting the UK."

“The European Cybercrime Centre (EC3) is very happy about this operation against sophisticated malware, playing a crucial role in the work to take down the criminal infrastructure," said Troels Oerting, head of the European Cybercrime Centre (EC3) at Europol, in a statement. "EC3 has provided a unique platform and operational rooms equipped with state-of-the-art technical infrastructure and secure communication means, as well as cyber analysts and cyber experts. In this way we have been able to support frontline cyber investigators."

Shylock, first discovered in 2011, is named after the character Shylock in Shakespeare's "The Merchant of Venice," because the malware's code contains lines from the play. In March, Dell SecureWorks named Shylock one of the Top Banking Botnets of 2013, citing that it was responsible for 7% of the banking malware it detected (behind only GameOver ZeuS, Citadel, and other variants of ZeuS).

Symantec estimates that the gang behind Shylock has stolen several million dollars from victims over the past three years. Over 60,000 infections were detected in the past year. Shylock spreads through a wide variety of vectors, including phishing messages, "malvertising," malicious PDFs, drive-by downloads, fake browser updates, removable media devices, Skype instant messages, and man-in-the-browser attacks. It uses several exploit kits, including Blackhole, Cool, Magnitude, Nuclear, and Styx.

According to Symantec, Shylock uses a technique termed automated-transaction-service (ATS), which can automatically send a logged-in user's credentials to the attacker and initiate fraudulent transactions in the background. It can hide its tracks by modifying account balances and transaction records or adjusting percentages and values of funds to evade fraud detection logic.

It's proven itself capable of defeating banks' two-factor authentication. In some cases, the attackers posed as bank representatives, opening chat windows to talk to customers and directly request all the account information needed to transfer money from the customer's account to another one held by the criminals. They even distract users, if necessary, by popping up phony security alerts.

According to NCA, "Intelligence suggests that Shylock has to date targeted the UK more than any other country, although the suspected developers are based elsewhere."

Symantec estimates that the UK is Shylock's largest target by far, claiming about 30% of the attackers' efforts over the past year. Why? As Symantec explains:

Despite high infection numbers, the attackers have maintained a very narrow geographical focus. The UK is by far its largest target. The country has a large banking customer base, a high online banking adoption rate, and a high number of wealthy citizens. The UK also has a relatively small number of banks relative to its size. Since the attackers have to tailor the malware to perform attacks on individual banks, this makes the UK market doubly attractive.

Shylock is probably owned and operated by one group of malicious actors based in Eastern Europe, and may be offered as a service to other criminal groups, according to Jason Milletary, technical director for malware analysis on Dell SecureWorks' Counter Threat Unit (CTU) research team, which worked on this project. This model is quite similar to that of GOZeuS, and quite unlike malware like BlackShades, which is sold on the black market to anyone for about $40 a pop.

As Symantec describes it:

The Shylock gang is a professional organization which appears to operate out of Eastern Europe. The platform is almost certainly developed in Russia and the developers appear to work a typical nine to five day, from Monday to Friday, indicating that this is a full-time operation. The vast majority of binary compilations occurred on weekdays.
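The inference in Symantec's passage above (weekday, office-hour build timestamps point to a full-time team) is a standard piece of threat-intelligence analysis. The following is an added example, not code from the Dark Reading article or from Symantec's report: it takes a list of build timestamps of the kind recovered from a PE header's TimeDateStamp field, buckets them by local weekday and hour, and searches for the UTC offset that best explains a nine-to-five pattern. The timestamps are constructed sample values, the assumed developer time zone (UTC+4) exists only to build that sample, and the 09:00 to 18:00 working window and 75% threshold are assumptions, not figures from the page.

```python
"""
Added example, not code from the Dark Reading article or from Symantec's
Shylock report: bucket malware build timestamps by local weekday and hour,
and estimate which UTC offset best explains a Monday-to-Friday, nine-to-five
pattern. All timestamps below are constructed sample data.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

# Assumed office hours for the test: 09:00 up to, but not including, 18:00.
WORK_START, WORK_END = 9, 18

# Assumed developer time zone, used only to construct the sample data (UTC+4).
_DEV_TZ = timezone(timedelta(hours=4))


def _ts(year, month, day, hour, minute):
    """Epoch seconds for a constructed local build time in _DEV_TZ."""
    return int(datetime(year, month, day, hour, minute, tzinfo=_DEV_TZ).timestamp())


# Constructed sample of what a PE header's TimeDateStamp field might hold for a
# dozen builds: ten on weekday office hours, one Saturday build and one
# late-evening build, the outliers an analyst would expect to see.
SAMPLE_TIMESTAMPS = [
    _ts(2013, 3, 4, 10, 15),   # Mon
    _ts(2013, 3, 5, 11, 40),   # Tue
    _ts(2013, 3, 6, 14, 5),    # Wed
    _ts(2013, 3, 7, 16, 30),   # Thu
    _ts(2013, 3, 8, 9, 50),    # Fri
    _ts(2013, 3, 11, 13, 20),  # Mon
    _ts(2013, 3, 12, 15, 10),  # Tue
    _ts(2013, 3, 13, 10, 45),  # Wed
    _ts(2013, 3, 14, 12, 0),   # Thu
    _ts(2013, 3, 16, 13, 0),   # Sat (weekend outlier)
    _ts(2013, 3, 19, 22, 30),  # Tue, late evening (after-hours outlier)
    _ts(2013, 3, 20, 17, 15),  # Wed
]


def build_histogram(timestamps, utc_offset_hours):
    """Count builds per (weekday, hour) after shifting to the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hist = Counter()
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz=tz)
        hist[(WEEKDAYS[local.weekday()], local.hour)] += 1
    return hist


def business_hour_share(timestamps, utc_offset_hours):
    """Fraction of builds that land on Mon-Fri between WORK_START and WORK_END."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    in_hours = 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz=tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            in_hours += 1
    return in_hours / len(timestamps)


def estimate_utc_offset(timestamps):
    """Whole-hour UTC offset (-12..+14) that maximises the business-hour share.

    A sharp peak at one offset suggests a team keeping office hours in that
    zone; a flat curve suggests automated or round-the-clock building.
    """
    return max(range(-12, 15), key=lambda off: business_hour_share(timestamps, off))


def looks_like_full_time_operation(timestamps, utc_offset_hours, threshold=0.75):
    """True when at least `threshold` of the builds fall inside office hours."""
    return business_hour_share(timestamps, utc_offset_hours) >= threshold


if __name__ == "__main__":
    offset = estimate_utc_offset(SAMPLE_TIMESTAMPS)
    print(f"best-fitting UTC offset: {offset:+d}")
    print(f"office-hour share at that offset: "
          f"{business_hour_share(SAMPLE_TIMESTAMPS, offset):.2f}")
    hist = build_histogram(SAMPLE_TIMESTAMPS, offset)
    for (day, hour), n in sorted(hist.items(),
                                 key=lambda kv: (WEEKDAYS.index(kv[0][0]), kv[0][1])):
        print(f"  {day} {hour:02d}:00  {'#' * n}")
    print("full-time pattern:", looks_like_full_time_operation(SAMPLE_TIMESTAMPS, offset))
```

Compile timestamps are trivially forgeable, so this reasoning only carries weight over a large sample in which the pattern is consistent; on the constructed data the search recovers the UTC+4 zone the sample was built in, with ten of twelve builds inside office hours.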

This effort to bring down Shylock is similar to the GOZeuS sting, not only because it's an international, public-private collaboration, but also because it aims at the criminal infrastructure rather than the malware or the criminals themselves.

When the GOZeuS sting was announced, law enforcement estimated that they could keep the malicious actors disrupted for roughly two weeks, expecting that it would take the bad guys about that long to set up new infrastructure. NCA has not released an estimate of how long they expect the Shylock operators to be out of commission.

That depends upon how motivated the criminals are, says Milletary. "The initial downtime might not be that long," he says, "but once you've started, you've got the process in place to continue to fight back. The groundwork has already been laid for a more significant disruption."

Milletary believes that "we'll continue to see these kinds of efforts going forward," because security companies will see value in collaborating not only with law enforcement but with their own competitors.

"A rising tide floats all boats," he says. "[Working together is] better for all our clients and the Internet in general."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
7/15/2014 | 9:56:56 AM
Re: takedown season
It does seem counterintuitive. But I wonder if it's just a stopgap measure until they rebuild a more sophisticated infrastructure again. The only sure thing is they are making money and they will keep coming back from the dead after each disruption op.
Sara Peters,
User Rank: Author
7/15/2014 | 9:43:33 AM
Re: takedown season
@Kelly I know, right? It's been exhausting. I find the latest GOZeus news interesting, because although there's some kind of resurgence, they've made the attack less sophisticated than it was before... I don't know what that means, but I think it must mean something.
Kelly Jackson Higgins,
User Rank: Strategist
7/11/2014 | 12:08:24 PM
takedown season
Lots of takedowns happening lately, which is progress. But then there's that problem of re-invention and resurgence. Even so, the more pressure on the bad guys from more sources, the better.