À la GOZeuS, an international, public-private collaboration seizes a banking Trojan's command and control servers.

Sara Peters, Senior Editor

July 10, 2014


A month after the GameOver ZeuS sting, another bank fraud group's operations have been disrupted by an international collaboration of security firms and law enforcement agencies. The new target is Shylock, a Trojan that has stolen from banks in the U.S., Italy, and especially the United Kingdom.

Today the U.K.'s National Crime Agency (NCA) announced that it has seized Shylock operators' command-and-control servers and taken control of the domains they use to communicate. The effort was led by NCA, and included the FBI, the European Cybercrime Centre at Europol, GCHQ, BAE Systems Applied Intelligence, Dell SecureWorks, Kaspersky Lab, the German Federal Police, and others in Italy, Turkey, France, Poland, and the Netherlands.

"The NCA is coordinating an international response to a cyber crime threat to businesses and individuals around the world," said Andy Archibald, Deputy Director of the NCA's National Cyber Crime Unit, in a statement. "This phase of activity is intended to have a significant effect on the Shylock infrastructure, and demonstrates how we are using partnerships across sectors and across national boundaries to cut cyber crime impacting the UK."

"The European Cybercrime Centre (EC3) is very happy about this operation against sophisticated malware, playing a crucial role in the work to take down the criminal infrastructure," said Troels Oerting, head of the European Cybercrime Centre (EC3) at Europol, in a statement. "EC3 has provided a unique platform and operational rooms equipped with state-of-the-art technical infrastructure and secure communication means, as well as cyber analysts and cyber experts. In this way we have been able to support frontline cyber investigators."

Shylock, first discovered in 2011, is named after the character Shylock in Shakespeare's "The Merchant of Venice," because the malware's code contains lines from the play. In March, Dell SecureWorks named Shylock one of the Top Banking Botnets of 2013, noting that it was responsible for 7% of the banking malware it detected (behind only GameOver ZeuS, Citadel, and other variants of ZeuS).

Symantec estimates that the gang behind Shylock has stolen several million dollars from victims over the past three years. Over 60,000 infections were detected in the past year. Shylock spreads through a wide variety of vectors, including phishing messages, "malvertising," malicious PDFs, drive-by downloads, fake browser updates, removable media devices, Skype instant messages, and man-in-the-browser attacks. It uses several exploit kits, including Blackhole, Cool, Magnitude, Nuclear, and Styx.

According to Symantec, Shylock uses a technique termed automated-transaction-service (ATS), which can automatically send a logged-in user's credentials to the attacker and initiate fraudulent transactions in the background. It can hide its tracks by modifying account balances and transaction records or adjusting percentages and values of funds to evade fraud detection logic.

It's proven itself capable of defeating banks' two-factor authentication. In some cases, the attackers posed as bank representatives, opening chat windows to talk to customers and directly request all the account information needed to transfer money from the customer's account to another one held by the criminals. They even distract users, if necessary, by popping up phony security alerts.

According to NCA, "Intelligence suggests that Shylock has to date targeted the UK more than any other country, although the suspected developers are based elsewhere."

Symantec estimates that the UK is Shylock's largest target by far, claiming about 30% of the attackers' efforts over the past year. Why? As Symantec explains:

Despite high infection numbers, the attackers have maintained a very narrow geographical focus. The UK is by far its largest target. The country has a large banking customer base, a high online banking adoption rate, and a high number of wealthy citizens. The UK also has a relatively small number of banks relative to its size. Since the attackers have to tailor the malware to perform attacks on individual banks, this makes the UK market doubly attractive.

Shylock is probably owned and operated by one group of malicious actors based in Eastern Europe, and may be offered as a service to other criminal groups, according to Jason Milletary, technical director for malware analysis on the Dell SecureWorks' Counter Threat Unit (CTU) research team that worked on this project. This model is quite similar to that of GOZeuS, and quite unlike malware like BlackShades, which is sold on the black market to anyone for about $40 a pop.

As Symantec describes it:

The Shylock gang is a professional organization which appears to operate out of Eastern Europe. The platform is almost certainly developed in Russia and the developers appear to work a typical nine to five day, from Monday to Friday, indicating that this is a full-time operation. The vast majority of binary compilations occurred on weekdays.

This effort to bring down Shylock is similar to the GOZeuS sting, not only because it's an international, public-private collaboration, but also because it aims at the criminal infrastructure rather than the malware or the criminals themselves.

When the GOZeuS sting was announced, law enforcement estimated that they could keep the malicious actors disrupted for roughly two weeks, expecting that it would take the bad guys about that long to set up new infrastructure. NCA has not released an estimate of how long they expect the Shylock operators to be out of commission.

That depends upon how motivated the criminals are, says Milletary. "The initial downtime might not be that long," he says, "but once you've started, you've got the process in place to continue to fight back. The groundwork has already been laid for a more significant disruption."

Milletary believes that "we'll continue to see these kinds of efforts going forward," because security companies will see value in collaborating not only with law enforcement but with their own competitors.

"A rising tide floats all boats," he says. "[Working together is] better for all our clients and the Internet in general."

About the Author(s)

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.

