Dark Reading is part of the Informa Tech Division of Informa PLC




Global Law Enforcement, Security Firms Team Up, Take Down Shylock

A la GOZeuS, an international, public-private collaboration seizes a banking Trojan's command and control servers.

A month after the GameOver ZeuS sting, another bank fraud group's operations has been disrupted by an international collaboration of security firms and law enforcement agencies. The new target is Shylock, a Trojan that has stolen from banks in the U.S., Italy, and especially the United Kingdom.

Today the U.K.'s National Crime Agency (NCA) announced that it has seized Shylock operators' command-and-control servers and taken control of the domains they use to communicate. The effort was led by NCA, and included the FBI, the European Cybercrime Centre at Europol, GCHQ, BAE Systems Applied Intelligence, Dell SecureWorks, Kaspersky Lab, the German Federal Police, and others in Italy, Turkey, France, Poland, and the Netherlands.

"The NCA is coordinating an international response to a cyber crime threat to businesses and individuals around the world," said Andy Archibald, Deputy Director of the NCA's National Cyber Crime Unit, in a statement. "This phase of activity is intended to have a significant effect on the Shylock infrastructure, and demonstrates how we are using partnerships across sectors and across national boundaries to cut cyber crime impacting the UK."

"The European Cybercrime Centre (EC3) is very happy about this operation against sophisticated malware, playing a crucial role in the work to take down the criminal infrastructure," said Troels Oerting, head of the European Cybercrime Centre (EC3) at Europol, in a statement. "EC3 has provided a unique platform and operational rooms equipped with state-of-the-art technical infrastructure and secure communication means, as well as cyber analysts and cyber experts. In this way we have been able to support frontline cyber investigators."

Shylock, first discovered in 2011, is named after the character Shylock in Shakespeare's "The Merchant of Venice," because the malware's code contains lines from the play. In March, Dell SecureWorks named Shylock one of the Top Banking Botnets of 2013, citing that it was responsible for 7% of the banking malware it detected (behind only GameOver ZeuS, Citadel, and other variants of ZeuS).

Symantec estimates that the gang behind Shylock has stolen several million dollars from victims over the past three years. Over 60,000 infections were detected in the past year. Shylock spreads through a wide variety of vectors, including phishing messages, "malvertising," malicious PDFs, drive-by downloads, fake browser updates, removable media devices, Skype instant messages, and man-in-the-browser attacks. It uses several exploit kits, including Blackhole, Cool, Magnitude, Nuclear, and Styx.

According to Symantec, Shylock uses a technique termed automated-transaction-service (ATS), which can automatically send a logged-in user's credentials to the attacker and initiate fraudulent transactions in the background. It can hide its tracks by modifying account balances and transaction records or adjusting percentages and values of funds to evade fraud detection logic.
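The paragraph above notes that ATS fraud keeps individual transfers shaped to slip past fraud-detection logic. The following is an added example, not code from the article or from any of the firms it quotes: it runs a naive per-transaction rule and a windowed velocity rule over a constructed transaction log (hypothetical account and payee ids) to show why aggregating per account and payee catches structured background transfers that a single-transaction threshold misses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transaction log; account ids, payees and amounts are
# hypothetical. The A1 transfers model ATS-style background fraud: several
# transfers to a new payee, each kept below the per-transaction limit.
SAMPLE_TXNS = [
    {"ts": "2014-07-10T09:00:00", "account": "A1", "payee": "P-NEW", "amount": 480.0},
    {"ts": "2014-07-10T09:04:00", "account": "A1", "payee": "P-NEW", "amount": 495.0},
    {"ts": "2014-07-10T09:09:00", "account": "A1", "payee": "P-NEW", "amount": 470.0},
    {"ts": "2014-07-10T09:13:00", "account": "A1", "payee": "P-NEW", "amount": 490.0},
    {"ts": "2014-07-10T12:00:00", "account": "A2", "payee": "P-RENT", "amount": 850.0},
]

PER_TXN_LIMIT = 500.0            # naive rule: flag a single transfer above this
WINDOW = timedelta(minutes=30)   # velocity rule: aggregate per (account, payee) in this window
AGG_LIMIT = 1000.0               # velocity rule: flag when the windowed sum exceeds this


def naive_rule(txns):
    """Per-transaction threshold only: every structured A1 transfer passes,
    while the legitimate A2 rent payment is the one that gets flagged."""
    return [t for t in txns if t["amount"] > PER_TXN_LIMIT]


def velocity_rule(txns):
    """Flag (account, payee) pairs whose transfers inside any WINDOW-long
    span sum past AGG_LIMIT; returns the largest windowed total per pair."""
    by_pair = defaultdict(list)
    for t in sorted(txns, key=lambda t: t["ts"]):
        ts = datetime.fromisoformat(t["ts"])
        by_pair[(t["account"], t["payee"])].append((ts, t["amount"]))
    flagged = {}
    for pair, events in by_pair.items():
        start, total = 0, 0.0
        for ts, amount in events:
            total += amount
            # Slide the window start forward until it fits inside WINDOW.
            while ts - events[start][0] > WINDOW:
                total -= events[start][1]
                start += 1
            if total > AGG_LIMIT:
                flagged[pair] = max(flagged.get(pair, 0.0), round(total, 2))
    return flagged


if __name__ == "__main__":
    print("naive:", [t["account"] for t in naive_rule(SAMPLE_TXNS)])
    print("velocity:", velocity_rule(SAMPLE_TXNS))
```

In a real deployment the ledger the rule reads must be the bank's server-side record, never anything echoed back from the client, since the article notes the malware rewrites balances and transaction records in the browser.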

It's proven itself capable of defeating banks' two-factor authentication. In some cases, the attackers posed as bank representatives, opening chat windows to talk to customers and directly request all the account information needed to transfer money from the customer's account to another one held by the criminals. They even distract users, if necessary, by popping up phony security alerts.

According to NCA, "Intelligence suggests that Shylock has to date targeted the UK more than any other country, although the suspected developers are based elsewhere."

Symantec estimates that the UK is Shylock's largest target by far, claiming about 30% of the attackers' efforts over the past year. Why? As Symantec explains:

Despite high infection numbers, the attackers have maintained a very narrow geographical focus. The UK is by far its largest target. The country has a large banking customer base, a high online banking adoption rate, and a high number of wealthy citizens. The UK also has a relatively small number of banks relative to its size. Since the attackers have to tailor the malware to perform attacks on individual banks, this makes the UK market doubly attractive.

Shylock is probably owned and operated by one group of malicious actors based in Eastern Europe, and may be offered as a service to other criminal groups, according to Jason Milletary, technical director for malware analysis on Dell SecureWorks' Counter Threat Unit (CTU) research team, which worked on this project. This model is quite similar to that of GOZeuS, and quite unlike malware like BlackShades, which is sold on the black market to anyone for about $40 a pop.

As Symantec describes it:

The Shylock gang is a professional organization which appears to operate out of Eastern Europe. The platform is almost certainly developed in Russia and the developers appear to work a typical nine to five day, from Monday to Friday, indicating that this is a full-time operation. The vast majority of binary compilations occurred on weekdays.

This effort to bring down Shylock is similar to the GOZeuS sting, not only because it's an international, public-private collaboration, but also because it aims at the criminal infrastructure rather than the malware or the criminals themselves.

When the GOZeuS sting was announced, law enforcement estimated that they could keep the malicious actors disrupted for roughly two weeks, expecting that it would take the bad guys about that long to set up new infrastructure. NCA has not released an estimate of how long they expect the Shylock operators to be out of commission.

That depends upon how motivated the criminals are, says Milletary. "The initial downtime might not be that long," he says, "but once you've started, you've got the process in place to continue to fight back. The groundwork has already been laid for a more significant disruption."

Milletary believes that "we'll continue to see these kinds of efforts going forward," because security companies will see value in collaborating not only with law enforcement but with their own competitors.

"A rising tide floats all boats," he says. "[Working together is] better for all our clients and the Internet in general."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Kelly Jackson Higgins, User Rank: Strategist
7/15/2014 | 9:56:56 AM
Re: takedown season
It does seem counterintuitive. But I wonder if it's just a stopgap measure until they rebuild a more sophisticated infrastructure again. The only sure thing is they are making money and they will keep coming back from the dead after each disruption op.
Sara Peters, User Rank: Author
7/15/2014 | 9:43:33 AM
Re: takedown season
@Kelly I know, right? It's been exhausting. I find the latest GOZeus news interesting, because although there's some kind of resurgence, they've made the attack less sophisticated than it was before... I don't know what that means, but I think it must mean something.
Kelly Jackson Higgins, User Rank: Strategist
7/11/2014 | 12:08:24 PM
takedown season
Lots of takedowns happening lately, which is progress. But then there's that problem of re-invention and resurgence. Even so, the more pressure on the bad guys from more sources, the better.