Shylock Malware Infrastructure Targeted by International Authorities

Law enforcement agencies and cybersecurity firms have teamed up in an operation aimed at Shylock, a widely distributed piece of malware used by cybercriminals to steal banking credentials.

The United Kingdom’s National Crime Agency (NCA), the Government Communications Headquarters (GCHQ), the German Federal Police (BKA), the FBI, Europol, Kaspersky Lab, Dell SecureWorks, and BAE Systems Applied Intelligence have taken part in the operation in which command and control (C&C) servers and domains used by Shylock have been seized.

On Tuesday and Wednesday, the European Cybercrime Centre (EC3) at Europol coordinated the efforts of law enforcement agencies in the UK, the US, Italy, the Netherlands, Turkey, Germany, France and Poland. During the operation, several previously unknown components of the Shylock infrastructure were identified and taken down, Europol said.

“The European Cybercrime Centre (EC3) is very happy about this operation against sophisticated malware, playing a crucial role in the work to take down the criminal infrastructure. EC3 has provided a unique platform and operational rooms equipped with state-of-the-art technical infrastructure and secure communication means, as well as cyber analysts and cyber experts,” noted Troels Oerting, the head of the EC3.

“It has been a pleasure for me to see the international cooperation between police officers and prosecutors from many countries, and we have again tested our improved ability to rapidly react to cyber threats in or outside the EU. It’s another step in the right direction for law enforcement and prosecutors in the EU and I thank all involved for their huge commitment and dedication. A specific thanks goes to Kaspersky Lab who have contributed significantly to the successful outcome of the operation – and our cooperation continues to grow in this and future cases,” Oerting added.

Shylock, which is also known as Caphaw, has been around since 2011 and it has infected at least 30,000 computers, according to Europol. Most of the victims are located in the United Kingdom, but infections have also been seen in Turkey, Italy, the United States and Denmark.

Cybercriminals usually distribute the Trojan using spam campaigns and drive-by download attacks. After infecting a device, the threat hooks into Web browser processes and monitors the victim’s activity. When a targeted financial website is visited, Shylock injects JavaScript and HTML code into webpages to trick users into handing over their personal details to the attackers. The Trojan can also capture screenshots and records videos.

The “Top Banking Botnets of 2013” report from Dell SecureWorks shows that Shylock accounted for 7% of all banking malware last year, being topped only by Gameover Zeus, Citadel and Zeus. In September 2013, Zscaler reported that the financial Trojan was being used to target the customers of two dozen major banks. More recently, cybercriminals compromised the online magazine AskMen and used it to distribute the Trojan.

“The NCA is coordinating an international response to a cybercrime threat to businesses and individuals around the world. This phase of activity is intended to have a significant effect on the Shylock infrastructure, and demonstrates how we are using partnerships across sectors and across national boundaries to cut cybercrime,” commented Andy Archibald, deputy director of the NCA’s National Cyber Crime Unit.