Law enforcement agencies and cybersecurity firms have teamed up in an operation aimed at Shylock, a widely distributed piece of malware used by cybercriminals to steal banking credentials.

The United Kingdom’s National Crime Agency (NCA), the Government Communications Headquarters (GCHQ), the German Federal Police (BKA), the FBI, Europol, Kaspersky Lab, Dell SecureWorks, and BAE Systems Applied Intelligence took part in the operation in which they seized command and control (C&C) servers and domains used by Shylock.

Takedown Bonus: APT Attackers Hurt
Microsoft Seizes Domain Names
London Teen Charged in DDoS Attacks
UT Woman Facing Embezzlement Charges

On Tuesday and Wednesday, the European Cybercrime Centre (EC3) at Europol coordinated the efforts of law enforcement agencies in the UK, the U.S., Italy, the Netherlands, Turkey, Germany, France and Poland. During the operation, several previously unknown components of the Shylock infrastructure ended up identified and taken down, Europol said.

“The European Cybercrime Centre (EC3) is very happy about this operation against sophisticated malware, playing a crucial role in the work to take down the criminal infrastructure. EC3 has provided a unique platform and operational rooms equipped with state-of-the-art technical infrastructure and secure communication means, as well as cyber analysts and cyber experts,” said Troels Oerting, the head of the EC3.

Schneider Bold

“It has been a pleasure for me to see the international cooperation between police officers and prosecutors from many countries, and we have again tested our improved ability to rapidly react to cyber threats in or outside the EU. It’s another step in the right direction for law enforcement and prosecutors in the EU and I thank all involved for their huge commitment and dedication. A specific thanks goes to Kaspersky Lab who have contributed significantly to the successful outcome of the operation — and our cooperation continues to grow in this and future cases,” Oerting added.

“Banking fraud campaigns are no longer one-off cases. We’ve seen a significant rise in these kinds of malicious operations,” said Sergey Golovanov, principal security researcher at Kaspersky Lab, which assisted in the takedown. “Just in 2013 the number of cyberattacks involving malware designed to steal financial data increased by 27.6 percent to reach 28.4 million.”

Shylock, also known as Caphaw, has been around since 2011 and it infected at least 30,000 computers, according to Europol. Most of the victims are in the United Kingdom, but infections are also in Turkey, Italy, the United States and Denmark.

Cybercriminals usually distribute the Trojan using spam campaigns and drive-by download attacks. After infecting a device, the threat hooks into Web browser processes and monitors the victim’s activity. When a victim visits a targeted financial website, Shylock injects JavaScript and HTML code into webpages to trick users into handing over their personal details to the attackers. The Trojan can also capture screenshots and records videos.

The “Top Banking Botnets of 2013” report from Dell SecureWorks showed Shylock accounted for 7 percent of all banking malware last year, being topped only by Gameover Zeus, Citadel and Zeus. In September 2013, Zscaler said the financial Trojan targeted the customers of two dozen major banks. More recently, cybercriminals compromised the online magazine AskMen and used it to distribute the Trojan.

“The NCA is coordinating an international response to a cybercrime threat to businesses and individuals around the world. This phase of activity is intended to have a significant effect on the Shylock infrastructure, and demonstrates how we are using partnerships across sectors and across national boundaries to cut cybercrime,” said Andy Archibald, deputy director of the NCA’s National Cyber Crime Unit.

Pin It on Pinterest

Share This