Kaspersky Lab contributes to global effort targeting Shylock malware

Kaspersky Lab has contributed to an alliance of law enforcement and industry to undertake measures against the internet domains and servers that form the core of an advanced cybercriminal infrastructure attacking online banking systems around the globe using the Shylock Trojan.

On 8 and 9 July 2014, law enforcement agencies took action to disrupt the system that Shylock depends on to operate effectively. This comprised the seizure of servers that form the command and control system for the Trojan, as well as taking control of the domains Shylock uses for communication between infected computers.

The operation, coordinated by the UK’s National Crime Agency (NCA), brought together partners from the law enforcement and private sectors, including – besides Kaspersky Lab – Europol, the FBI, BAE Systems Applied Intelligence, Dell SecureWorks and the UK’s GCHQ (Government Communications Headquarters) to jointly combat the threat.

Investigative actions were undertaken from the operational centre at the European Cybercrime Centre (EC3) at Europol in The Hague. Investigators from the UK (NCA), USA (FBI), Italy, the Netherlands and Turkey joined forces to coordinate the operation in their respective countries, in concert with counterparts in Germany, France and Poland. Coordination through Europol was instrumental in taking down the servers that form the core of the botnets, malware and Shylock infrastructure. The CERT-EU (EU Computer Emergency Response Team) participated in the take down and distributed information on the malicious domains to its peers.

During the concerted action several previously unknown parts of the infrastructure were discovered, allowing follow-up actions to be initiated immediately and coordinated from the operational centre in The Hague.

Shylock – so-called because its code contains excerpts from Shakespeare’s The Merchant of Venice – has infected at least 30,000 computers running Microsoft Windows worldwide. Intelligence suggests that Shylock targets the UK more than any other country; however, the US, Italy and Turkey are also being targeted by the malicious code. It’s thought that the suspected developers are based elsewhere.

Victims are typically infected by clicking on malicious links, and then persuaded to download and run the malware without their knowing. Shylock then seeks to access funds held in business or personal bank accounts, and transfer them to the criminal controllers.

Troels Oerting, head of EC3 at Europol, said:

“The European Cybercrime Centre (EC3) is very happy with this operation against sophisticated malware, playing a crucial role in the work to take down the criminal infrastructure. EC3 has provided a unique platform and operational rooms equipped with state-of-the-art technical infrastructure and secure communication means, as well as cyber-analysts and cyber-experts.

“In this way we’ve been able to support frontline cyber investigators, coordinated by the UK’s NCA, and working with a physical presence of the United States’ FBI and colleagues from Italy, Turkey and the Netherlands, with virtual links to cyber-units in Germany, France and Poland.

“It has been a pleasure for me to see international cooperation between police officers and prosecutors from many countries, and we have again tested our improved ability to rapidly react to cyberthreats in or outside the EU. It’s another step in the right direction for law enforcement and prosecutors in the EU and I thank all involved for their huge commitment and dedication. A specific thank you goes to Kaspersky Lab, which has contributed significantly to the successful outcome of the operation – and our cooperation continues to grow in this and future cases.”

Andy Archibald, Deputy Director of the NCA’s National Cyber Crime Unit in the UK, said:

“The NCA is taking the lead in addressing a cybercrime threat to businesses and individuals around the world. This phase of activity is intended to have a significant effect on the Shylock infrastructure, and demonstrates how we are using partnerships across sectors and across national boundaries to cut cybercrime”.

Sergey Golovanov, Principal Security Researcher at Kaspersky Lab, who provided the threat intelligence service and tracked the malware activity within the global operation, commented:

“Banking fraud campaigns are no longer one-off cases. We’ve seen a significant rise in these kinds of malicious operations. Just in 2013 the number of cyberattacks involving malware designed to steal financial data increased by 27.6% to reach 28.4 million. To fight cybercrime, we provide threat intelligence to law enforcement agencies all over the world and cooperate with international organizations such as Europol. Global action brings positive results – an example being the operation targeting Shylock malware.”

Those opting for automated operating system updates – which can ensure computers infected with malware such as Shylock are cleaned automatically following a system restart – need take no action at this time. Those not opting for automatic updates, or who would like to learn more about how to check their Windows-based computers and remove infections, can go to http://support.microsoft.com/gp/cu_sc_virsec_master.

Advice on internet security can be found at Cyber Streetwise and Get Safe Online.

Shylock FAQ

1. What is Shylock

Shylock is a banking Trojan first discovered in 2011. It utilizes man-in-the-browser attacks designed to pilfer banking login credentials from the PC’s of clients of a predetermined list of target organizations. Most of these organizations are banks located in different countries.

2. How do I found out if I’m infected or not?

The best way to check if your computer was infected with Shylock malware or not is to use anti-malware scanning tools that are widely available on the Internet.

3. How to protect against Shylock

In order to protect against Shylock and other banking malware, Kaspersky Lab recommends the following security rules:

• Don’t open email attachments or hyperlinks you receive from an unknown sender. They could contain malware.
• Even if you receive a message with a link or attachment from a friend in a social network or messenger, try to verify the legitimacy of the message via alternative communication channels. Unfortunately, hacked social networks and messengers accounts are often used to spread malware.
• When receiving an email or SMS from your bank, keep in mind that banks never ask to provide them with pin codes or passwords from accounts. It is also useful to remember that banks always use corporate mail domains for customer mailings and never use publicly available email services.
• Try to avoid phishing websites: check whether a site uses a secure connection (https in the beginning of address bar);
• Avoid entering your sensitive data while using a public Wi-Fi network
• Use a reliable security solution

Kaspersky Lab products detect Shylock malware as Backdoor.Win32.Caphaw and Trojan-Spy.Win32.Shylock. In general, Kaspersky Lab recommends using proven security solutions while making payments online. Kaspersky Internet Security Multi-Device, Kaspersky Pure 3.0 and Kaspersky Small Office Security products are equipped with Safe Money – a special technology that reliably protects user data during online banking or payment sessions.