Like most profitable criminal enterprises, the Shylock banking malware thrived because it was supported by a nimble infrastructure that allowed it to stay one step ahead of network and security monitoring capabilities, and the authorities.
That race ended this week. Europol announced today that it, along with numerous law enforcement and industry partners had carried out a successful takedown of the Shylock infrastructure. The two-day culmination of the operation took place on Tuesday and Wednesday and was coordinated by the U.K.’s National Crime Agency and supported by Europol, the FBI, GCHQ in the U.K., and industry companies including Kaspersky Lab, BAE Systems Applied Intelligence and Dell SecureWorks.
“Law enforcement agencies took action to disrupt the system which Shylock depends on to operate effectively,” Europol said in a statement. “This comprised the seizure of servers which form the command and control system for the Trojan, as well as taking control of the domains Shylock uses for communication between infected computers.”
Few details were provided on the location of the command and control infrastructure, but Europol said it coordinated investigative actions with cooperation from authorities in Italy, the Netherlands, Turkey, Germany, France and Poland. CERT-EU, Europol said, was also instrumental in providing data on the malicious domains used by Shylock.
No arrests were announced, though Europol said that previously unknown parts of the Shylock infrastructure were uncovered and additional law enforcement action may be upcoming.
“It has been a pleasure for me to see the international cooperation between police officers and prosecutors from many countries, and we have again tested our improved ability to rapidly react to cyber threats in or outside the EU,” Troels Oerting, head of the European Cybercrime Center at Europol. “It’s another step in the right direction for law enforcement and prosecutors in the EU and I thank all involved for their huge commitment and dedication.”
Major takedowns of botnets and other cybercrime operations are quickly becoming commonplace. Though usually not a permanent solution, takedowns such as this one and the recent Gameover Zeus takedown, which also impacted the Cryptolocker infrastructure, indicate improving cooperation between international law enforcement.
“The NCA is coordinating an international response to a cybercrime threat to businesses and individuals around the world,” said Andy Archibald, Deputy Director of the NCA’s National Cyber Crime Unit in the U.K. “This phase of activity is intended to have a significant effect on the Shylock infrastructure, and demonstrates how we are using partnerships across sectors and across national boundaries to cut cybercrime.”
Shylock, like Zeus, targeted banking credentials. Victims were usually tricked or lured into clicking on a malicious link that infected computers with the Trojan. Shylock surfaced in 2011 and at first was limited to the U.K., but quickly expanded into a global operations concentrating on victims in Europe and the United States. Online banking customers were victimized by Shylock’s man-in-the-browser style attacks against a predetermined list of as many as 60 banks. The Trojan would sniff out banking credentials and loot accounts.
“Banking fraud campaigns are no longer one-off cases. We’ve seen a significant rise in these kinds of malicious operations,” said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab. “To fight cybercrime, we provide threat intelligence to law enforcement agencies all over the world and cooperate with international organizations such as Europol. Global action brings positive results – an example being the operation targeting Shylock malware.”
Golovanov said in 2013 the number of cyberattacks involving malware designed to steal financial data increased by 27.6 percent to reach 28.4 million.
The attackers behind Shylock were also careful to hide its tracks. Like other similar malware, such as versions of PushDo, Zeus and TDL/TDSS, Shylock made good use of a domain generation algorithm to send stolen data back to the attackers. The DGA feature sidestepped detection and research efforts effectively, experts said.
One version of Shylock that surfaced in January 2013 was capable of spreading through Skype, in addition to network shares and even removable USB drives. Ultimately, Shylock could also steal browser cookies, use web injects on infected browsers and download and execute files on compromised machines.
This article was updated at 12:15 p.m. ET with comments from Kaspersky Lab.