Shylock banking Trojan network targeted UK users

Eastern European-based gang targeted UK banks in fraud that netted millions

The UK was the number-one target of the Shylock banking Trojan and botnet, according to analysis by security software specialist Symantec.

Key servers supporting the Shylock Trojan were taken down earlier this month in an operation led by the National Crime Agency (NCA) - but only after the criminals behind the malware had stolen several million pounds from the accounts of users whose PCs had been compromised.

By focusing on the UK, the Trojan's operators were able to update their software faster than the targeted banks could deploy countermeasures against it, according to Symantec.

Symantec says the operators picked the UK because it has a relatively small number of major banks to target and the country is relatively wealthy, so a single fraudulent transfer could net thousands of pounds.

Over the past year the Shylock malware has been delivered by five different exploit kits (Blackhole, Cool, Magnitude, Nuclear and Styx) and by spam email carrying executable attachments with double extensions such as ".pdf.exe", disguised as invoices or statements. Windows hides the final extension of a known file type by default, so such an attachment shows up in Explorer as a harmless-looking PDF.
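The attachment check a mail gateway or triage script applies against this lure, as an added example in Python that is not code from the article or from Symantec: it flags the ".pdf.exe" style double extension described above and, going beyond the article, the Unicode right-to-left-override trick that reverses the visible tail of a filename. The extension lists, the `classify_attachment` and `triage` names and the sample attachment names are all constructed for this example.

```python
# Added example (not from the article or from Symantec): a filename check of
# the kind a mail gateway or triage script applies to attachments. Extension
# lists and sample names are constructed for the example.

# Extensions Windows runs as a program when double-clicked.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Document-looking extensions that lures put in front of the real one.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}
# U+202E RIGHT-TO-LEFT OVERRIDE: "report\u202Efdp.exe" renders as "reportexe.pdf".
RLO = "\u202e"


def classify_attachment(filename: str) -> str:
    """Classify an attachment name by what it would actually do if opened.

    Returns 'deceptive_rtl_override', 'deceptive_double_extension',
    'executable', 'document' or 'other'. Windows Explorer hides the final
    extension of a known type by default, so 'invoice.pdf.exe' is shown to
    the user as 'invoice.pdf'; this looks at the real last extension, not
    the visible one.
    """
    if RLO in filename:
        return "deceptive_rtl_override"
    # Strip padding such as "statement.pdf        .exe", which pushes the
    # real extension out of view in narrow attachment lists.
    parts = [p.strip() for p in filename.lower().split(".")]
    exts = parts[1:]
    if not exts:
        return "other"
    last = exts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
            return "deceptive_double_extension"
        return "executable"
    if last in DOCUMENT_EXTENSIONS:
        return "document"
    return "other"


def triage(attachments):
    """Return {name: reason} for every attachment a gateway should hold.

    `attachments` is an iterable of (filename, subject) pairs.
    """
    held = {}
    for name, _subject in attachments:
        verdict = classify_attachment(name)
        if verdict == "executable" or verdict.startswith("deceptive_"):
            held[name] = verdict
    return held


# Constructed sample, not real mail traffic.
SAMPLE_ATTACHMENTS = [
    ("invoice_0714.pdf.exe", "Your invoice"),
    ("statement.pdf", "Account statement"),
    ("Statement.PDF        .exe", "Statement"),
    ("report\u202Efdp.exe", "Monthly report"),
    ("holiday.jpg", "Photos"),
    ("setup.exe", "Installer"),
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_ATTACHMENTS).items():
        print(f"HOLD {name!r}: {reason}")
```

The check deliberately classifies on the real last extension rather than on what the user would see, and treats any bare executable as worth holding too; a production gateway would additionally inspect the file's magic bytes, since a renamed executable carries no ".exe" at all.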

Perhaps most ominous of all is Symantec's claim that Shylock can defeat the two-factor authentication most banks use to compensate for the weakness of passwords. It does not break the second factor itself; it tricks the customer into handing over the one-time code that authorises the attacker's transfer.

"Shylock employs a technique termed automated-transaction-service (ATS) which can automatically initiate fraudulent transactions in the background," claims Symantec. "Its capabilities include:

"When a victim logs into their bank on an infected machine, their credentials are sent to the bank and the attackers. This allows the attackers to assume control of the account and initiate fraudulent transactions.

"In order to distract the user, a number of diversion tactics are used by the attackers. For example, the diversion tactic used against customers of one is a window pretending to perform additional security checks on the computer."

When the Trojan initiates a fraudulent transfer in the background, it shows the user a fake message styled as coming from their bank and then asks for the one-time security code. The code the user types in authorises the attacker's transfer, not the "security check" the fake message describes.
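The authorisation step Shylock abuses, played out in Python as an added example that is not code from the article or from Symantec: it contrasts a one-time code tied only to the login session with one computed over, and displayed beside, the payee and amount it authorises. The `LoginBoundOtp` and `TransactionBoundCode` classes, the HMAC-based code construction, the shared secret and the account labels and amounts are all constructed for this example and do not describe any particular bank's scheme.

```python
# Added example (not from the article or from Symantec): a simulation of the
# code request Shylock's fake "security check" makes, under two code schemes.
# The secret, account labels and amounts are constructed for the example.
import hashlib
import hmac

# Stand-in for the per-customer secret a bank provisions to a token or phone.
SHARED_SECRET = b"constructed-customer-secret"

# What the victim meant to do, and what the malware submits in the background.
INTENDED = {"payee": "GB00 VICTIM SAVINGS (constructed)", "amount": "50.00"}
MULE = {"payee": "GB00 MULE ACCOUNT (constructed)", "amount": "4950.00"}


def hmac_code(key: bytes, message: bytes, digits: int = 8) -> str:
    """Truncated HMAC-SHA256 rendered as a numeric code, the usual OTP shape."""
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10 ** digits:0{digits}d}"


class LoginBoundOtp:
    """Code issued per challenge and accepted for any transfer in the session.

    Payee and amount never enter the code, so whatever the customer types
    into the malware's fake 'security check' dialog authorises the transfer
    the malware actually submitted.
    """

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def challenge(self, transfer: dict) -> tuple:
        self.counter += 1
        code = hmac_code(self.secret, self.counter.to_bytes(8, "big"))
        return code, f"Your security code is {code}"  # no transfer details shown

    def verify(self, transfer: dict, code: str) -> bool:
        expected = hmac_code(self.secret, self.counter.to_bytes(8, "big"))
        return hmac.compare_digest(expected, code)  # transfer is ignored


class TransactionBoundCode:
    """Code computed over payee and amount and delivered next to them.

    A code only verifies for the exact transfer it was generated for, and the
    out-of-band message names that transfer, so a customer who reads it can
    see that the 'security check' is really a payment to a stranger.
    """

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    @staticmethod
    def _message(transfer: dict) -> bytes:
        return f"{transfer['payee']}|{transfer['amount']}".encode()

    def challenge(self, transfer: dict) -> tuple:
        code = hmac_code(self.secret, self._message(transfer))
        text = f"Code {code} authorises {transfer['amount']} to {transfer['payee']}"
        return code, text

    def verify(self, transfer: dict, code: str) -> bool:
        return hmac.compare_digest(hmac_code(self.secret, self._message(transfer)), code)


def run_ats_fraud(scheme, customer_reads_message: bool) -> str:
    """Play out the flow the article describes under a given code scheme.

    The malware submits MULE in the background, the bank sends the customer a
    code for the transfer it received, and the malware's fake 'additional
    security check' window asks the customer to type that code in.
    """
    bank = scheme(SHARED_SECRET)
    code, out_of_band_text = bank.challenge(MULE)
    if customer_reads_message and MULE["payee"] in out_of_band_text:
        return "fraud_blocked"  # the message names a payee the customer never chose
    # The customer types the code into the overlay; the malware replays it.
    return "fraud_succeeded" if bank.verify(MULE, code) else "fraud_blocked"


def intended_code_works_on_mule(scheme) -> bool:
    """Does a code the customer obtained for INTENDED authorise MULE?"""
    bank = scheme(SHARED_SECRET)
    code, _ = bank.challenge(INTENDED)
    return bank.verify(MULE, code)


if __name__ == "__main__":
    for scheme in (LoginBoundOtp, TransactionBoundCode):
        print(scheme.__name__,
              "| careful customer:", run_ats_fraud(scheme, True),
              "| careless customer:", run_ats_fraud(scheme, False),
              "| code for intended transfer replayed on mule:",
              intended_code_works_on_mule(scheme))
```

The point the simulation makes is narrow: binding the code to payee and amount stops a code obtained for one transfer from authorising another, but against an overlay that asks for "the code we just sent you" it only helps if the customer actually reads the out-of-band message, which is why the display of what is being signed matters as much as the cryptography.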

"The Shylock gang is a professional organization which appears to operate out of Eastern Europe. The platform is almost certainly developed in Russia and the developers appear to work a typical nine to five day, from Monday to Friday, indicating that this is a full-time operation. The vast majority of binary compilations occurred on weekdays.

"The gang behind Shylock continuously develop new features, react quickly to online banking countermeasures, and use advanced distribution channels to infect the end user. Shylock is without a doubt a finely tuned and profitable enterprise that has continued to grow in 2014," concluded Symantec.