14 DAY TRIAL // The group behind the Shylock/Caphaw banking Trojan showed their business prowess for the full duration of the operation, by carefully selecting their market, protecting the asset from authorities through detection evasion tactics, and optimizing it for a higher rate of success.
This week, the U.K. National Crime Agency coordinated an international effort to take control of the domains used for communication with the machines infected by the banking malware. Among the partners in the operation are both law enforcement organizations and security companies in the private sector.
According to Symantec, the cybercriminal gang was organized with professional discipline, as they believe that the developers had a typical nine to five work schedule, from Monday to Friday.
This conclusion was also supported by evidence that most binary compilations occurred on weekdays.
By observing the activity of the malware, which started as early as July 2011, the security researchers managed to create a profile of the group running it.
The cybercriminals are believed to be located in Russia or Eastern Europe and they focused on the financial institutions in the U.K., which, besides having a large online banking customer base, also has numerous wealthy citizens.
“Symantec estimates that the gang behind Shylock has stolen several million dollars from victims over the past three years and over 60,000 infections were detected in the past year,” says a blog post from the company.
Over its lifecycle, Shylock went through numerous modifications that allowed it to continue its activity and bypass the security measures taken against it.
Also, thanks to its modular design, the malware developers were able to modify its functionality, as well as increase its complexity.
One of the most important aspects is the fact that the cybercrime gang did not share the malicious tool with others and kept it under their control at all time. As such, with no code leaked on underground forums, they were able to maintain a low-profile and keep the spoils to themselves.
Symantec notes that they started low and perfected the malware in time, to the point that the advanced man-in-the-browser technique was implemented for performing fraudulent transactions.
“Attackers gain control of the victim’s browser by exploiting security vulnerabilities to modify the web pages displayed to the victim. Shylock is also capable of defeating two-factor authentication security mechanisms employed as counter measures at some of these banks,” says Symantec.
Another technique used by Shylock is automated-transaction-service (ATS); this is designed to run transactions in the background when the user is logged in, and lure them through social engineering techniques to authorize the fraudulent activity.
By logging into the online bank account from a Shylock-infected machine, the credentials are sent both to the bank and to the cybercriminals.
The attackers assume control of the account, but if a second authorization is required for transferring funds, such as that with a physical token, they cannot steal the money.
One social engineering tactic is to pop-up a dialog informing the user that security checks need to be performed to ensure the safety of online banking access. At the end of the process, the victim is prompted to enter the authorization code, an action also purported to be part of the verification process.
However, the crooks have already set up the fraudulent transaction and the code is all they need to execute it.
By Symantec telemetry, most Shylock infections have been detected in the United Kingdom (30%), followed by the U.S. (16%), Italy (11%) and Brazil (7%). It is delivered through exploit kits (researchers detected the use of Blackhole, Cool, Magnitude, Nuclear Pack, and Styx in the past year), but spam is also an attack vector, with messages carrying items posing as important PDF files, while they are actually executables.
Users are advised to run the latest Windows updates in order to prevent Shylock from slipping in or eliminate it if the system is already infected.