News

Europol takes action against Shylock banking malware

The seizure of servers and domains used by the account-emptying Trojan left it substantially disabled, but not quite dead: It still poses a threat to customers of FIs in the UK, the US and other nations.

July 10, 2014

This week, an alliance of law enforcement and industry entities took measures to disrupt the system used by the Shylock banking Trojan. Authorities seized servers that comprised the command and control system for the malware and also took control of domains Shylock used for communication between infected computers.

The operation was coordinated by the U.K. National Crime Agency and included members of Europol, the FBI, BAE Systems Applied Intelligence, Dell SecureWorks, Kaspersky Lab, and the U.K. Government Communications Headquarters.

Shylock, which was named for the moneylender in Shakespeare's "The Merchant of Venice," and whose code contains excerpts from the play, has infected at least 30,000 computers running Microsoft Windows worldwide.

Intelligence suggests that the Trojan has been most active in the U.K., though the U.S., Italy and Turkey have also been targeted hard by the malicious code. The developers are believed to be based elsewhere.

Victims typically are infected by clicking on malicious links, and then downloading the malware. Once installed, Shylock will seek to access funds held in business or personal bank accounts and transfer them to the criminal controllers. This type of operation often culminates in a cash-out at ATMs.

Though Europol actions disrupted the transmission of Shylock, they did not entirely eradicate the Trojan and future take-downs could be required. Nevertheless, Andy Archibald, deputy director of the NCA's National Cyber Crime Unit in the U.K. said:

This phase of activity is intended to have a significant effect on the Shylock infrastructure, and demonstrates how we are using partnerships across sectors and across national boundaries to cut cybercrime.