Banking Botnet Gang Shows How Cyber-criminals Specialize for Profit

The takedown has disrupted the botnet, but Shylock's development shows that online thieves can profitably narrow their focus on smaller markets.

A concerted takedown effort led by the United Kingdom's National Crime Agency has disrupted the Shylock botnet, taking down key servers on July 8 and 9.

While the takedown will likely hobble their efforts, the Shylock group's success shows that smaller botnets can still be very profitable, according to security researchers.

The cyber-criminals behind the Shylock botnet focused on infecting users in the United Kingdom and staying abreast of countermeasures implemented by banks, which allowed them to steal millions of dollars, security firm Symantec stated in an analysis of the malware and the group behind it.

The tactics allowed the botnet operators to evolve faster than defenders' efforts to block the online thievery, Kevin Haley, director of Symantec's Security Response group, told eWEEK.

"These guys decided that they are going to really specialize," he said. "They picked a country with a small number of banks, so they could focus on what goes on at those banks, yet [where] the customers were likely to have a good amount of money in their accounts to make it financially worthwhile."

Shylock represents a fairly sophisticated piece of malware, controlling a victim's computer to eavesdrop and modify transaction as a "man in the browser." The botnet—named because its code includes couplets from Shakespeare's The Merchant of Venice—infected some 30,000 Windows computers worldwide.

"Attackers gain control of the victim's browser by exploiting security vulnerabilities to modify the web pages displayed to the victim," Symantec stated in its analysis. "Shylock is also capable of defeating two-factor authentication security mechanisms employed as counter measures at some of these banks."

The Shylock program stole information about banking customers' accounts and balances, could surreptitiously conduct and hide fraudulent transactions, and modified account information in the victim's browser to make theft harder to detect.

Yet, the real sophistication is in the group behind the malware, who were able to not only target their attacks on a specific country, but create convincing lures to fool banking customers. While cyber-criminals have specialized in different parts of the criminal ecosystem—such as creating tools, managing botnets or focusing on extortion—this represents a further refining of their focus, Haley said.

"The more evolved gangs are going to look to specialize in specific geographical areas or technical areas to this extent, because it is going to make them even more successful," he said.

The takedown efforts were coordinated by the operations center at Europol's European Cybercrime Center (EC3) in The Hague. Along with the United Kingdom's National Crime Agency, the U.S. Federal Bureau of Investigation and law enforcement agencies from France, Germany, Italy, the Netherlands, Poland and Turkey took part in the international anti-botnet effort, according to a Europol announcement of the takedown.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...