A notorious strain of banking malware, known as Caphaw - or Shylock, due to snippets of Shakespeare’s Merchant of Venice embedded in its code - has seen its command and control servers shut down in a major international police operation involving law enforcement from eight countries.
The British National Crime Agency (NCA) claims that the malware infected 10,000 PCs in Britain alone, and 30,000 worldwide, with victims in America among other countries.
ESET has tracked the banking malware since 2011, and ESET researchers have followed it closely since February 2013. In a detailed blog post, ESET researchers write, “Win32/Caphaw is an interesting financial malware family: one of the few that has autoload functionality for automatically stealing money when the user is actively accessing his banking account. An infected user can’t recognize that his money is being stolen, because he sees fake data on the banking web page based on the webinjects’ rules. (Autoloads bypass one-time password security checks.)”
Banking malware hits 30,000 users
ESET’s Virus Radar shows territories most affected by the banking malware. Britain’s NCA said in a statement that while the gang behind it is not thought to be British, the banking malware appeared to target British banks in particular, hence the NCA coordinated an international effort from the European Cybercrime Centre at Europol in the Hague.
“Victims are typically infected by clicking on malicious links, and then being convinced to download and run the malware. Shylock will then seek to access funds held in business or personal accounts, and transfer them to the criminal controllers,” the NCA said.
"The NCA is co-ordinating an international response to a cybercrime threat to businesses and individuals around the world," Andy Archibald, deputy director at the NCA's National Cyber Crime Unit said in an interview with The Guardian.
"This phase of activity is intended to have a significant effect on the Shylock infrastructure and demonstrates how we are using partnerships across sectors and across national boundaries to cut cybercrime impacting the UK."
Shylock banking malware - what to do
The NCA advises users worried about the banking malware to ensure their security software is up to date.
It says in a statement, “The latest operating system update will result in the removal of Shylock infections in machines which have been set to automatically update Windows.
Computer users opting for automated operating system updates - which can ensure computers infected with malware such as Shylock are cleaned automatically - need take no action at this time. Those not opting for automatic updates, or who would like to learn more about how to check their Windows-operated computers and remove infection, can go to: http://support.microsoft.com/gp/cu_sc_virsec_master.”
ESET offers tips on how to spot and avoid banking malware and scams alongside the latest updated banking malware news from ESET researchers.