A strain of financial banking Trojans which runs browser-based man-in-the-middle (MITM) attacks has reared its ugly head once again. Trojan.Shylock is sophisticated malware which utilizes fake digital certificates and intercepts network traffic to inject code into banking websites. It tricks users into providing login and account details to cybercriminals. Recently, it has developed new tricks to steal user information.
The numbers being used by the attacker are easy to create online and are disposable. When we attempted to call an injected fake telephone number, we were told the number had changed and we needed to call 08444101010 instead. We attempted to call this new number several times, but it rang without answer. While the exact motive of the attackers is not clear, we speculate that it is either an attempt to extract sensitive login credentials from victims during a telephone conversation or an attempt to block victims from notifying their bank of a problem with their account, giving the attackers more time to perform activities.
The following code is an example of raw HTML contained within the configuration file and injected into bank websites:
As can be seen in the above injected code, the attackers attempt to mislead the victim into contacting them with any queries related to their banking account.
Based on the collected configuration information, we know that Trojan.Shylock is specifically targeting UK online banking websites. In addition, Symantec’s telemetry for this malware also supports these findings as shown in this detection heat map for Trojan.Shylock:
To ensure the best protection, we recommend you use the latest Symantec Technologies and up-to-date antivirus definitions.
Leave a reply