Merchant of Malice: Trojan.Shylock Injects Phone Numbers into Online Banking Websites

Contributor: Peter Coogan

A strain of banking Trojan that runs browser-based man-in-the-middle (MITM) attacks has reared its ugly head once again. Trojan.Shylock is sophisticated malware that uses fake digital certificates and intercepts network traffic to inject code into banking websites. It tricks users into providing login and account details to cybercriminals. Recently, it has developed new tricks to steal user information.

Back in February, Trusteer published a blog stating that Trojan.Shylock had been observed injecting JavaScript which displayed a web-based chat screen to unsuspecting victims. The hackers controlled the chat screen and proceeded to query the victim for login credentials or other information required to gain access to their financial accounts.

Symantec has now observed another strain of Trojan.Shylock that includes updated configuration information. This configuration file is used to inject JavaScript containing the attacker’s telephone details into the contact pages of online banking websites. If users encounter an error or become suspicious, the attackers hope they will attempt to contact the bank using the fake contact numbers instead of the real ones.

The numbers being used by the attacker are easy to create online and are disposable. When we attempted to call an injected fake telephone number, we were told the number had changed and we needed to call 08444101010 instead. We attempted to call this new number several times, but it rang without answer. While the exact motive of the attackers is not clear, we speculate that it is either an attempt to extract sensitive login credentials from victims during a telephone conversation or an attempt to block victims from notifying their bank of a problem with their account, giving the attackers more time to perform activities.

The following code is an example of raw HTML contained within the configuration file and injected into bank websites:

As can be seen in the above injected code, the attackers attempt to mislead the victim into contacting them with any queries related to their banking account.
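
One way a bank could check its own contact page for the injected telephone numbers described above, as an added example that is not code from Symantec or from the malware's configuration: it extracts UK-format numbers from the rendered markup and reports any that are not on the bank's published list. The allowlist, the page markup and every phone number below are constructed for illustration.

```javascript
// Added example, not Symantec's code. All phone numbers are constructed
// (Ofcom reserved drama ranges); PUBLISHED_NUMBERS is a hypothetical allowlist.
const PUBLISHED_NUMBERS = ['0808 157 0123', '+44 20 7946 0321'];

// Reduce a UK number in any common notation to national digits ("02079460321").
function normalizeUkNumber(raw) {
  let digits = raw.replace(/\(0\)/g, '').replace(/\D/g, '');
  if (digits.startsWith('0044')) digits = '0' + digits.slice(4);
  else if (digits.startsWith('44')) digits = '0' + digits.slice(2);
  return digits;
}

// Return every UK-style number in the rendered markup that is not published.
// In a browser, pass document.documentElement.outerHTML after the page loads.
function findUnpublishedNumbers(html, published) {
  const allowed = new Set(published.map(normalizeUkNumber));
  // Tags become newlines so numbers in adjacent elements cannot merge.
  const text = html.replace(/<[^>]*>/g, '\n');
  const candidates = text.match(/(?:\+|00)?\(?\d[\d ().-]{8,18}\d/g) || [];
  const unknown = new Set();
  for (const candidate of candidates) {
    const national = normalizeUkNumber(candidate);
    // UK national numbers are 10 or 11 digits including the leading 0.
    if (/^0\d{9,10}$/.test(national) && !allowed.has(national)) {
      unknown.add(national);
    }
  }
  return [...unknown];
}

// Constructed contact page as the bank serves it.
const CLEAN_PAGE = `<div id="contact">
  <p>Call us on 0808 157 0123</p>
  <p>From abroad: +44 (0)20 7946 0321</p>
</div>`;

// Constructed copy after a web inject swapped one number and added another line.
const TAMPERED_PAGE = `<div id="contact">
  <p>Call us on 01632 960 555</p>
  <p>From abroad: +44 (0)20 7946 0321</p>
  <p>Problems logging in? Call (01632) 960777</p>
</div>`;

console.log(findUnpublishedNumbers(CLEAN_PAGE, PUBLISHED_NUMBERS));
console.log(findUnpublishedNumbers(TAMPERED_PAGE, PUBLISHED_NUMBERS));
```

A check that runs inside an infected browser can itself be altered by the malware, so results should be reported to the server and a clean result treated as weak evidence only.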

Based on the collected configuration information, we know that Trojan.Shylock is specifically targeting UK online banking websites. Symantec’s telemetry for this malware also supports these findings, as shown in this detection heat map for Trojan.Shylock:

To ensure the best protection, we recommend you use the latest Symantec Technologies and up-to-date antivirus definitions.