The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).

The information provided was classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.


Shylock refers to a family of malware that relies on browser-based man-in-the-middle (MITM) attacks and fake digital certificates to intercept network traffic and inject code into banking websites.

The Shylock malware code is designed to trick customers into providing banking login and account details to hackers instead of to the bank’s customer service department. Some Shylock strains even have the ability to open a fake customer service chat window on an infected computer to enable cybercriminals to prompt the user for their sensitive account information.

This malware is capable of using advanced “Man-in-the-Browser” (MITB) techniques to steal a victim’s credentials and perform fraudulent transactions. Attackers gain control of the victim’s browser by exploiting security vulnerabilities to modify the web pages displayed to the victim. Shylock is also capable of defeating two-factor authentication security mechanisms employed as counter measures at some of these banks.

When a victim logs into their bank on an infected machine, their credentials are sent to the bank and the attackers. This allows the attackers to assume control of the account and initiate fraudulent transactions. In order to distract the user, a number of diversion tactics are used by the attackers. For example, the diversion tactic used against customers of one is a window pretending to perform additional security checks on the computer.

Once the attackers have successfully executed a transaction, they are capable of further socially engineering the user into providing additional transaction authorizations. Alternatively, Shylock can display a notification which will prevent the user from using their online banking as a delaying tactic to prevent them from noticing any suspicious activity.

More advanced than other banking Trojans, Shylock has a targeted distribution network that allows the cyberattackers to infect victims through multiple channels, and the Trojan has been continuously updated in response to countermeasures set by targeted banks. In addition, the malware is modular, allowing criminals to change its functionality quickly and easily.

To avoid this, netizens should be cautious in visiting web pages with malicious code, for this will disallow the attacker to compromise through the infected system. It is best to install security software with warning signals for the detection of malicious software


       All PNP personnel as well as the public are advised to follow the tips in order to avoid the risk of shylock malware attack, to wit:

  • Always update the anti-virus software installed in your computer and conduct regular full scanning at least once a week;
  • Do not open e-mail attachments or hyperlinks you receive from an unknown sender or they could contain malware;
  • Avoid entering your sensitive data while using a public Wi-Fi network;
  • Try to avoid phishing websites: check whether a site uses a secure connection (https in the beginning of address bar); and
  • Even if you receive a message with a link or attachment from a friend in a social network or messenger, try to verify the legitimacy of the message via alternative communication channels. Unfortunately, hacked social networks and messengers accounts are often used to spread malware.

For additional information, please refer to the following websites:



            Please contact PCINSP ANGELICA STARLIGHT L. RIVERA, Chief, Personnel Records Management Section thru e-mail address This email address is being protected from spambots. You need JavaScript enabled to view it. or contact us on telephone number (632) 7230401 local 3562 for any inquiries related to this CYBER SECURITY BULLETIN.