“Bad Mobile Emulator Farms” Steal Millions From US And EU Banks | GeekComparison


IBM Trusteer researchers say they uncovered a massive fraud operation that used a network of mobile device emulators to drain millions of dollars from online bank accounts within days.

The scope of the operation was unlike anything the researchers had seen before. In one case, the crooks used about 20 emulators to mimic more than 16,000 phones belonging to customers whose mobile bank accounts had been compromised. In another case, a single emulator impersonated more than 8,100 devices, as shown in the following image:

[Image: IBM Trusteer]

The thieves then entered usernames and passwords into banking apps running on the emulators and initiated fraudulent money orders that siphoned funds from the compromised accounts. Emulators themselves are legitimate tools: developers and researchers use them to test how apps behave on different mobile devices.

To get around the safeguards banks use to block such attacks, the crooks presented device IDs matching each compromised account holder's phone and spoofed GPS coordinates matching locations from which that device was known to connect. The device IDs were likely harvested from the holders' already-compromised devices, although in some cases the fraudsters instead posed as customers accessing their accounts from new phones. The attackers also defeated multi-factor authentication by obtaining the one-time codes that banks sent to victims by text message.

Automate Fraud

“This mobile fraud operation managed to automate the process of accessing accounts, initiating a transaction, receiving and stealing a second factor (SMS in this case), and in many cases using those codes to complete illegal transactions,” IBM Trusteer researchers Shachar Gritzman and Limor Kessem wrote in a post. “The data sources, scripts, and custom applications the gang created flowed together into one automated process that provided speed that allowed them to rob millions of dollars from any victim bank within days.”

Every time the crooks emptied an account, they retired the emulated device that had accessed it and replaced it with a new one. They also cycled through devices whenever one was rejected by a bank's anti-fraud system. Over time, IBM Trusteer saw the operators run several attack waves: after one ended, they shut the operation down, erased data traces, and started a new one.

The researchers believe the bank accounts were compromised through malware or phishing. The IBM Trusteer report does not explain how the crooks obtained the text messages and device IDs. The targeted banks were located in the US and Europe.

To monitor progress in real time, the crooks intercepted the traffic between the emulated devices and the banks' application servers. They also kept logs and screenshots to track the operation over time. As it progressed, the investigators saw the techniques evolve as the crooks learned from earlier mistakes.
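Because each emulated phone presents the victim's own device ID and a plausible GPS location, per-account checks on those fields pass; what stands out is the farm's aggregate behaviour described above: disposable devices, each used for a single account, moving money out minutes after their first login, and many of them sharing the same egress. The following Python script, an added example that is not from the IBM Trusteer report or from any bank's anti-fraud system, runs that heuristic over a constructed event log. The log schema, the 15-minute window and the three-device threshold are assumptions for illustration.

```python
"""Heuristic detection of emulator-farm account takeover (added example).

Assumes a constructed event log of (ts, event, account, device_id, src_net, geo)
tuples; real telemetry would carry more fields, and the thresholds below are
hypothetical starting points, not tuned values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The 'geo' column is deliberately consistent per
# account (the farm spoofs it), so it is carried but not used by the checks.
SAMPLE_EVENTS = [
    # Legitimate customer: same device for weeks, no transfer right after login.
    ("2020-12-01T08:00:00", "login",    "acct-1001", "dev-A1", "198.51.100.0/24", "Boston"),
    ("2020-12-01T08:05:00", "balance",  "acct-1001", "dev-A1", "198.51.100.0/24", "Boston"),
    ("2020-12-10T19:00:00", "login",    "acct-1001", "dev-A1", "198.51.100.0/24", "Boston"),
    # Farm: a burst of never-before-seen devices from one source network, each
    # tied to exactly one account and moving money out minutes after first login.
    ("2020-12-12T02:00:00", "login",    "acct-2001", "dev-F1", "203.0.113.0/24", "Denver"),
    ("2020-12-12T02:03:00", "transfer", "acct-2001", "dev-F1", "203.0.113.0/24", "Denver"),
    ("2020-12-12T02:04:00", "login",    "acct-2002", "dev-F2", "203.0.113.0/24", "Austin"),
    ("2020-12-12T02:07:00", "transfer", "acct-2002", "dev-F2", "203.0.113.0/24", "Austin"),
    ("2020-12-12T02:08:00", "login",    "acct-2003", "dev-F3", "203.0.113.0/24", "Miami"),
    ("2020-12-12T02:11:00", "transfer", "acct-2003", "dev-F3", "203.0.113.0/24", "Miami"),
    ("2020-12-12T02:12:00", "login",    "acct-2004", "dev-F4", "203.0.113.0/24", "Seattle"),
    ("2020-12-12T02:16:00", "transfer", "acct-2004", "dev-F4", "203.0.113.0/24", "Seattle"),
    # Genuine new phone: first login followed by an immediate transfer, but alone
    # on its network, so it should not be flagged at the network level.
    ("2020-12-12T09:00:00", "login",    "acct-3001", "dev-N1", "192.0.2.0/24", "Chicago"),
    ("2020-12-12T09:02:00", "transfer", "acct-3001", "dev-N1", "192.0.2.0/24", "Chicago"),
]


def parse_events(rows):
    """Convert raw tuples into dicts with a datetime timestamp, sorted by time."""
    events = []
    for ts, event, account, device_id, src_net, geo in rows:
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event": event,
            "account": account,
            "device_id": device_id,
            "src_net": src_net,
            "geo": geo,
        })
    return sorted(events, key=lambda e: e["ts"])


def single_use_fast_transfer_devices(events, window=timedelta(minutes=15)):
    """Return device IDs that touched exactly one account and moved money out
    within `window` of their first login: the profile of one disposable
    emulated phone. A lone hit is weak evidence; see flag_source_networks."""
    first_login = {}
    accounts = defaultdict(set)
    hits = set()
    for e in events:
        dev = e["device_id"]
        accounts[dev].add(e["account"])
        if e["event"] == "login" and dev not in first_login:
            first_login[dev] = e["ts"]
        elif e["event"] == "transfer" and dev in first_login:
            if e["ts"] - first_login[dev] <= window:
                hits.add(dev)
    return sorted(d for d in hits if len(accounts[d]) == 1)


def flag_source_networks(events, window=timedelta(minutes=15), min_devices=3):
    """Group suspicious devices by source network and flag networks driving at
    least `min_devices` of them. A farm pushes many single-use devices through
    the same egress; a real customer on a new phone shows up alone."""
    suspicious = set(single_use_fast_transfer_devices(events, window))
    by_net = defaultdict(set)
    for e in events:
        if e["device_id"] in suspicious:
            by_net[e["src_net"]].add(e["device_id"])
    return {net: sorted(devs) for net, devs in by_net.items()
            if len(devs) >= min_devices}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("single-use fast-transfer devices:", single_use_fast_transfer_devices(evs))
    print("flagged source networks:", flag_source_networks(evs))
```

The device-level check alone also catches the honest customer on a new phone (dev-N1), which is why the decision is taken at the network level; in production the grouping key would more likely be a fingerprint of the emulator host or TLS client than a CIDR, and the counts would feed a risk score rather than a hard block.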

The operation reinforces the usual advice: use strong, unique passwords, learn to recognize phishing, and keep devices free of malware. It would help if banks offered multi-factor authentication through something other than SMS, such as an authenticator app or a hardware token, but few financial institutions do. Customers should also review their bank statements at least once a month for fraudulent transactions.
