
How Cyber-thieves Stole Millions of Dollars from US and EU Banks

by CISOCONNECT Bureau

Recently, researchers uncovered a massive fraud operation in which cyber-thieves drained millions of dollars from online bank accounts. Read on to know more…

IBM Trusteer reported that a hacking group is using mobile emulators to spoof banking customers’ mobile devices and steal millions of dollars from banks in the U.S. and Europe.

Recently, researchers from IBM Trusteer disclosed that they have uncovered a massive fraud operation that used a network of mobile device emulators to drain millions of dollars from online bank accounts in the U.S. and Europe in a matter of days. The scale of the operation was unlike anything the researchers have seen before. In one case, crooks used about 20 emulators to mimic more than 16,000 phones belonging to customers whose mobile bank accounts had been compromised. In a separate case, a single emulator was able to spoof more than 8,000 devices.

Although the first wave of attacks using these mobile emulators has been stopped and the banks affected by the hacking have been notified, a second wave of attempts is likely already underway, says Limor Kessem, executive security adviser with IBM Security.

Mobile Emulators
Mobile emulators, which can mimic the activities of mobile devices, typically are used by developers to test applications and features on a wide array of device types. In the case IBM examined, the attackers used 20 mobile emulators to spoof over 16,000 compromised devices.

“The attackers use these emulators to repeatedly access thousands of customer accounts and ended up stealing millions of dollars in a matter of just a few days in each case,” according to an IBM report. “After one spree, the attackers shut down the operation, wiped traces and prepared for the next attack.”

The IBM report notes that each time an emulator successfully spoofed a device and used it to compromise an account, the spoofed device was then discarded and replaced by another spoofed device and the cycle of attack started over. In some cases, the attackers made it appear to the bank that the customer was attempting to access an account from a new device, which helped further trick security protections.

IBM’s researchers found that one emulator was able to spoof over 8,000 devices in a short time. Kessem notes that obtaining access to mobile emulators is easy and inexpensive. Although it’s not clear who the attackers are, they appear well-funded and technically savvy, Kessem says.

“These uncovered emulator farms are highly sophisticated, allowing for scaled attacks and the testing and tweaking of fraud mechanisms,” says Eugene Kolodenker, staff security intelligence engineer at Lookout, which specializes in mobile security. “By using emulators, the threat actor is able to move the fraud performing actions off of the infected device to a more maliciously controlled environment.”

Modus Operandi
The thieves entered usernames and passwords into banking apps running on the emulators and initiated fraudulent money orders that siphoned funds out of the compromised accounts. Emulators are used by legitimate developers and researchers to test how apps run on a variety of different mobile devices.

To bypass protections banks use to block such attacks, the cyber-crooks used device identifiers corresponding to each compromised account holder and spoofed GPS locations the device was known to use. The device IDs were likely obtained from the holders’ hacked devices, although in some cases, the fraudsters gave the appearance that they were customers who were accessing their accounts from new phones. The attackers were also able to bypass multi-factor authentication by accessing SMS messages.
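
Because each spoofed device carried a plausible identifier and location, a per-account check can pass while one emulator still cycles through many device IDs, as the IBM report describes. The following is an added detection example, not code from IBM or this article: it counts distinct device IDs per client environment over constructed login events. The `origin` field is an assumed server-side signal that identifies the running client environment, and the window and threshold are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def find_device_cyclers(events, window=timedelta(hours=1), min_devices=5):
    """Return {origin: (distinct_devices, distinct_accounts)} for every origin
    that presented at least `min_devices` device IDs inside one time window."""
    by_origin = defaultdict(list)
    for ts, origin, device_id, account in events:
        by_origin[origin].append((ts, device_id, account))

    flagged = {}
    for origin, rows in by_origin.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the left edge so the span never exceeds `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = rows[start:end + 1]
            devices = {d for _, d, _ in in_window}
            accounts = {a for _, _, a in in_window}
            if len(devices) >= min_devices:
                # Keep the busiest window seen for this origin.
                peak = (len(devices), len(accounts))
                flagged[origin] = max(flagged.get(origin, (0, 0)), peak)
    return flagged

# Constructed sample data (hypothetical names, not taken from the report).
T0 = datetime(2020, 12, 1, 9, 0)
SAMPLE_EVENTS = (
    # One environment presenting a fresh device ID and account every 5 minutes.
    [(T0 + timedelta(minutes=5 * i), "env-A", f"dev-{i:03d}", f"acct-{i:03d}")
     for i in range(6)]
    # A customer logging in repeatedly from the same phone.
    + [(T0 + timedelta(hours=h), "env-B", "dev-900", "acct-900") for h in range(4)]
    # A household with two phones behind one environment signal.
    + [(T0, "env-C", "dev-901", "acct-901"),
       (T0 + timedelta(minutes=10), "env-C", "dev-902", "acct-902")]
)

if __name__ == "__main__":
    print(find_device_cyclers(SAMPLE_EVENTS))
```

If `origin` is only a source IP address, carrier NAT can place many genuine phones behind one value, so the threshold has to be tuned against normal traffic.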
