A massive fraud operation has stolen millions of online bank accounts

IBM researchers said they discovered a massive fraud operation that used a network of mobile device emulators to drain millions of dollars from online bank accounts in a matter of days.

The scale of the operation did not resemble anything the researchers had seen before. In one case, the scammers used about 20 emulators to mimic more than 16,000 phones belonging to customers whose mobile bank accounts were compromised. In a separate case, a single emulator spoofed more than 8,100 devices.

The thieves then entered usernames and passwords into banking applications running on the emulators and initiated fraudulent transactions that withdrew funds from the compromised accounts. Emulators are used by legitimate developers and researchers to test how applications behave on a variety of different mobile devices.

To circumvent the protections that banks use to block such attacks, the scammers used device identifiers matching each compromised account holder and spoofed the GPS locations each device was known to use. The device IDs were probably obtained from the owners’ compromised devices, although in some cases the fraudsters gave the impression that they were customers accessing their accounts from new phones. The attackers were also able to bypass multi-factor authentication by gaining access to SMS messages.

Fraud automation

“This mobile fraud operation has managed to automate the process of accessing accounts, initiating a transaction, receiving and stealing a second factor (SMS in this case) and, in many cases, using those codes to complete illicit transactions,” IBM Trusteer researchers Shachar Gritzman and Limor Kessem wrote in a post. “The data sources, scripts and custom applications created by the gang went through a single automated process that allowed them the speed to rob millions of dollars from each victimized bank in a matter of days.”

Each time the scammers successfully drained an account, they would retire the spoofed device that had accessed it and replace it with a new one. The attackers also cycled through devices when one was rejected by a bank’s anti-fraud system. Over time, IBM Trusteer saw the operators launch distinct attack waves. Once one was over, the attackers would shut the operation down, delete the data traces and start a new one.
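As an added illustration (not part of the original story or IBM Trusteer's tooling), two detection heuristics a bank's fraud team could run over login and transaction telemetry to surface the pattern described above: a single network source presenting many distinct device IDs across many accounts, and a never-before-seen device that logs in, clears SMS OTP and moves money within minutes. The event fields, sample data and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real bank telemetry: one genuine customer
# (acct-001) and one source that rotates device IDs across three accounts,
# completing login -> SMS OTP -> transfer on each within about a minute.
EVENTS = [  # (timestamp, account, device_id, source, action)
    ("2020-12-01T09:00:00", "acct-001", "dev-A1", "src-home", "login"),
    ("2020-12-01T09:00:40", "acct-001", "dev-A1", "src-home", "otp_ok"),
    ("2020-12-02T12:15:00", "acct-001", "dev-A1", "src-home", "transfer"),
    ("2020-12-03T02:00:00", "acct-101", "dev-F1", "src-farm", "login"),
    ("2020-12-03T02:00:25", "acct-101", "dev-F1", "src-farm", "otp_ok"),
    ("2020-12-03T02:01:10", "acct-101", "dev-F1", "src-farm", "transfer"),
    ("2020-12-03T02:03:00", "acct-102", "dev-F2", "src-farm", "login"),
    ("2020-12-03T02:03:20", "acct-102", "dev-F2", "src-farm", "otp_ok"),
    ("2020-12-03T02:04:05", "acct-102", "dev-F2", "src-farm", "transfer"),
    ("2020-12-03T02:06:00", "acct-103", "dev-F3", "src-farm", "login"),
    ("2020-12-03T02:06:30", "acct-103", "dev-F3", "src-farm", "otp_ok"),
    ("2020-12-03T02:07:15", "acct-103", "dev-F3", "src-farm", "transfer"),
]

def rotating_sources(events, min_devices=3):
    """Sources that present at least min_devices distinct device IDs, each on
    a different account: one network origin claiming to be many phones."""
    devs, accts = defaultdict(set), defaultdict(set)
    for _, acct, dev, src, action in events:
        if action == "login":
            devs[src].add(dev)
            accts[src].add(acct)
    return {s for s in devs if len(devs[s]) >= min_devices and len(accts[s]) >= min_devices}

def fast_new_device_drains(events, max_gap=timedelta(minutes=5)):
    """Accounts where a device never seen before on that account logs in,
    passes SMS OTP and moves money within max_gap: the automated drain
    pattern. Assumes device history starts with the first event given."""
    known, first_login, otp_ok, hits = defaultdict(set), {}, set(), set()
    for ts, acct, dev, _, action in sorted(events):  # ISO timestamps sort
        t = datetime.fromisoformat(ts)
        key = (acct, dev)
        if action == "login":
            if dev not in known[acct]:
                first_login[key] = t
            known[acct].add(dev)
        elif action == "otp_ok":
            otp_ok.add(key)
        elif action == "transfer" and key in otp_ok and key in first_login:
            if t - first_login[key] <= max_gap:
                hits.add(acct)
    return hits
```

Either heuristic alone produces false positives (shared NAT gateways, customers who genuinely buy a new phone), so in practice both feed a risk score alongside the GPS and device-fingerprint signals mentioned above rather than blocking outright.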

Researchers believe the bank accounts were compromised using either malware or phishing attacks. The IBM Trusteer report does not explain how the scammers managed to steal SMS messages and device IDs. The banks were located in the USA and Europe.

To monitor the progress of the operation in real time, the scammers intercepted communications between the spoofed devices and the banks’ application servers. The attackers also used logs and screenshots to track the operation over time. As it progressed, researchers saw the attack techniques evolve as the scammers learned from previous mistakes.

The operation underscores the usual security advice: use strong passwords, learn how to identify phishing scams and keep devices free of malware. It would be better if banks offered multi-factor authentication through a channel other than SMS, but few financial institutions do. People should review their bank statements at least once a month to look for fraudulent transactions.

This story originally appeared on Ars Technica.
