IBM Trusteer researchers claim to have uncovered a massive fraud operation that used a network of mobile device emulators to drain millions of dollars from online bank accounts within days.
The scale of the operation was unlike anything the researchers had seen before. In one case, crooks used around 20 emulators to impersonate more than 16,000 phones belonging to customers whose mobile bank accounts had been compromised. In another case, a single emulator could spoof more than 8,100 devices.
The thieves then entered usernames and passwords into banking apps running on the emulators and initiated fraudulent money orders that siphoned funds out of the compromised accounts. Emulators are normally used by legitimate developers and researchers to test how apps behave on a variety of mobile devices.
To bypass the protections banks use to block such attacks, the crooks used device IDs matching each compromised account holder and spoofed the GPS locations each device was known to use. The device IDs were likely obtained from the account holders' hacked devices, although in some cases the fraudsters gave the appearance of being customers accessing their accounts from new phones. The attackers were also able to bypass multifactor authentication by accessing SMS messages.
“This mobile fraud operation was successful in automating the process of accessing accounts, initiating a transaction, receiving and stealing a second factor (SMS in this case) and, in many cases, using those codes to carry out illicit transactions,” IBM Trusteer researchers Shachar Gritzman and Limor Kessem wrote in a post. “The data sources, scripts, and custom apps the gang created flowed into an automated process that allowed them to steal millions of dollars from every victimized bank within days.”
Whenever the crooks successfully cleared an account, they would retire the spoofed device that had accessed it and replace it with a new one. The attackers also cycled through devices in case one was rejected by a bank’s anti-fraud system. Over time, IBM Trusteer saw the operators launch separate attacks: once one was complete, they would shut the operation down, erase its data traces, and start a new one.
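Two of the behaviours described above leave a footprint in a bank's own session logs: a single emulator presenting thousands of distinct device IDs from one source, and a spoofed device being swapped for a fresh one right after a successful transfer. The following added example (not code from the IBM Trusteer report, Ars Technica, or any bank) runs two such defender-side checks over a constructed set of session records; the record layout, field names, thresholds, and sample IP addresses are all assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One mobile-banking session record (constructed layout, not a real bank's schema)."""
    ts: int          # seconds since epoch
    account: str
    device: str      # device ID presented by the client
    ip: str          # source address of the session
    outcome: str     # "login_ok", "transfer_ok", "login_rejected", ...


def device_churn_after_payout(events, window_s=3600):
    """Flag accounts where a successful transfer on one device is followed,
    within window_s seconds, by a session from a device never seen on that
    account before. That is the 'clear the account, then swap the spoofed
    device' pattern; a genuine customer moving to a new phone is the false
    positive to tune window_s against."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_account[e.account].append(e)

    flagged = set()
    for acct, evs in by_account.items():
        seen = set()
        last_payout = None  # (timestamp, device) of the most recent successful transfer
        for e in evs:
            if (last_payout is not None
                    and e.device not in seen
                    and e.device != last_payout[1]
                    and e.ts - last_payout[0] <= window_s):
                flagged.add(acct)
            seen.add(e.device)
            if e.outcome == "transfer_ok":
                last_payout = (e.ts, e.device)
    return flagged


def emulator_farm_sources(events, max_devices=50):
    """Flag source addresses that present more distinct device IDs than any
    plausible household or office would (one emulator spoofing many phones)."""
    devices_by_ip = defaultdict(set)
    for e in events:
        devices_by_ip[e.ip].add(e.device)
    return {ip for ip, devs in devices_by_ip.items() if len(devs) > max_devices}


# Constructed sample data using documentation-reserved IP ranges.
EVENTS = [
    Event(1000, "acct-001", "dev-A1", "198.51.100.7", "login_ok"),
    Event(1060, "acct-001", "dev-A1", "198.51.100.7", "transfer_ok"),
    Event(1300, "acct-001", "dev-A2", "198.51.100.7", "login_ok"),   # device swapped minutes after payout
    Event(2000, "acct-002", "dev-B1", "203.0.113.5", "login_ok"),
    Event(2100, "acct-002", "dev-B1", "203.0.113.5", "transfer_ok"),
    Event(90000, "acct-002", "dev-B2", "203.0.113.5", "login_ok"),   # new phone a day later: outside the window
]
# One source address presenting sixty different device IDs across sixty accounts.
EVENTS += [Event(3000 + i, f"acct-{100 + i}", f"dev-E{i}", "198.51.100.7", "login_ok")
           for i in range(60)]


if __name__ == "__main__":
    print("device churn after payout:", sorted(device_churn_after_payout(EVENTS)))
    print("emulator-farm sources:", sorted(emulator_farm_sources(EVENTS)))
```

Both checks are deliberately simple so they can be read in one sitting; in production the per-source threshold would be set from the bank's own baseline of devices per address, and the churn rule would be one signal feeding a risk score rather than a block on its own.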
Researchers believe the bank accounts were compromised using either malware or phishing attacks. The IBM Trusteer report does not explain how the crooks managed to steal the SMS messages and device IDs. The targeted banks were located in the United States and Europe.
To monitor the progress of the operation in real time, the crooks intercepted communications between the spoofed devices and the banks’ application servers. They also used logs and screenshots to track the operation over time. As it progressed, researchers saw the attack techniques evolve as the crooks learned from previous mistakes.
The operation underscores the usual safety advice: use strong passwords, learn to spot phishing scams, and keep devices free of malware. It would be nice if banks provided multi-factor authentication through a medium other than SMS, but few financial institutions do. People should review their bank statements at least once a month to look for fraudulent transactions.
This story originally appeared on Ars Technica.