A massive fraud operation has stolen millions from online bank accounts

IBM Trusteer researchers say they have discovered a massive fraud operation that used a network of mobile device emulators to drain millions of dollars from online bank accounts within days.

The scale of the operation was unlike anything the researchers had seen before. In one case, the crooks used about 20 emulators to mimic more than 16,000 phones belonging to customers whose mobile bank accounts had been compromised. In a single instance, one emulator spoofed more than 8,100 devices.

The thieves then entered usernames and passwords into banking apps running on the emulators and initiated fraudulent money orders that siphoned funds from the compromised accounts. Emulators are ordinarily used by legitimate developers and researchers to test how apps behave on different mobile devices.

To get around the protections that banks use to block such attacks, the crooks used device IDs corresponding to each compromised account holder and spoofed the GPS locations that each device was known to use. The device IDs were likely obtained from the holders’ hacked devices, although in some cases the fraudsters instead gave the impression that they were customers accessing their accounts from new phones. The attackers were also able to bypass multi-factor authentication by intercepting text messages.

Automating fraud

“This mobile fraud operation managed to control and automate the process of accessing accounts, initiating a transaction, receiving and stealing a second factor (in this case SMS), and in many cases using those codes to complete illegal transactions,” IBM Trusteer researchers Shachar Gritzman and Limor Kessem wrote in a post. “The data sources, scripts and custom applications that the gang created flowed into one automated process, allowing them to rob millions of dollars from every victimized bank within days.”

Each time the crooks successfully drained an account, they would retire the counterfeit device that had accessed it and replace it with a new one. The attackers also cycled through devices whenever one was rejected by a bank’s anti-fraud system. Over time, IBM Trusteer watched the operators launch separate attack legs: after one leg completed, the attackers stopped the operation, cleared their data traces, and started a new one.
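Two of the patterns described above (one emulator presenting thousands of distinct device IDs, and a "new phone" logging in and cashing out almost immediately) lend themselves to simple server-side detection. The following is an added example written for this article, not code from IBM Trusteer or from any bank; the event fields, the client fingerprint, the thresholds and the sample events are all assumptions chosen for illustration.

```python
# Added example, not code from the IBM Trusteer report. Field names, thresholds
# and sample values below are assumptions for illustration only.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class LoginEvent:
    ts: int                          # seconds since epoch
    account: str
    device_id: str                   # ID the app reported; an emulator can spoof it
    client_fp: str                   # server-side network/TLS fingerprint (assumed field)
    new_device: bool                 # bank has never seen this device_id for this account
    transfer_after_otp_s: Optional[int]  # seconds from login to an SMS-OTP-verified transfer

def devices_per_fingerprint(events, window_s=3600, threshold=50):
    """Fingerprints that presented >= threshold distinct device IDs inside any
    window_s span. A real handset almost never changes its device ID at all."""
    by_fp = defaultdict(list)
    for e in events:
        by_fp[e.client_fp].append((e.ts, e.device_id))
    flagged = {}
    for fp, rows in by_fp.items():
        rows.sort()
        lo = 0
        for hi in range(len(rows)):            # sliding window over sorted timestamps
            while rows[hi][0] - rows[lo][0] > window_s:
                lo += 1
            distinct = {d for _, d in rows[lo:hi + 1]}
            if len(distinct) >= threshold:
                flagged[fp] = max(flagged.get(fp, 0), len(distinct))
    return flagged

def new_device_fast_cashout(events, max_delay_s=300):
    """Accounts where a never-seen device completed an OTP-verified transfer
    within max_delay_s of logging in (the 'new phone' pretext in the article)."""
    return sorted({e.account for e in events
                   if e.new_device and e.transfer_after_otp_s is not None
                   and e.transfer_after_otp_s <= max_delay_s})

# Constructed sample: one fingerprint cycling through 60 device IDs in ten
# minutes, plus one genuine customer on a long-known device.
SAMPLE = [LoginEvent(1000 + i * 10, f"acct{i:04d}", f"dev-{i:05d}", "fp-A", True, 120)
          for i in range(60)]
SAMPLE.append(LoginEvent(5000, "acct9999", "dev-known", "fp-B", False, 3000))

if __name__ == "__main__":
    print(devices_per_fingerprint(SAMPLE))   # {'fp-A': 60}
    print(new_device_fast_cashout(SAMPLE))   # acct0000 .. acct0059
```

The fingerprint used to group logins must be something the app cannot simply assert about itself, otherwise a spoofed device ID defeats the grouping as easily as it defeats the device check.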

The researchers believe the bank accounts were compromised through malware or phishing attacks. The IBM Trusteer report does not explain how the crooks managed to steal the text messages and device IDs. The affected banks were located in the US and Europe.

To monitor the progress of operations in real time, the crooks intercepted communications between the counterfeit devices and the banks’ application servers. The attackers also used logs and screenshots to track the operation over time. As the operation progressed, the researchers watched the attack techniques evolve as the crooks learned from previous mistakes.

The operation reinforces the usual security advice: use strong passwords, learn to recognize phishing attacks, and keep devices free of malware. It would help if banks offered multi-factor authentication through a channel other than SMS, but few financial institutions do. People should check their bank statements for fraudulent transactions at least once a month.

This story originally appeared on Ars Technica.
