A massive fraud operation stole millions of online bank accounts

IBM researchers said they discovered a massive fraud operation that used a network of mobile device emulators to drain millions of dollars from online bank accounts in a matter of days.

The scale of the operation was unlike anything the researchers had seen before. In one case, the thieves used about 20 emulators to mimic more than 16,000 phones belonging to customers whose mobile bank accounts had been compromised. In a separate case, a single emulator was able to spoof more than 8,100 devices.

The thieves then entered usernames and passwords into banking applications running on the emulators and initiated fraudulent money orders that siphoned funds out of the compromised accounts. Emulators are used by legitimate developers and researchers to test how applications run on a variety of mobile devices.

To bypass the protections banks use to block such attacks, the thieves used device identifiers corresponding to each compromised account holder and spoofed GPS locations the device was known to use. The device identifiers were probably obtained from the holders' hacked devices, although in some cases the fraudsters gave the appearance of being customers accessing their accounts from new phones. The attackers were also able to bypass multi-factor authentication by accessing SMS messages.

Fraud automation

“This mobile fraud operation managed to automate the process of accessing accounts, initiating a transaction, receiving and stealing a second factor (SMS in this case) and, in many cases, using these codes to complete illicit transactions,” IBM Trusteer researchers Shachar Gritzman and Limor Kessem wrote in a post. “The data sources, scripts and custom applications the gang created flowed in one automated process that provided the speed that allowed them to steal millions of dollars from each victimized bank in a matter of days.”

Each time the thieves successfully drained an account, they retired the spoofed device that had accessed the account and replaced it with a new one. The attackers also cycled through devices in the event one was rejected by a bank's anti-fraud system. Over time, IBM Trusteer saw the operators launch separate attacks. Once one was finished, the attackers would shut down the operation, wipe the data traces and start a new one.
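Neither the article nor the IBM Trusteer write-up describes how the banks' anti-fraud systems work, so what follows is an added example (not IBM's code and not any bank's) of one server-side heuristic aimed at the two traits the article does describe, in the paragraph on spoofed device identifiers and GPS locations and in the paragraph above on retiring each device after a single cash-out: a handful of network sources presenting a large number of distinct device IDs, and device IDs that appear once, move money, and never return. The log format, the field names, the idea of a server-observed "source" (egress IP plus TLS fingerprint) and the thresholds are all assumptions made for the example, and the log lines are constructed.

```python
"""Added example for this page: a server-side heuristic for spotting an
emulator farm in mobile-banking login logs. Illustrative code, not IBM
Trusteer's detection logic and not any bank's. The log format, the field
names, the notion of a network-side "source" and the thresholds are
assumptions made for the example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since epoch
    source: str      # assumed: server-observed origin, e.g. egress IP + TLS fingerprint
    device_id: str   # device identifier presented by the app; spoofable, as the article shows
    account: str     # account the session logged into
    transfer: float  # amount moved out during the session, 0.0 if none


# Constructed sample log (not real data): one emulator farm (203.0.113.7)
# burning through a fresh device ID per account, one ordinary customer
# (198.51.100.4) and one shared home connection with two phones (198.51.100.9).
SAMPLE_LOG = """\
ts=1607000000 src=203.0.113.7/ja3:a1b2 dev=d-0001 acct=A1001 xfer=4200
ts=1607000120 src=203.0.113.7/ja3:a1b2 dev=d-0002 acct=A1002 xfer=3900
ts=1607000260 src=203.0.113.7/ja3:a1b2 dev=d-0003 acct=A1003 xfer=5100
ts=1607000400 src=203.0.113.7/ja3:a1b2 dev=d-0004 acct=A1004 xfer=2800
ts=1607000530 src=203.0.113.7/ja3:a1b2 dev=d-0005 acct=A1005 xfer=4700
ts=1607000700 src=203.0.113.7/ja3:a1b2 dev=d-0006 acct=A1006 xfer=3300
ts=1607000000 src=198.51.100.4/ja3:c3d4 dev=d-9001 acct=A2001 xfer=0
ts=1607003600 src=198.51.100.4/ja3:c3d4 dev=d-9001 acct=A2001 xfer=0
ts=1607086400 src=198.51.100.4/ja3:c3d4 dev=d-9001 acct=A2001 xfer=150
ts=1607000000 src=198.51.100.9/ja3:e5f6 dev=d-9101 acct=A2101 xfer=0
ts=1607000300 src=198.51.100.9/ja3:e5f6 dev=d-9102 acct=A2102 xfer=60
"""


def parse_line(line: str) -> LoginEvent:
    """Parse one 'key=value ...' line of the assumed log format."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return LoginEvent(int(fields["ts"]), fields["src"], fields["dev"],
                      fields["acct"], float(fields.get("xfer", "0")))


def max_distinct_devices(events, window_s):
    """Per source: the largest number of distinct device IDs seen inside any
    window_s-second window. Twenty emulators pretending to be 16,000 phones
    show up here as one source with a huge count."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source].append(e)
    result = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e.ts)
        counts, left, best = defaultdict(int), 0, 0
        for e in evs:
            counts[e.device_id] += 1
            while e.ts - evs[left].ts > window_s:   # slide the window forward
                counts[evs[left].device_id] -= 1
                if counts[evs[left].device_id] == 0:
                    del counts[evs[left].device_id]
                left += 1
            best = max(best, len(counts))
        result[src] = best
    return result


def single_use_cashouts(events):
    """Device IDs seen exactly once whose only session moved money: the
    'drain the account, retire the device' pattern the article describes."""
    seen = defaultdict(list)
    for e in events:
        seen[e.device_id].append(e)
    return {d for d, evs in seen.items() if len(evs) == 1 and evs[0].transfer > 0}


def flag_sources(events, window_s=3600, max_devices=5, min_cashout_share=0.8):
    """Sources that look like an emulator farm: too many distinct devices in
    one window, or a fleet of devices that are nearly all one-shot cash-outs.
    The thresholds are placeholders to be tuned per institution."""
    churn = max_distinct_devices(events, window_s)
    throwaway = single_use_cashouts(events)
    devices_by_source = defaultdict(set)
    for e in events:
        devices_by_source[e.source].add(e.device_id)
    flagged = {}
    for src, devs in devices_by_source.items():
        share = len(devs & throwaway) / len(devs)
        if churn[src] > max_devices or (len(devs) > 1 and share >= min_cashout_share):
            flagged[src] = {"distinct_devices": churn[src],
                            "single_use_cashout_share": round(share, 2)}
    return flagged


def analyze_sample():
    """Run the heuristic over the constructed log above."""
    return flag_sources([parse_line(line) for line in SAMPLE_LOG.splitlines()])


if __name__ == "__main__":
    for src, why in analyze_sample().items():
        print(f"suspect source {src}: {why}")
```

Because the device ID and GPS fields are under the attacker's control, the heuristic deliberately keys on what the server observes itself (the network origin and the churn of device IDs over time) rather than on any client-supplied attribute. The device-count condition alone would also fire on a carrier-grade NAT or a corporate egress, which is why the second condition looks at the share of one-session cash-outs rather than the raw number of devices; in practice both thresholds need tuning against an institution's own traffic.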

The researchers believe the bank accounts were compromised through malware or phishing attacks. The IBM Trusteer report does not explain how the thieves managed to steal the SMS messages and device identifiers. The banks were located in the United States and Europe.

To monitor the progress of the operation in real time, the thieves intercepted communications between the spoofed devices and the banks' application servers. The attackers also used logs and screenshots to track the operation over time. As the operation progressed, the researchers saw the attack techniques evolve as the thieves learned from earlier mistakes.

The operation is a reminder of the usual security advice: use strong passwords, learn how to spot phishing scams, and keep devices free of malware. It would be nice for banks to provide multi-factor authentication through a medium other than SMS, but few financial institutions do. People should check their bank statements at least once a month for fraudulent transactions.

This story originally appeared on Ars Technica.

