A group of cybercriminals used mobile emulators to spoof thousands of mobile devices, which enabled them to steal millions of dollars within days.
Targeting financial institutions in Europe and the United States, the mobile banking fraud operation relied on over 20 emulators to spoof more than 16,000 mobile devices and access compromised accounts.
Mobile device identifiers were used to spoof the devices of the account holders, but in some cases the attackers set up new identifiers, to make it seem as if the user was accessing the account from a new device. Credentials stolen from infected systems or via phishing were also used.
“Using automation, scripting, and potentially access to a mobile malware botnet or phishing logs, the attackers, who have the victim’s username and password, initiate and finalize fraudulent transactions at scale,” IBM Security Trusteer’s researchers, who discovered the operation, explain.
The attackers likely automated account assessment and the initiation of fraudulent money transfers, while being careful to keep the amounts low enough to ensure their activity won’t trigger further review by the bank.
Using the network of thousands of spoofed devices, the crooks repeatedly accessed the accounts of thousands of people, eventually stealing millions of dollars within days, per attack.
“After one spree, the attackers shut down the operation, wipe traces, and prepare for the next attack,” the researchers explain.
Although the attackers used emulators rather than real handsets, the attacks can target any financial application, including those that require approval via codes sent over SMS or email.
The individuals behind this operation were likely in possession of account holders’ usernames and passwords, had access to device identifiers and other data (likely from compromised devices), and were able to obtain SMS message content.
Furthermore, they leveraged a customized automation environment to specifically target financial applications, used a set of virtual mobile emulators to spoof a larger number of devices, and employed network interception scripts to submit transactions and monitor communications.
Using legitimate apps, the attackers tested their emulators to ensure they would pass as real devices. They also leveraged a custom application that would automatically deliver the necessary device parameters to the emulator, while matching the device with the account holder’s username and password.
Devices successfully used for fraudulent transfers were recycled and replaced with unused devices. Blocked devices were also replaced. In one attack, a single emulator was used to spoof more than 8,000 devices.
The attackers also built custom-tailored applications that mimicked the application they were targeting, and they closely monitored how the target applications reacted to connections from their spoofed devices.
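As an added illustration (not from the IBM report or this article), the following Python sketch shows how a defender might flag the two patterns described above in constructed session logs: one source address presenting many distinct device identifiers within a short window, and a transfer initiated minutes after an unenrolled device first appears on an account. The log format, thresholds, sample values and the device-enrollment table are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of mobile-banking session events (not real data):
# timestamp, account, device_id, source_ip, action, amount
SAMPLE_LOG = """\
2020-12-01T09:00:00 acct1001 dev-aaa 203.0.113.5 login 0
2020-12-01T09:00:40 acct1001 dev-aaa 203.0.113.5 transfer 450
2020-12-01T09:01:10 acct1002 dev-bbb 203.0.113.5 login 0
2020-12-01T09:01:50 acct1002 dev-bbb 203.0.113.5 transfer 480
2020-12-01T09:02:30 acct1003 dev-ccc 203.0.113.5 login 0
2020-12-01T09:03:05 acct1003 dev-ccc 203.0.113.5 transfer 470
2020-12-01T10:15:00 acct2001 dev-home 198.51.100.7 login 0
2020-12-01T10:45:00 acct2001 dev-home 198.51.100.7 transfer 60
"""

# Devices previously enrolled per account (constructed, hypothetical table).
KNOWN_DEVICES = {"acct2001": {"dev-home"}}

def parse(log):
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in log.splitlines():
        ts, acct, dev, ip, action, amount = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "acct": acct, "dev": dev,
                       "ip": ip, "action": action, "amount": int(amount)})
    return events

def find_suspicious(events, known=KNOWN_DEVICES, window=timedelta(minutes=5),
                    max_devices_per_ip=2, transfer_delay=timedelta(minutes=2)):
    """Return alert name -> sorted list of offending IPs or accounts."""
    alerts = {"ip_device_churn": set(), "new_device_fast_transfer": set()}
    devices_by_ip = defaultdict(list)   # ip -> [(login ts, device id)]
    first_seen = {}                     # (account, device) -> first login ts
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "login":
            devices_by_ip[ev["ip"]].append((ev["ts"], ev["dev"]))
            first_seen.setdefault((ev["acct"], ev["dev"]), ev["ts"])
            # Emulator signature: one source presenting many distinct
            # device identifiers inside a short window.
            recent = {d for t, d in devices_by_ip[ev["ip"]] if ev["ts"] - t <= window}
            if len(recent) > max_devices_per_ip:
                alerts["ip_device_churn"].add(ev["ip"])
        elif ev["action"] == "transfer":
            enrolled = ev["dev"] in known.get(ev["acct"], set())
            seen = first_seen.get((ev["acct"], ev["dev"]))
            # A transfer minutes after a never-enrolled device first appears.
            if not enrolled and seen is not None and ev["ts"] - seen <= transfer_delay:
                alerts["new_device_fast_transfer"].add(ev["acct"])
    return {k: sorted(v) for k, v in alerts.items()}
```

Both rules fire on the constructed emulator session and neither on the enrolled home device; real deployments would tune the thresholds against the bank's own traffic.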
“It is likely that those behind [this operation] are an organized group with access to skilled technical developers of mobile malware and those versed in fraud and money laundering. These types of characteristics are typical for gangs from the desktop malware realms, such as those operating TrickBot or the gang known as Evil Corp,” IBM says.
The security researchers also discovered fraud-as-a-service offerings on underground markets promising access to similar operations for paying subscribers. This suggests not only that any wannabe cybercriminal may launch similar attacks, but also that the scheme can be adapted to target financial institutions in almost any country, the researchers note.