Researchers at IBM discovered a brand new type of massive banking fraud campaign that raked in millions of dollars over the course of a few days before it was put to a stop.
The attackers gained access to thousands of victims’ online bank accounts, either through phishing attacks or malware, then used mobile emulators to impersonate the victims’ phones.
Emulator Farming On An Industrial Scale
Mobile emulators are virtualization software that can imitate a real phone, and are usually used for legitimate purposes. The criminals in this case, however, used them to avoid triggering alerts when they transferred money out of the victims’ accounts.
“This is the work of a professional and organized gang that uses an infrastructure of mobile device emulators to set up thousands of spoofed devices that accessed thousands of compromised accounts,” the researchers explain.
“In each instance, a set of mobile device identifiers was used to spoof an actual account holder’s device, likely ones that were previously infected by malware or collected via phishing pages. Using automation, scripting, and potentially access to a mobile malware botnet or phishing logs, the attackers, who have the victim’s username and password, initiate and finalize fraudulent transactions at scale.
In this automatic process, they are likely able to script the assessment of account balances of the compromised users and automate large numbers of fraudulent money transfers being careful to keep them under amounts that trigger further review by the bank.”
The operation was enormous and well-planned
The researchers stress that this operation was enormous and well-planned, and they expect to see similar campaigns in the future.
“The scale of this operation is one that has never been seen before, in some cases, over 20 emulators were used in the spoofing of well over 16,000 compromised devices,” IBM says. “The attackers use these emulators to repeatedly access thousands of customer accounts and end up stealing millions of dollars in a matter of just a few days in each case. After one spree, the attackers shut down the operation, wipe traces, and prepare for the next attack.”
Attackers could also intercept two-factor authentication
IBM says the attackers could also intercept certain two-factor authentication measures in order to approve transactions.
“It’s of note that the emulator attacks we analyzed have the potential to work on any application that offers online access to customers, especially financial institutions, anywhere in the world,” the researchers write. “This is applicable even where transactions are approved with a code sent via SMS, and potentially also voice calls, or an email message.”
Two-factor authentication is an important security measure, but it won’t stop every attack. New-school security awareness training can give your organization a layered defense by teaching your employees how to follow security best practices and avoid falling for social engineering attacks.