IBM Security Trusteer’s mobile security research team has uncovered a major fraud campaign that used mobile emulators to steal millions of dollars from financial institutions in Europe and the US within a matter of days.
The research team says that the hackers used an infrastructure of mobile device emulators to set up thousands of spoofed devices that accessed thousands of compromised accounts.
In each instance, a set of mobile device identifiers was used to spoof an actual account holder’s device, likely ones that were previously infected by malware or collected via phishing pages.
Using automation, scripting, and potentially access to a mobile malware botnet or phishing logs, the attackers, who already hold the victim's username and password, initiate and finalise fraudulent transactions at scale. In this automated process, they are likely able to script the assessment of compromised users' account balances and automate large numbers of fraudulent money transfers, taking care to keep each one under the amounts that trigger further review by the bank.
An emulator can mimic the characteristics of a variety of mobile devices without the need to purchase them and is typically used by developers to test applications and features on a wide array of device types.
IBM Trusteer says the scale of the operation is one that has never been seen before: in some cases, over 20 emulators were used to spoof well over 16,000 compromised devices.
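Two of the signals described above can be checked directly in a bank's own telemetry: a single server-side source presenting many different device identifiers, and an account making repeated transfers that sit just below the review threshold. The following is an added example, not code from IBM Trusteer or from the campaign; the source fingerprints, device identifiers, account names and the 1000 review threshold are constructed sample values.

```python
from collections import defaultdict

# Constructed sample login events: (server-side source fingerprint, device
# identifier presented by the app, account). A household NAT legitimately shows
# a handful of devices; an emulator farm presents many stolen device identities
# from one source. "emu-A" and all device/account values are made up.
LOGINS = [
    ("home-nat-7", "dev-aa01", "acct-3001"),
    ("home-nat-7", "dev-aa02", "acct-3002"),
    ("emu-A", "dev-0001", "acct-1001"),
    ("emu-A", "dev-0002", "acct-1002"),
    ("emu-A", "dev-0003", "acct-1003"),
    ("emu-A", "dev-0004", "acct-1004"),
    ("emu-A", "dev-0005", "acct-1005"),
    ("emu-A", "dev-0006", "acct-1006"),
]

# Constructed sample transfers: (account, amount); review threshold assumed 1000.
TRANSFERS = [
    ("acct-1001", 950.0), ("acct-1001", 980.0), ("acct-1001", 990.0),
    ("acct-3001", 40.0), ("acct-3001", 999.0),
    ("acct-1002", 1200.0),
]


def identity_farms(logins, min_devices=5):
    """Return {source: (distinct_devices, distinct_accounts)} for every source
    that presents at least `min_devices` different device identifiers: one
    physical source claiming to be many devices is the emulator-spoofing pattern."""
    devices, accounts = defaultdict(set), defaultdict(set)
    for source, device, account in logins:
        devices[source].add(device)
        accounts[source].add(account)
    return {s: (len(d), len(accounts[s]))
            for s, d in devices.items() if len(d) >= min_devices}


def structured_transfers(transfers, threshold, margin=0.10, min_count=3):
    """Return accounts with at least `min_count` transfers sitting just under the
    review threshold (within `margin` of it). Automation that keeps each transfer
    below the review limit produces exactly this clustering of amounts."""
    floor = threshold * (1 - margin)
    hits = defaultdict(int)
    for account, amount in transfers:
        if floor <= amount < threshold:
            hits[account] += 1
    return sorted(a for a, n in hits.items() if n >= min_count)
```

Both checks are meant to run over a time window; in production the source fingerprint would combine the attributes the backend actually observes (address, TLS and HTTP characteristics) rather than a single field.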
Says the company: "The attackers use these emulators to repeatedly access thousands of customer accounts and end up stealing millions of dollars in a matter of just a few days in each case. After one spree, the attackers shut down the operation, wipe traces, and prepare for the next attack."
In subsequent attacks using the same tactics, IBM Trusteer observed the operation evolving and lessons being applied, with the attackers evidently fixing errors from their earlier attacks.
IBM Trusteer's intelligence team has also observed a trending fraud-as-a-service offering in underground venues that promises access to the same type of operation to anyone willing to pay for it, with or without the required skill.
"This lowers the entry bar for would-be criminals or those who plan to transition into the mobile fraud realm," says the research unit. "It also means this at-scale automation scheme can be adapted to almost any financial institution in a variety of countries and territories and is likely to become a growing trend among cybercriminals."