IBM Security Trusteer’s mobile security research team has warned of a major mobile banking fraud operation, in which cybercriminals are using emulated mobile devices to steal money from financial institutions.
The campaign targets banks in Europe and the US, and the fraudsters managed to steal millions of dollars within a matter of days, IBM said.
“This is the work of a professional and organized gang that uses an infrastructure of mobile device emulators to set up thousands of spoofed devices that accessed thousands of compromised accounts,” the research team noted.
The crooks behind this operation use mobile device identifiers to spoof an actual account holder’s device (likely a device that was itself previously compromised). Using automation, scripting, and potentially access to a mobile malware botnet or phishing logs, the attackers, who already hold the victim’s username and password, initiate and finalize fraudulent transactions at scale.
IBM said that in some cases the fraudsters were observed using more than 20 emulators to spoof over 16,000 mobile devices and access compromised accounts.
“The attackers use these emulators to repeatedly access thousands of customer accounts and end up stealing millions of dollars in a matter of just a few days in each case. After one spree, the attackers shut down the operation, wipe traces, and prepare for the next attack,” according to the report.
Within the emulator farm, each emulator was set up either to appear as an actual device or as a randomized “new” device. To ensure the emulation was convincing, the crooks tested it against legitimate apps. The attackers then used a custom tool capable of feeding device specs from a database of previously compromised devices, matching each spoofed device with the account holder’s banking credentials.
“When a compromised device operated from a specific country, the emulator spoofed the GPS location. From there, it connected to the account through a matching virtual private network (VPN) service. The attackers used a mix of legitimate tools available publicly (used mostly in testing) and customized applications likely created for the operation,” the IBM team explained.
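Because the operation matched the spoofed GPS location to a VPN exit in the same country, a per-login "does the GPS country agree with the IP country" check is exactly the control this farm was built to pass. What the report's description does expose are population-level patterns: many unrelated accounts enrolling a "new" device inside a few minutes, and one device fingerprint turning up on several accounts. The following is an added example written for this article, not code from IBM Trusteer or from the report; the telemetry format (timestamp, `acct`, `device`, `new_device`) and all sample values are constructed assumptions.

```python
"""Flag emulator-farm style access patterns in mobile banking login telemetry.

Added example, not IBM Trusteer code. Assumes each login event is one line:
    TIMESTAMP acct=<account id> device=<device fingerprint> new_device=<0|1>
The two signals implemented are population-wide bursts of new-device
enrollments and device fingerprints shared across many accounts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry; account ids and fingerprints are illustrative.
SAMPLE_EVENTS = [
    # Normal traffic: each account on its own known device.
    "2020-12-14T08:55:10Z acct=A1001 device=dfp-0a11 new_device=0",
    "2020-12-14T09:01:42Z acct=A1002 device=dfp-0b22 new_device=0",
    "2020-12-14T09:10:05Z acct=A1003 device=dfp-0c33 new_device=1",
    # Burst: five unrelated accounts enrol a "new" device within 30 seconds.
    "2020-12-14T09:30:00Z acct=A2001 device=dfp-e001 new_device=1",
    "2020-12-14T09:30:07Z acct=A2002 device=dfp-e002 new_device=1",
    "2020-12-14T09:30:15Z acct=A2003 device=dfp-e003 new_device=1",
    "2020-12-14T09:30:22Z acct=A2004 device=dfp-e004 new_device=1",
    "2020-12-14T09:30:30Z acct=A2005 device=dfp-e005 new_device=1",
    # One fingerprint presented by three different accounts.
    "2020-12-14T10:05:00Z acct=A3001 device=dfp-e777 new_device=0",
    "2020-12-14T10:05:09Z acct=A3002 device=dfp-e777 new_device=0",
    "2020-12-14T10:05:18Z acct=A3003 device=dfp-e777 new_device=0",
    "2020-12-14T11:00:00Z acct=A1004 device=dfp-0d44 new_device=0",
]

EPOCH = datetime(1970, 1, 1)


def parse_event(line):
    """Parse one telemetry line into a dict; 'ts' becomes a naive UTC datetime."""
    ts_text, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    event["new_device"] = event.get("new_device") == "1"
    return event


def new_device_bursts(events, window=timedelta(minutes=5), threshold=4):
    """Return {window_start: [accounts]} for windows in which at least
    `threshold` distinct accounts enrolled a new device.

    A single new-device enrolment is routine; a spike of them across many
    unrelated accounts in one short window is the farm's footprint.
    """
    buckets = defaultdict(set)
    for event in events:
        if event["new_device"]:
            # Fixed-size buckets counted from the epoch, so no local-time issues.
            buckets[(event["ts"] - EPOCH) // window].add(event["acct"])
    return {
        EPOCH + index * window: sorted(accounts)
        for index, accounts in buckets.items()
        if len(accounts) >= threshold
    }


def shared_device_fingerprints(events, min_accounts=3):
    """Return {fingerprint: [accounts]} for fingerprints seen on at least
    `min_accounts` distinct accounts, i.e. one (spoofed) device serving many."""
    by_device = defaultdict(set)
    for event in events:
        by_device[event["device"]].add(event["acct"])
    return {
        device: sorted(accounts)
        for device, accounts in by_device.items()
        if len(accounts) >= min_accounts
    }


def analyze(lines):
    """Run both detectors over raw telemetry lines."""
    events = [parse_event(line) for line in lines]
    return {
        "new_device_bursts": new_device_bursts(events),
        "shared_fingerprints": shared_device_fingerprints(events),
    }


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_EVENTS).items():
        print(name)
        for key, accounts in findings.items():
            print(f"  {key}: {', '.join(accounts)}")
```

The thresholds (four enrolments per five minutes, three accounts per fingerprint) are placeholders to tune against a bank's own baseline; the point of the design is that both checks look across the whole customer population rather than at one login in isolation, which is where a per-device spoof of GPS and VPN country has nothing to hide behind.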
“It is likely that those behind it are an organized group with access to skilled technical developers of mobile malware and those versed in fraud and money laundering. These types of characteristics are typical for gangs from the desktop malware realms, such as those operating TrickBot or the gang known as Evil Corp,” the report said.