Massive fraud operation stole millions from online bank accounts
Researchers at IBM Trusteer said they discovered a massive fraud operation that used a network of mobile device emulators to drain millions of dollars from online bank accounts within a matter of days.
The scale of the operation was unlike anything the researchers had seen before. In one case, the crooks used about 20 emulators to impersonate more than 16,000 phones belonging to customers whose mobile banking accounts had been compromised. In a separate case, a single emulator spoofed more than 8,100 devices.
Emulators are used by legitimate developers and researchers to test how apps behave on a range of mobile devices. The thieves instead entered stolen usernames and passwords into banking apps running on the emulators and launched fraudulent money orders that siphoned funds from the compromised accounts.
To get past the protections banks use to block such attacks, the crooks presented device IDs matching each compromised account holder's phone and spoofed the GPS locations those devices were known to report. The device IDs were most likely harvested from the account holders' compromised phones, although in some cases the scammers instead made it appear that a customer was accessing the account from a new phone. The attackers also defeated multifactor authentication by gaining access to the victims' SMS messages, and with them the one-time codes the banks sent.
“This mobile fraud operation was successful in automating the process of accessing accounts, initiating a transaction, receiving and stealing a second factor (SMS in this case) and, in many cases, using these codes to conduct illicit transactions,” IBM Trusteer researchers Shachar Gritzman and Limor Kessem wrote in a post. “The data sources, scripts and custom applications created by the gang flowed through an automated process that allowed them to steal millions of dollars from each victim bank within days.”
Whenever the crooks successfully emptied an account, they retired the spoofed device that had accessed it and replaced it with a new one. They also cycled through devices in case one was rejected by a bank's anti-fraud system. Over time, IBM Trusteer saw the operators launch a series of separate attacks: once one was complete, they would shut the operation down, erase its data traces, and start a new one.
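The two behaviours described above, spoofed device IDs and GPS that pass per-device checks, and a fresh device that logs in, takes an SMS code, moves money and is then discarded, leave a server-side footprint that per-device fingerprinting alone misses. The following is an added example of the kind of correlation a bank's fraud team could run over its own authentication and transaction events; it is not code from the article or from IBM Trusteer. The log format, field names, sample events and thresholds are all assumptions constructed for the example.

```python
"""Server-side heuristics for the emulator-farm pattern described in the article.

Added example, not IBM Trusteer's code. The log format, field names, sample
events and thresholds below are assumptions; real bank telemetry will differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): timestamp, source IP, device ID,
# account, event. One "farm" IP cycles through single-use device IDs; one
# legitimate customer reuses the same device over the day.
SAMPLE_LOG = """\
2020-12-01T10:00:00 203.0.113.7 dev-a1 acct-1001 login
2020-12-01T10:00:20 203.0.113.7 dev-a1 acct-1001 otp_sent
2020-12-01T10:00:45 203.0.113.7 dev-a1 acct-1001 transfer
2020-12-01T10:01:10 203.0.113.7 dev-b2 acct-1002 login
2020-12-01T10:01:30 203.0.113.7 dev-b2 acct-1002 otp_sent
2020-12-01T10:01:55 203.0.113.7 dev-b2 acct-1002 transfer
2020-12-01T10:02:15 203.0.113.7 dev-c3 acct-1003 login
2020-12-01T10:02:40 203.0.113.7 dev-c3 acct-1003 otp_sent
2020-12-01T10:03:05 203.0.113.7 dev-c3 acct-1003 transfer
2020-12-01T10:03:30 203.0.113.7 dev-d4 acct-1004 login
2020-12-01T10:03:50 203.0.113.7 dev-d4 acct-1004 otp_sent
2020-12-01T10:04:15 203.0.113.7 dev-d4 acct-1004 transfer
2020-12-01T09:30:00 198.51.100.9 dev-z9 acct-2001 login
2020-12-01T09:31:00 198.51.100.9 dev-z9 acct-2001 balance
2020-12-01T12:00:00 198.51.100.9 dev-z9 acct-2001 login
2020-12-01T12:02:00 198.51.100.9 dev-z9 acct-2001 otp_sent
2020-12-01T12:10:00 198.51.100.9 dev-z9 acct-2001 transfer
"""

# Thresholds are assumptions chosen for the sample; tune against real baselines.
FANOUT_WINDOW = timedelta(hours=1)
FANOUT_THRESHOLD = 3            # distinct device IDs from one IP inside the window
DRAIN_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse the whitespace-separated sample format into time-sorted dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, dev, acct, ev = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "device": dev, "account": acct, "event": ev})
    events.sort(key=lambda e: e["ts"])
    return events


def device_fanout(events):
    """Map IP -> peak number of distinct device IDs it presented within
    FANOUT_WINDOW, for IPs exceeding FANOUT_THRESHOLD. A handful of emulators
    impersonating thousands of phones shows up here even when every device ID
    and GPS fix matches a real customer."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding window over sorted events
            while evs[end]["ts"] - evs[start]["ts"] > FANOUT_WINDOW:
                start += 1
            devices = {x["device"] for x in evs[start:end + 1]}
            if len(devices) > FANOUT_THRESHOLD:
                flagged[ip] = max(flagged.get(ip, 0), len(devices))
    return flagged


def single_use_drains(events):
    """Devices whose entire history is login -> otp_sent -> transfer on one
    account inside DRAIN_WINDOW: the 'spoof, drain, discard' cycle. Returns
    sorted (device, account, ip) tuples."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e["device"]].append(e)
    hits = []
    for dev, evs in by_device.items():
        if [e["event"] for e in evs] != ["login", "otp_sent", "transfer"]:
            continue
        if len({e["account"] for e in evs}) != 1:
            continue
        if evs[-1]["ts"] - evs[0]["ts"] <= DRAIN_WINDOW:
            hits.append((dev, evs[0]["account"], evs[0]["ip"]))
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("device fan-out by IP:", device_fanout(evs))
    print("single-use drain devices:", single_use_drains(evs))
```

On the constructed sample the farm IP is flagged for presenting four device IDs in a few minutes, and each of its four devices matches the single-use drain pattern, while the legitimate customer's reused device trips neither rule. In practice the source IP is only one candidate key; TLS fingerprint, emulator-specific build properties, or the absence of sensor noise in the reported GPS track are others, and the thresholds have to be set against the bank's own baseline of how many devices a shared network address legitimately presents.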
The researchers believe the bank accounts were compromised using malware or phishing attacks. The IBM Trusteer report does not explain how the crooks obtained the SMS messages and device IDs. The targeted banks were located in the United States and Europe.
To monitor the progress of the operation in real time, the crooks intercepted communications between the spoofed devices and the banks' application servers. They also used logs and screenshots to track the operation over time, and the researchers saw the attack techniques evolve as the crooks learned from earlier mistakes.
The operation is a reminder of the usual security advice: use strong passwords, learn to spot phishing scams, and keep devices free of malware. It would help if banks offered multifactor authentication through a channel other than SMS, but few financial institutions do. Customers should also review their bank statements at least once a month to look for fraudulent transactions.
This story originally appeared on Ars Technica.