Researchers from IBM Trusteer say they’ve uncovered a massive fraud operation that used a network of mobile device emulators to drain millions of dollars from online bank accounts in a matter of days, WIRED reported. The scale of the operation was unlike anything the researchers have seen before. In one case, crooks used about 20 emulators to mimic more than 16,000 phones belonging to customers whose mobile bank accounts had been compromised. In a separate case, a single emulator was able to spoof more than 8,100 devices.
The thieves then entered usernames and passwords into banking apps running on the emulators and initiated fraudulent money orders that siphoned funds out of the compromised accounts. Emulators are used by legitimate developers and researchers to test how apps run on a variety of different mobile devices.
To bypass protections banks use to block such attacks, the crooks used device identifiers corresponding to each compromised account holder and spoofed GPS locations the device was known to use. The device IDs were likely obtained from the holders’ hacked devices, although in some cases, the fraudsters gave the appearance that they were customers who were accessing their accounts from new phones. The attackers were also able to bypass multi-factor authentication by accessing SMS messages, said Dan Goodin, editor at Ars Technica.
Commenting on the news, Andy Renshaw, VP of payment solutions and strategy at Feedzai, stated: “I would say this shows the need for a layered approach, i.e. multiple fraud prevention layers that are able to share and consume knowledge between them and then use ML to identify broader patterns that would not be obvious otherwise. Examples would include behavioral data as well as device usage, as well as customer and sending and receiving payment information.”
“The other aspect this shows is the commoditisation of fraud attacks and how fraudsters have got to the stage where failures are treated as learning exercises rather than material setbacks,” he added. “This is due to the almost ubiquitous availability of compromised accounts, devices to emulate and phone numbers to receive two-factor SMS on, and a digital channel to test these combinations in. The industry needs to really think about the long-term threat that this ubiquity presents, but real-time response and insight will in effect be mandatory.”
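As an added illustration of the cross-layer correlation Renshaw describes (example code written for this page, not from IBM Trusteer, Feedzai or the article): a per-account device check is blind to a replayed genuine device ID, but a fraud layer that groups logins by the emulator's own network origin sees one source presenting far more device IDs than any real handset could. The event fields, the origin fingerprint, the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LoginEvent:
    ts: int            # seconds since epoch (constructed sample clock)
    origin: str        # assumed network-layer fingerprint (egress IP/TLS) shared by one emulator instance
    device_id: str     # device identifier presented by the banking app
    account: str       # customer account the login targets
    new_device: bool   # bank's per-account "first time on this phone" signal


def flag_emulator_farms(events, window_s=86400, max_devices=20):
    """Return {origin: peak_distinct_device_ids} for origins that presented more
    than max_devices distinct device IDs inside any window_s-second window.
    A real phone presents one ID per origin; a carrier NAT a handful; an emulator
    replaying stolen IDs across many compromised accounts presents hundreds."""
    by_origin = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_origin[e.origin].append(e)
    flagged = {}
    for origin, evs in by_origin.items():
        peak, start = 0, 0
        for end, ev in enumerate(evs):
            while ev.ts - evs[start].ts > window_s:   # slide the window forward
                start += 1
            peak = max(peak, len({e.device_id for e in evs[start:end + 1]}))
        if peak > max_devices:
            flagged[origin] = peak
    return flagged


def build_sample_events():
    """Constructed sample: one emulator cycling 30 stolen IDs, one home phone,
    one carrier NAT shared by five real customers."""
    events = [LoginEvent(1000 + i * 100, "emu-1", f"dev-{i:04d}", f"acct-{i:04d}", False)
              for i in range(30)]                       # note: replayed IDs are NOT "new devices"
    events += [LoginEvent(2000 + i * 600, "home-wifi", "dev-home", "acct-home", False)
               for i in range(5)]
    events += [LoginEvent(3000 + i * 50, "cgnat-1", f"dev-nat-{i}", f"acct-nat-{i}", i == 0)
               for i in range(5)]
    return events


if __name__ == "__main__":
    print(flag_emulator_farms(build_sample_events()))   # {'emu-1': 30}
```

The per-account `new_device` flag stays False for the emulator's logins because the attackers replayed the victims' real identifiers, which is exactly why the origin-level count has to be a separate layer.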