Mass fraud campaign makes millions disappear from online bank accounts

Investigators uncovered a massive fraud campaign in which millions of dollars were drained from victims' online bank accounts. The operation was discovered by experts from IBM Trusteer, the IT giant's security division, who described the attack as unprecedented in scale. To access the accounts, the scammers allegedly used software called a mobile emulator, which creates a virtual clone of a smartphone. In this case, thousands of these emulated devices were used to infiltrate online bank accounts that had already been compromised in previous malware and phishing attacks. Using GPS and VPN techniques and spoofing the device IDs attached to each account, the hackers bypassed the protections and were able to execute orders that embezzled funds from the accounts.

Online banking fraud

Mobile emulation apps have a variety of legitimate use cases, primarily in app development and penetration testing, but they can also be abused by cybercriminals. In this case, an extensive network of emulators was used to execute large-scale financial fraud. “In some cases, more than 20 emulators were used in the spoofing of more than 16,000 compromised devices. Attackers use these emulators to repeatedly access thousands of customer accounts and end up stealing millions of dollars in a matter of days,” wrote Shachar Gritzman and Limor Kessman, Trusteer researchers.

According to the pair, the attackers were careful to keep operations below amounts that could trigger further investigation, and after completing the attack, they were careful to cover their tracks. “Every time a device was used by the system during a successful transfer, it was 'recycled' and replaced by another unused device. The same thing happened when financial institutions blocked a device,” the researchers added.

Although there is little that people can do to protect themselves against mobile emulation attacks of this sophistication, the theft of funds could not have occurred if the accounts had not been compromised beforehand. So using a password manager to generate strong, unique passwords and being careful when opening files sent via email will at least help protect mobile users.