Attackers set up a network of mobile emulators capable of spoofing devices of real banking customers from the United States and Europe, according to an investigation from IBM Trusteer.
The process of stealing someone’s banking information is not easy, but setting up a system in which attackers use that data in an automated way, permitting them to hit thousands of targets in the course of a few days, is not so common.
The automation process is possible with the help of mobile emulators that act like the real devices. After attackers get their hands on valid customer accounts, in conjunction with compromised devices, they spoof real devices and steal a lot of money in a very short amount of time.
“The scale of this operation is one that has never been seen before, in some cases, over 20 emulators were used in the spoofing of well over 16,000 compromised devices,” said IBM. “The attackers use these emulators to repeatedly access thousands of customer accounts and end up stealing millions of dollars in a matter of just a few days in each case. After one spree, the attackers shut down the operation, wipe traces, and prepare for the next attack.”
To carry out an attack of this magnitude, attackers need a lot of information, usually including the account holders’ usernames and passwords, access to mobile identifiers, and SMS message contents (to bypass two-factor authentication.) These last two conditions imply that spoofed mobile devices are already infected with malware.
Even if the compromised device and the emulator are in different countries, the software could spoof the GPS location.
“When a compromised device operated from a specific country, the emulator spoofed the GPS location. From there, it connected to the account through a matching virtual private network (VPN) service,” IBM also said.
The operation lasted only a few days, then the attackers closed shop and erased all traces. Security researchers say they are likely ramping up for another campaign, so they issued a warning to financial institutions to protect their customers’ information better and implement security solutions to deter this type of fraud.
Customers are not without obligations in this situation. They should be wary of unsolicited SMS messages, never install apps from unknown sources, regularly check banking statements to spot anomalies and use security solutions on mobile devices.