Device Emulators Used in Major Mobile Banking Fraud Operation

Summary

IBM Security Trusteer’s researchers discovered an organized mobile banking fraud operation targeting US and European financial institutions and stealing millions of dollars, with each attack only taking days to execute. Despite the intercepted operations, fraud-as-a-service offerings on underground markets may launch similar attacks and target other countries or territories. Any application, especially those for financial institutions, are potentially at risk where transactions are approved via SMS code, voice call, or email message. The threat actors leveraged compromised credentials, device identifiers and data gathered via compromised mobile devices, and SMS message contents. Using this information, they employed automation to target specific applications, network interception scripts to communicate with the targeted application’s API to evade detection, and possibly mobile malware botnets or phishing logs to initiate and complete fraudulent transactions. After one attack, the threat actors shut down operations, wiped traces, and prepared for the next attack. Over 20 virtual mobile device emulators were leveraged in the attacks to maliciously spoof over 16,000 compromised mobile devices rapidly and at scale.

Recommendations

The NJCCIC recommends users exercise caution with unsolicited communications, keep systems and apps up to date, obtain apps from legitimate developers/companies through official app stores, and monitor and report suspicious account activity. Further technical details can be found in the IBM Security Intelligence post.