“Evil mobile emulator farms” used to steal millions from US and EU banks
IBM Trusteer researchers say they have uncovered a massive fraud operation that used a network of mobile device emulators to withdraw millions of dollars from online bank accounts within days.
The scale of the operation was unlike anything the researchers had seen before. In one case, the crooks used around 20 emulators to mimic more than 16,000 phones belonging to customers whose mobile bank accounts had been compromised. In a separate case, a single emulator spoofed more than 8,100 devices, as shown in the following figure:
The thieves then entered usernames and passwords into banking apps running on the emulators and initiated fraudulent money orders that were used to withdraw funds from the compromised accounts. Emulators are used by legitimate developers and researchers to test how apps run on different mobile devices.
To bypass the protections banks use to block such attacks, the crooks used device identifiers that matched each compromised account holder, along with fake GPS locations matching where the real device was known to be used. The device IDs were likely obtained from the owners' hacked devices, although in some cases the scammers appeared to the banks to be customers accessing their accounts from new phones. The attackers were also able to bypass multi-factor authentication by intercepting SMS messages.
"This mobile fraud operation managed to automate the process of accessing accounts, initiating a transaction, receiving and stealing a second factor (in this case SMS) and, in many cases, using these codes to complete illegal transactions," IBM Trusteer researchers Shachar Gritzman and Limor Kessem wrote in a post. "The data sources, scripts and custom applications created by the gang flowed into an automated process that enabled them to rob millions of dollars from every affected bank in a matter of days."
Every time the crooks successfully emptied an account, they retired the spoofed device that had accessed it and replaced it with a new one. The attackers also cycled through devices whenever one was rejected by a bank's anti-fraud system. Over time, IBM Trusteer saw the servers launch separate waves of the attack. Once one wave was finished, the attackers shut the process down, deleted traces of data and started a new one.
The researchers believe the bank accounts were compromised by either malware or phishing attacks. The IBM Trusteer report does not explain how the crooks managed to steal the SMS messages and device IDs. The affected banks were in the US and Europe.
In order to monitor the progress of operations in real time, the crooks intercepted communications between the counterfeit devices and the banks' application servers. The attackers also used logs and screenshots to track the process over time. As the operation progressed, researchers saw attack techniques evolve as the crooks learned from previous mistakes.
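The retire-and-replace churn described above leaves a signature a bank's fraud team can look for: a single source that presents many distinct device IDs in a short window, each used for exactly one session and never seen again. The following detection heuristic is an added example written for this article, not code from IBM Trusteer or any bank; the log format, field names and the session records are constructed, and the thresholds (5 devices in 30 minutes, 90% single-use) are assumptions to be tuned against real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of bank-app session records (not real telemetry):
# timestamp, source IP, device ID presented by the app, account, amount sent out.
SAMPLE_LOG = """\
2020-12-16T09:00:01 src=198.51.100.7 device=dev-a1 acct=acct-1001 out=900
2020-12-16T09:01:12 src=198.51.100.7 device=dev-a2 acct=acct-1002 out=1200
2020-12-16T09:02:30 src=198.51.100.7 device=dev-a3 acct=acct-1003 out=750
2020-12-16T09:03:45 src=198.51.100.7 device=dev-a4 acct=acct-1004 out=2000
2020-12-16T09:05:02 src=198.51.100.7 device=dev-a5 acct=acct-1005 out=1100
2020-12-16T09:00:10 src=203.0.113.5 device=dev-b1 acct=acct-2001 out=0
2020-12-16T09:04:00 src=203.0.113.5 device=dev-b1 acct=acct-2001 out=40
2020-12-16T09:08:30 src=203.0.113.5 device=dev-b2 acct=acct-2002 out=25
"""
LINE_RE = re.compile(r"(\S+) src=(\S+) device=(\S+) acct=(\S+) out=(\S+)")

def parse_log(text):
    """Parse log lines into (time, src, device, account, amount) tuples; skip malformed lines."""
    records = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts, src, dev, acct, out = m.groups()
        records.append((datetime.fromisoformat(ts), src, dev, acct, float(out)))
    return records

def flag_emulator_farms(records, window=timedelta(minutes=30), min_devices=5, min_single_use=0.9):
    """Return {src: summary} for sources presenting >= min_devices distinct device IDs
    inside `window`, where nearly every device appears in exactly one session and is
    then never seen again (the retire-and-replace churn described in the article)."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec[1]].append(rec)
    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r[0])
        sessions_per_device = defaultdict(int)
        for rec in recs:
            sessions_per_device[rec[2]] += 1
        single_use = sum(1 for n in sessions_per_device.values() if n == 1)
        peak = lo = 0  # sliding window: most distinct devices seen within any `window`
        for hi in range(len(recs)):
            while recs[hi][0] - recs[lo][0] > window:
                lo += 1
            peak = max(peak, len({r[2] for r in recs[lo:hi + 1]}))
        if peak >= min_devices and single_use / len(sessions_per_device) >= min_single_use:
            flagged[src] = {"devices": len(sessions_per_device),
                            "accounts": len({r[3] for r in recs}),
                            "total_out": sum(r[4] for r in recs)}
    return flagged
```

On the constructed sample only 198.51.100.7 is flagged; the office-style NAT at 203.0.113.5, which reuses a device across sessions, is not.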
Protection comes down to the usual security advice: use strong passwords, learn to recognize phishing scams, and guard against malware. It would be nice if banks offered multi-factor authentication over a medium other than SMS, but only a few financial institutions do. Individuals should check their bank statements at least once a month for fraudulent transactions.