![]() Customized network interception scripts that communicated with the targeted application’s API.A set of virtual mobile emulators, dozens in each case, to amplify the ability to spoof a larger number of devices and cycle through new ones rapidly and at scale.A customized automation environment tailored to targeted applications and the logical flow of events to approve transactions.Some ability to obtain SMS message contents.Access to device identifiers and data likely gathered via compromised mobile devices.Access to account holders’ usernames and passwords.Looking at the overall infrastructure, or anatomy of the attacks, shows that the attackers based their schemes on a few major components: ![]() This is applicable even where transactions are approved with a code sent via SMS, and potentially also voice calls, or an email message. It’s of note that the emulator attacks we analyzed have the potential to work on any application that offers online access to customers, especially financial institutions, anywhere in the world. In this case, they were leveraged in an attack and used maliciously to spoof compromised mobile devices. An emulator can mimic the characteristics of a variety of mobile devices without the need to purchase them and is typically used by developers to test applications and features on a wide array of device types. Mobile emulators are inherently legitimate software used for virtualization needs. This post goes into further detail about what we found and how to mitigate risk from such coordinated and customized attacks. Given the size and scale of this attack, we are publishing this blog to urgently raise awareness to the sophistication of the campaign, and to help financial institutions prepare for potential similar attacks on their customer base. After one spree, the attackers shut down the operation, wipe traces, and prepare for the next attack. The attackers use these emulators to repeatedly access thousands of customer accounts and end up stealing millions of dollars in a matter of just a few days in each case. ![]() The scale of this operation is one that has never been seen before, in some cases, over 20 emulators were used in the spoofing of well over 16,000 compromised devices. In this automatic process, they are likely able to script the assessment of account balances of the compromised users and automate large numbers of fraudulent money transfers being careful to keep them under amounts that trigger further review by the bank. Using automation, scripting, and potentially access to a mobile malware botnet or phishing logs, the attackers, who have the victim’s username and password, initiate and finalize fraudulent transactions at scale. In each instance, a set of mobile device identifiers was used to spoof an actual account holder’s device, likely ones that were previously infected by malware or collected via phishing pages. This is the work of a professional and organized gang that uses an infrastructure of mobile device emulators to set up thousands of spoofed devices that accessed thousands of compromised accounts. ![]() IBM Security Trusteer’s mobile security research team has recently discovered a major mobile banking fraud operation that managed to steal millions of dollars from financial institutions in Europe and the US within a matter of days in each attack before being intercepted and halted. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |