Massive Fraud Operation Facilitated By Evil Mobile Emulator Steals Millions From Banks

Threat actors behind an ongoing worldwide mobile banking fraud campaign were able to steal millions from multiple US and EU banks, needing just a few days for each attack. To do so, the attackers used huge emulator farms that let them access thousands of hacked accounts (compromised earlier through phishing or malware) from spoofed mobile devices. While emulators are not malicious tools in themselves, the group behind this campaign used them either to emulate the victims' compromised devices or to present what looked like new devices that the compromised accounts' owners had just picked up.

Expert Comments

December 18, 2020
Tom Davison
EMEA Technical Director
Lookout
This attack demonstrates the extraordinary lengths that today's well-funded and professional cybercriminal groups will go to when the end justifies the means. Mobile devices present a multiplier effect as they become the mainstream platform for online banking. Consumer users need to protect themselves by understanding that mobile devices are not immune. It really is important to keep them updated, but also to verify the safety of installed apps and the validity of links being clicked. Most attacks start with phishing and at Lookout, we saw a 37% jump in mobile phishing in Q1-2020 alone. Mobile security is needed to mitigate that. For the banks, the challenge comes from the huge range of devices being used to access their services which are not under their control. These may be insecure or already compromised. Customer education helps, but it is also critical to employ run-time application security to spot infected customer devices and block the opportunity for fraud.
December 18, 2020
Craig Young
Principal Security Researcher
Tripwire
While there are various things consumers can do to reduce their likelihood of becoming a victim of such attacks, financial institutions themselves seem to be in a much better position to combat this and other fraud schemes. The banks themselves are the ones with the data to see the big picture and recognize fraudulent activity. Migrating customers to better forms of 2FA is a great starting point, but the authentication methods need to evolve faster and become better at recognizing suspicious behaviors. For example, the attackers in this case were using VPN providers as a relay to have an appropriate IP geography for their emulators. The use of regional IPs to fly under the radar was a smart move by the attackers, but the bank should not have had any difficulty recognizing that users who had never used VPN services before were suddenly logging in from them. Rather than simply monitoring for suspicious IP address locations, they should have been tracking what networks (AS) the clients logged in from. I think the area where we will see the most rapid improvements on this front is with machine learning algorithms capable of being trained to distinguish fraudulent sessions from legitimate ones using a dizzying array of data points. These systems can look at subtle behavioral aspects of a session and intervene to put the brakes on any suspicious-looking transactions before any funds are transferred.
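One way to implement the network-level check described in the comment above, as an added Python example that is not part of the original page or the commenter's own work: each login is scored against that user's own history of ASNs and device ids rather than against IP geography, so a VPN exit in the victim's country no longer looks "normal". The ASNs, the VPN/hosting list and the login events are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events (user, ASN, country, device_id); not data from the article.
# ASNs 64496-64498 come from the RFC 5398 documentation range, so they name no real network.
SAMPLE_LOGINS = [
    ("alice", 64496, "US", "phone-a1"),   # alice's usual home ISP
    ("alice", 64496, "US", "phone-a1"),
    ("alice", 64498, "US", "phone-new"),  # same country, but a VPN exit and an unseen device
    ("bob", 64497, "DE", "phone-b1"),
    ("bob", 64497, "DE", "phone-b1"),
    ("bob", 64497, "DE", "phone-b2"),     # new device only, same network: low score
]

# Constructed lookup of ASNs belonging to VPN / hosting providers (in practice an ASN feed).
VPN_ASNS = {64498}


def score_logins(events, vpn_asns, threshold=2):
    """Score each login against the user's own history of networks and devices.

    Geography is deliberately not a signal: an attacker relaying through a VPN
    exit in the victim's country passes a geo check. The baseline is instead the
    set of ASNs and device ids each user has previously logged in from.
    Returns a list of (event_index, user, reasons) for logins reaching threshold.
    """
    seen_asns = defaultdict(set)
    seen_devices = defaultdict(set)
    alerts = []
    for idx, (user, asn, _country, device) in enumerate(events):
        reasons = []
        if user in seen_asns:  # a user's first-ever login only seeds the baseline
            if asn not in seen_asns[user]:
                reasons.append("asn_never_used_by_user")
            if asn in vpn_asns:
                reasons.append("vpn_or_hosting_asn")
            if device not in seen_devices[user]:
                reasons.append("unseen_device")
        if len(reasons) >= threshold:
            alerts.append((idx, user, reasons))
        seen_asns[user].add(asn)
        seen_devices[user].add(device)
    return alerts


if __name__ == "__main__":
    for idx, user, reasons in score_logins(SAMPLE_LOGINS, VPN_ASNS):
        print(f"login #{idx} by {user}: require step-up auth, reasons={reasons}")
```

Only alice's third login crosses the threshold; bob's new phone on his usual network scores a single point and is left alone, which is the kind of false positive a pure "new device" rule would raise.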
