Threat actors behind an ongoing worldwide mobile banking fraud campaign were able to steal millions from multiple US and EU banks, needing just a few days for each attack. To do that, the attackers used huge emulator farms that helped them access thousands of hacked accounts (compromised after phishing or malware attacks) using spoofed mobile devices. While emulators are not malicious tools, the group behind this campaign used them for malicious purposes, emulating compromised devices or setting up what looked like new devices picked up by the compromised accounts’ owners.
This attack demonstrates the extraordinary lengths that today’s well-funded and professional cybercriminal groups will go to when the end justifies the means.
Mobile devices present a multiplier effect as they become the mainstream platform for online banking. Consumer users need to protect themselves by understanding that mobile devices are not immune. It really is important to keep them updated, but also to verify the safety of installed apps and the validity of links being clicked. Most attacks start with phishing and at Lookout, we saw a 37% jump in mobile phishing in Q1-2020 alone. Mobile security is needed to mitigate that.
For the banks, the challenge comes from the huge range of devices being used to access their services which are not under their control. These may be insecure or already compromised. Customer education helps, but it is also critical to employ run-time application security to spot infected customer devices and block the opportunity for fraud.
While there are various things consumers can do to reduce their likelihood of becoming a victim of such attacks, financial institutions themselves seem to be in a much better position to combat this and other fraud schemes.
The banks themselves are the ones with the data to see the big picture and recognize fraudulent activity. Migrating customers to better forms of 2FA is a great starting point, but the authentication methods need to evolve faster and become better at recognizing suspicious behaviors. For example, the attackers in this case were using VPN providers as a relay to have an appropriate IP geography for their emulators. The use of regional IPs to fly under the radar was a smart move by the attackers, but the bank should not have had any difficulty recognizing that users who had never used VPN services before were suddenly logging in from them. Rather than simply monitoring for suspicious IP address locations, they should have been tracking what networks (AS) the clients logged in from.
I think the area where we will see the most rapid improvements on this front is with machine learning algorithms capable of being trained to distinguish fraudulent sessions from legitimate ones using a dizzying array of data points. These systems can look at subtle behavioral aspects of a session and intervene to put the brakes on any suspicious-looking transactions before any funds are transferred.
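The detection idea in the quote above, tracking the autonomous system a customer logs in from rather than only the IP geography, written out as an added example (not code from the article or from any bank). All ASNs, users and login events are constructed; the VPN ASN list stands in for a threat-intel feed.

```python
# Flag bank logins arriving from a VPN/hosting autonomous system (AS) the user
# has never used, instead of checking IP geography alone. Every ASN, user and
# event below is a constructed sample.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Login:
    user: str
    country: str  # geo-IP country of the client address
    asn: int      # autonomous system number of the client address

# Constructed: ASNs a bank's threat-intel feed labels as commercial VPN or
# hosting providers (private-use ASN range, standing in for real ones).
VPN_ASNS = {64512, 64513}

# Constructed history: alice and bob normally log in from their home ISPs
# (ASN 64700 and 64701), both geolocated to the US.
HISTORY = [
    Login("alice", "US", 64700), Login("alice", "US", 64700),
    Login("bob", "US", 64701), Login("bob", "US", 64701),
]

# Constructed new sessions: alice from a US-exit VPN (geography looks normal),
# bob from his usual ISP, carol with no history from a foreign hosting ASN.
NEW_SESSIONS = [Login("alice", "US", 64512), Login("bob", "US", 64701),
                Login("carol", "DE", 64513)]

def build_baseline(history):
    """Per-user set of (country, asn) pairs observed in the history window."""
    seen = defaultdict(set)
    for login in history:
        seen[login.user].add((login.country, login.asn))
    return seen

def geo_only_alerts(baseline, sessions):
    """The weaker check the quote criticises: alert only on an unseen country."""
    return [s.user for s in sessions
            if s.country not in {c for c, _ in baseline.get(s.user, ())}]

def asn_alerts(baseline, sessions, vpn_asns=VPN_ASNS):
    """Alert when the origin AS is new for this user and is a VPN/hosting AS."""
    alerts = []
    for s in sessions:
        known_asns = {a for _, a in baseline.get(s.user, ())}
        if s.asn not in known_asns and s.asn in vpn_asns:
            alerts.append((s.user, s.asn))
    return alerts
```

On the constructed sessions, the geography-only check misses alice because her VPN exit is in the US, while the AS-based check flags both alice and carol.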