Scammers stole millions using mobile emulators

Professional


The use of emulators allows cybercriminals to replace mobile devices tied to online banking systems and withdraw millions of dollars from victims' accounts in a matter of days. The identified fraud scheme is targeted at financial institutions in the United States and Western Europe.

Researchers from IBM particularly noted the scale of the fraudulent operations: there were cases when the performers of the scheme used more than 20 emulators to replace 16,000 mobile devices. During one of the attacks, its author, using a single emulator, was able to successfully simulate 8,000 smartphones and gain unauthorized access to thousands of RBS accounts.

According to observations, fraudsters repeatedly enter the same account, each time withdrawing a small amount - so as not to alert the bank's information security service. To spoof mobile devices, they use stolen identifiers (brand, OS version, IMEI, etc.) purchased from malware operators or phishers, and sometimes replace them with new ones to create the appearance of logging into an account from another device.

Bank account holders' credentials also appear to be purchased on the black market. Determining the value of a compromised account and launching a fraudulent transaction is most likely automated using special scripts. The emulators used by the fraudsters are also capable of spoofing the geolocation data of compromised devices and of connecting to accounts through a suitable VPN service.

Before using such a program, cybercriminals test it using legitimate tools. Downloading the data of the target device and linking the fake to the victim's account are done using a custom application. After that, the effectiveness of the spoofing is checked by the reaction of the target bank client to the connection.

To protect their farm from detection, the operators organized the rotation of used devices. Blocking any of them immediately entails replacement.

"Using automation, scripting, and possibly access to a botnet on mobile malware or phishing results, attackers armed with victim logins and passwords initiate and complete many fraudulent transactions," the researchers write. "With a series of attacks, they wind up operations, cover their tracks and prepare for the next volley."

Notably, this fraudulent scheme allows any application that provides online access to be attacked anywhere in the world. And fraudulent transactions are successfully carried out even when confirmation requires entering a code sent by the bank via SMS or e-mail.

The researchers also found a specialized service for banking fraudsters on the darknet that offers a similar spoofing service with a paid subscription.
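The three access patterns the post describes (one emulator identity serving many accounts, an account "visited" from a rotating set of device identifiers, and many small withdrawals that stay under an alert threshold) are all visible in ordinary login and transaction logs. The script below is an added defender-side example, not code from the post or from IBM's report: it runs over constructed log lines in an invented `key=value` format, and the thresholds (three accounts per device, three devices per account, three withdrawals of at most 200 within 24 hours) are assumptions chosen for the sample, not values from the article.

```python
"""Added example (not from the original post or IBM's report): flag the
emulator-farm access patterns the article describes in constructed log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; account numbers and device IDs are invented.
# Format (assumed): "<ISO timestamp> acct=<id> dev=<device id> action=<login|withdraw> amount=<n>"
SAMPLE_LOG = """\
2020-12-15T09:00:01 acct=1001 dev=IMEI-A1 action=login amount=0
2020-12-15T09:00:30 acct=1001 dev=IMEI-A1 action=withdraw amount=150
2020-12-15T11:10:00 acct=1001 dev=IMEI-B2 action=login amount=0
2020-12-15T11:10:20 acct=1001 dev=IMEI-B2 action=withdraw amount=180
2020-12-15T14:05:00 acct=1001 dev=IMEI-C3 action=login amount=0
2020-12-15T14:05:25 acct=1001 dev=IMEI-C3 action=withdraw amount=120
2020-12-15T09:30:00 acct=2002 dev=IMEI-A1 action=login amount=0
2020-12-15T09:45:00 acct=3003 dev=IMEI-A1 action=login amount=0
2020-12-15T10:00:00 acct=4004 dev=IMEI-A1 action=login amount=0
2020-12-15T12:00:00 acct=5005 dev=IMEI-Z9 action=login amount=0
2020-12-15T12:01:00 acct=5005 dev=IMEI-Z9 action=withdraw amount=900
"""


def parse_event(line):
    """Turn one 'key=value' log line into a dict with typed timestamp and amount."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    ev["amount"] = float(ev["amount"])
    return ev


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def shared_device_accounts(events, min_accounts=3):
    """One device identity logging into many accounts: a single emulator
    profile reused across victims rather than a real customer's phone."""
    by_dev = defaultdict(set)
    for ev in events:
        by_dev[ev["dev"]].add(ev["acct"])
    return {d: sorted(a) for d, a in by_dev.items() if len(a) >= min_accounts}


def device_churn(events, window=timedelta(hours=24), min_devices=3):
    """Accounts whose logins come from >= min_devices distinct device IDs
    inside one window: the 'new device each time' rotation described above."""
    by_acct = defaultdict(list)
    for ev in events:
        if ev["action"] == "login":
            by_acct[ev["acct"]].append((ev["ts"], ev["dev"]))
    flagged = {}
    for acct, logins in by_acct.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            devs = {d for t, d in logins[i:] if t - start <= window}
            if len(devs) >= min_devices:
                flagged[acct] = sorted(devs)
                break
    return flagged


def small_withdrawal_bursts(events, window=timedelta(hours=24),
                            max_amount=200.0, min_count=3):
    """Accounts with >= min_count withdrawals, each <= max_amount, inside one
    window: many small debits that individually stay under an alert threshold."""
    by_acct = defaultdict(list)
    for ev in events:
        if ev["action"] == "withdraw" and ev["amount"] <= max_amount:
            by_acct[ev["acct"]].append((ev["ts"], ev["amount"]))
    flagged = {}
    for acct, ws in by_acct.items():
        ws.sort()
        for i, (start, _) in enumerate(ws):
            burst = [a for t, a in ws[i:] if t - start <= window]
            if len(burst) >= min_count:
                flagged[acct] = {"count": len(burst), "total": sum(burst)}
                break
    return flagged


def triage(log_text):
    """Run all three detectors over a log and return their findings by name."""
    events = parse_log(log_text)
    return {
        "shared_devices": shared_device_accounts(events),
        "device_churn": device_churn(events),
        "small_withdrawal_bursts": small_withdrawal_bursts(events),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(name, hits)
```

On the sample, device `IMEI-A1` is flagged for serving four accounts, account `1001` is flagged both for three distinct devices in a day and for three sub-threshold withdrawals, while account `5005` (one device, one large withdrawal) trips nothing. Each detector answers a different question, so in practice the strongest signal is an account that appears in more than one result; an SMS or e-mail code being entered correctly does not clear any of these findings, since the article notes the scheme completes such confirmations.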