Banks lose millions of dollars in mobile hack

IBM Security has discovered a major mobile banking fraud operation that managed to “steal millions of dollars” from financial institutions in Europe and the US “within a matter of days”.

IBM Security's Trusteer mobile security research team said that the attacks have now been intercepted and halted.

They added: “This was the work of a professional and organised gang that used mobile device emulators to set up thousands of spoofed devices that accessed thousands of compromised accounts.”

Mobile emulators are legitimate software used for virtualisation needs.

An emulator can mimic the characteristics of a variety of mobile devices without the need to purchase them, and is typically used by developers to test applications and features on a wide array of device types.

In each attack instance, a set of mobile device identifiers was used to spoof an actual account holder’s device; the identifiers likely came from devices that were previously infected by malware, or were collected via phishing pages.

Using automation, scripting and potentially access to a mobile malware botnet or phishing logs, the attackers, who had the victims' usernames and passwords, initiated and finalised fraudulent transactions “at scale.”

They automated large numbers of fraudulent money transfers, taking care to keep each one below the amounts that would trigger further review by the banks.

“The scale of this operation is one that has never been seen before; in some cases, over 20 emulators were used in the spoofing of well over 16,000 compromised devices,” said Shachar Gritzman, a mobile malware researcher at IBM Security's Trusteer.

“The attackers used these emulators to repeatedly access thousands of customer accounts and ended up stealing millions of dollars in a matter of just a few days in each case.”

After each spree, he said, the attackers shut down the operation, wiped traces and prepared for the next attack.

Gritzman added: “Given the size and scale of this attack, we published details of it to urgently raise awareness to the sophistication of the campaign, and to help financial institutions prepare for potential similar attacks on their customer base.”
