• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

The U.S. House banned WhatsApp on government devices due to security concerns

 | 

Russia-linked APT28 use Signal chats to target Ukraine official with malware

 | 

China-linked APT Salt Typhoon targets Canadian Telecom companies

 | 

U.S. warns of incoming cyber threats following Iran airstrikes

 | 

McLaren Health Care data breach impacted over 743,000 people

 | 

American steel giant Nucor confirms data breach in May attack

 | 

The financial impact of Marks & Spencer and Co-op cyberattacks could reach £440M

 | 

Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 50

 | 

Security Affairs newsletter Round 529 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Iran confirmed it shut down internet to protect the country against cyberattacks

 | 

Godfather Android trojan uses virtualization to hijack banking and crypto apps

 | 

Cloudflare blocked record-breaking 7.3 Tbps DDoS attack against a hosting provider

 | 

Linux flaws chain allows Root access across major distributions

 | 

A ransomware attack pushed the German napkin firm Fasana into insolvency

 | 

Researchers discovered the largest data breach ever, exposing 16 billion login credentials

 | 

China-linked group Salt Typhoon breached satellite firm Viasat

 | 

Iran experienced a near-total national internet blackout

 | 

Malicious Minecraft mods distributed by the Stargazers DaaS target Minecraft gamers

 | 

Healthcare services company Episource data breach impacts 5.4 Million people

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Mobile
  • A massive fraud operation used mobile device emulators to steal millions from online bank accounts

A massive fraud operation used mobile device emulators to steal millions from online bank accounts

Pierluigi Paganini December 20, 2020

Experts uncovered a massive fraud operation that used a network of mobile device emulators to steal millions of dollars from online bank accounts.

Researchers from IBM Trusteer have uncovered a massive fraud operation that leveraged a network of mobile device emulators to steal millions of dollars from online bank accounts in a few days.

The cybercriminals used about 20 mobile device emulators to mimic the phone of over 16,000 customers whose mobile bank accounts had been compromised.

According to the experts, this is one of the largest banking fraud operations ever seen, the hackers managed to steal millions of dollars from financial institutions in Europe and the US.

Experts also reported that in a single and separate case, cybercriminals spoofed 8,173 devices with a single emulator.

“This is the work of a professional and organized gang that uses an infrastructure of mobile device emulators to set up thousands of spoofed devices that accessed thousands of compromised accounts.” reads the report published by the researchers. “In each instance, a set of mobile device identifiers was used to spoof an actual account holder’s device, likely ones that were previously infected by malware or collected via phishing pages.”

The threat actors obtained login credentials for online bank accounts using a mobile malware botnet or scraping phishing logs, then used them to finalize fraudulent transactions at scale.

The threat actors entered usernames and passwords into banking apps running on the emulators and then made fraudulent transactions.

Crooks used the emulators to bypass security measures implemented by banks to detect fraudulent transactions. They used device identifiers corresponding to each compromised account holder and spoofed GPS locations previously associated with the device. The attackers have obtained the device IDs from the infected devices were also able to bypass multi-factor authentication by accessing SMS messages.

The hackers developed an application for feeding the emulators with device specifications that were picked up automatically from a database of compromised device logs, providing speed and accuracy of all parameters to the emulator (i.e. brand, OS version, IMEI, and bootloader).

“Additionally, the automation matched the device with the account holder’s username and password for access to their bank account.” continues the analsysis.

“When a compromised device operated from a specific country, the emulator spoofed the GPS location. From there, it connected to the account through a matching virtual private network (VPN) service. The attackers used a mix of legitimate tools available publicly (used mostly in testing) and customized applications likely created for the operation.”

fraud operation

The crooks managed to automate the process of accessing accounts, starting the transaction, capturing the OTP code sent via SMS, finalize the illicit transactions.

IBM researchers pointed out that crooks would retire the spoofed device that was involved in a successful transaction, and replace it with a new device. The attackers also cycled through devices when they were rejected by the anti-fraud systems used by the banks.

The threat actors behind this fraud operation intercepted communications between the spoofed devices and the banks’ application servers to monitor the progress of operations in real-time.

“It is likely that those behind it are an organized group with access to skilled technical developers of mobile malware and those versed in fraud and money laundering. These types of characteristics are typical for gangs from the desktop malware realms, such as those operating TrickBot or the gang known as Evil Corp.” concludes IBM Trusteer.

“In subsequent attacks using the same tactics, we were able to see evolution and lessons learned when the attackers evidently fixed errors from past attacks. This is indicative of an ongoing operation that is perfecting the process of mobile banking fraud.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, fraud operation)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

banking fraud operation mobile

you might also like

Pierluigi Paganini June 24, 2025
The U.S. House banned WhatsApp on government devices due to security concerns
Read more
Pierluigi Paganini June 24, 2025
Russia-linked APT28 use Signal chats to target Ukraine official with malware
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    The U.S. House banned WhatsApp on government devices due to security concerns

    Mobile / June 24, 2025

    Russia-linked APT28 use Signal chats to target Ukraine official with malware

    APT / June 24, 2025

    China-linked APT Salt Typhoon targets Canadian Telecom companies

    APT / June 24, 2025

    U.S. warns of incoming cyber threats following Iran airstrikes

    Cyber warfare / June 24, 2025

    McLaren Health Care data breach impacted over 743,000 people

    Data Breach / June 23, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT