A Massive Fraud Operation Stole Millions From Online Bank Accounts
IBM researchers claim that they have uncovered a widespread automated fraud operation that leveraged a network of mobile device emulators to steal millions of dollars from targeted bank accounts in just days. The scale of the operation is unprecedented. According to IBM, the cybercriminals behind the campaign used roughly 20 emulators to mimic more than 16,000 phones belonging to customers whose mobile bank account passwords had been compromised. In another case, one emulator spoofed more than 8,100 devices to access bank accounts and steal money.
The cybercriminals were then able to enter stolen usernames and passwords into apps running on the emulators, conducting fraudulent money orders that took funds out of the targeted accounts. Emulators are often used by legitimate developers to test how their apps behave on a variety of different mobile devices to ensure that the user interface is effective. The massive fraud campaign is telling in that it shows the expanding capabilities of cybercriminals. The relatively new technique proved to be successful in draining money from accounts and will likely be seen again in instances where two-factor authentication is not implemented.