The Almighty Buck Crime Privacy Security

'Evil Mobile Emulator Farms' Used To Steal Millions From US and EU Banks (arstechnica.com) 59

An anonymous reader quotes a report from Ars Technica: Researchers from IBM Trusteer say they've uncovered a massive fraud operation that used a network of mobile device emulators to drain millions of dollars from online bank accounts in a matter of days. The scale of the operation was unlike anything the researchers have seen before. In one case, crooks used about 20 emulators to mimic more than 16,000 phones belonging to customers whose mobile bank accounts had been compromised. In a separate case, a single emulator was able to spoof more than 8,100 devices.

The thieves then entered usernames and passwords into banking apps running on the emulators and initiated fraudulent money orders that siphoned funds out of the compromised accounts. Emulators are used by legitimate developers and researchers to test how apps run on a variety of different mobile devices. To bypass protections banks use to block such attacks, the crooks used device identifiers corresponding to each compromised account holder and spoofed GPS locations the device was known to use. The device IDs were likely obtained from the holders' hacked devices, although in some cases, the fraudsters gave the appearance they were customers who were accessing their accounts from new phones. The attackers were also able to bypass multi-factor authentication by accessing SMS messages.

This discussion has been archived. No new comments can be posted.

  • by olsmeister ( 1488789 ) on Thursday December 17, 2020 @06:14PM (#60842884)
    It's a horrible idea, and you're asking for trouble if you do. Never install an app from your bank on your phone.
    • by JaredOfEuropa ( 526365 ) on Thursday December 17, 2020 @06:26PM (#60842942) Journal
      It's not much worse than banking on a PC. The main thing is: have proper 2FA. And I wish banks would finally learn that SMS is not secure enough for 2FA. One of my banks uses SMS, the other one uses an offline device that accepts my debit card; the chip on the card handles a challenge / response after entering the PIN on the device.
      • by xwin ( 848234 ) on Thursday December 17, 2020 @07:44PM (#60843214)
        It is much worse on the phone than on the PC. I can see all processes running on my PC. I can examine the certificate that the bank website uses to communicate with my browser on the PC. On the phone it is very hard to do any of these things. I use a password manager with long passwords on the PC so I don't have to remember them. I tried password managers on the phone and they are a pain to use. I also can't easily lose my PC, unlike my phone. Of course there are people whose computers are infested with malware, but their phones are the same way. If you have a little common sense and run antivirus and an adblocker on the PC, it is quite hard to infect. My 15-year-old has been using a PC since she was very young and never had any viruses or malware. You just teach them not to click on every link that they see. The PC, while being an open environment, is much easier to secure than the phone. You have no control over what is running on your phone - operators send all kinds of garbage all the time. As for the second factor, very few banks use an acceptable second factor. Most use SMS, which is proven not to be secure. If you are forced to use SMS, do yourself a favor and use Google Voice for this. At least you can secure a Google account with a good second factor. It is also impossible to hijack the SIM from your Google Voice account.
        • It is much worse on the phone than on the PC.

          All your reasons, plus the PC actually gets turned off from time to time, while the phone never does. The phone is a 24/7 attack surface where the attacker doesn't have to bother surviving a reboot.

          • by rtb61 ( 674572 )

            They have video cameras, so it's all too easy: the bank should call the customer and ask them to look at their phone as they type in the password. Compressed video taken and tied to the password and checked by the bank's AI as being the person, alive, in motion and saying whatever they have been told to say, as in ask a question and wait for the verbal response. The same could be done for phone credit purchases, simply verify the identity of the person using that phone. Install app, attempt to make transaction and the b

            • by AmiMoJo ( 196126 )

              I've seen banks do that. Large transaction was queried when I sold my car, they used the app to do a video chat and confirm some details.

        • by AmiMoJo ( 196126 )

          How will seeing all running processes on your PC reveal the fact that your browser is running malware?

          Anyway, that's not an option for most people, they don't know what a process is. For them a phone is the safest environment. Protected with biometrics, Android provides an API for verifying the integrity of the OS and built-in anti-malware, as well as heavy sandboxing and secure storage by default.

          In fact it's rare for the phone to get hacked in a way that affects banking, far more common is for someone to

          • by MrL0G1C ( 867445 )

            Protected with biometrics, Android provides an API

            And has that stopped malicious apps from regularly appearing on the app store? No. Biometrics are beside the point here because the phones are clones running on a PC, and unlocking a phone screen is not very relevant as far as I know.

            I wouldn't touch phone banking with a barge pole.

            And I do understand how knowing processes can alert one to some malware, although my guess is that some malware can hide in various ways such as pretending to be a driver etc. H

      • by NotEmmanuelGoldstein ( 6423622 ) on Thursday December 17, 2020 @08:03PM (#60843262)

        ... have proper 2FA.

        Phone apps have 2FA: You have the phone holding the app, don't you? Well, until you don't: Your phone is physically stolen or digitally stolen via a GPS/IMEI emulator.

        It's worse: You have 2FA until you don't, too. A lot of apps demand to be always on. This is using geolocation data to 'check' the right person has the authentication device (phone) instead of demanding a password. (No longer a 2FA protocol.) It means that a freshly stolen phone is vulnerable to attack: No password required, police and cyber-criminals love that 'authentication'.

        That's why on-phone apps are bad news.

        • Yeah. I have an app that triggers to verify banking I do on the PC. That seems safe. Not sure what it can do on its own, or how that would _ever_ be 2FA.

          • ... be 2FA.

            Your app is the 2nd factor, which is good. Putting the password and 2nd factor on the one device, which is what I described, is like putting your EFTPOS PIN on your credit card.

      • If your "second" factor is SMS, email, or authentication app, and any of that is on your phone - the phone is still a single point of failure.

        • by Kisai ( 213879 )

          If 2FA is an app on your phone AND you use the same phone, it's going to be a problem. The other side of this problem is that most banking apps expire the sessions too quickly to make the app's 2FA anything but infuriating.

          The strategy that would probably solve this would be to have a biometric token that the bank holds that only the device it was made on can understand.


    • Doesn't help (Score:5, Informative)

      by WoodstockJeff ( 568111 ) on Thursday December 17, 2020 @06:27PM (#60842946) Homepage

      I used to have zero banking tied to my phone. That didn't stop someone from accessing one of my accounts through information they'd stolen from a vendor. They were able to set up mobile banking and switch control away from me, because there wasn't any previous mobile banking.

      Prior to the incident, I'd been in the bank to make a payment. "Oh, you can do that through the mobile app!"

      After I explained that, if someone stole my phone, how would they authenticate it was me? "We'd send a text message to notify you of the activity."

      "And where would that text message go?"

      "Oh."

      Banks are anxious to have people on MB, and claim it is more secure. Proof that it isn't doesn't matter.

      • If you don't have your main phone fingerprint-secured (or passworded) and encrypted, you are doing it wrong. Also, try to insert your SIM card (if any) into another phone. If a PIN prompt doesn't appear, you are also doing it wrong.
        • by aberglas ( 991072 ) on Thursday December 17, 2020 @08:35PM (#60843350)

          That never leaves the phone. Bank then gets things signed by it.

          Means that simulators will definitely not work. You would need to hack the actual phone and make it do the transaction.

          PC + SMS is safer than just phone because there are two somewhat independent things that need hacking. But the PC is dead as far as most people are concerned.

          The most idiotic thing is that banks (and other sites) ask you to send your password to them directly, rather than proof of possession. If they used the old digest authentication it would be safe against phishing ... if digest authentication was fixed.
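Added example (not from the thread, and not any bank's code) of the proof-of-possession idea in the post above: the server sends a one-time challenge and the phone answers with a MAC over that challenge plus the exact transaction, so the secret itself is never transmitted. The per-device secret here is a symmetric HMAC key as a stand-in for the hardware-backed signing key the post describes; the class names, the device id `phone-A` and the transaction are constructed for the demo.

```python
"""Challenge/response proof of possession for a banking transaction.

Constructed demo. Stand-in for a hardware-backed key: a symmetric HMAC key
held by the phone (a real deployment keeps an asymmetric key in the phone's
keystore and verifies a signature; the protocol shape is the same).
"""
import hashlib
import hmac
import json
import secrets


def _mac(key, nonce, tx):
    # Bind the proof to the server's nonce AND the exact transaction details,
    # so a captured proof cannot be replayed or attached to a different transfer.
    msg = nonce.encode() + b"\n" + json.dumps(tx, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class BankServer:
    def __init__(self):
        self._device_keys = {}   # device_id -> key, provisioned at enrolment
        self._pending = {}       # nonce -> device_id; each nonce is single-use

    def enrol(self, device_id, key):
        self._device_keys[device_id] = key

    def challenge(self, device_id):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = device_id
        return nonce

    def submit(self, device_id, nonce, tx, proof):
        # Unknown or already-consumed nonce: reject (covers replay).
        if self._pending.get(nonce) != device_id:
            return False
        del self._pending[nonce]
        expected = _mac(self._device_keys[device_id], nonce, tx)
        return hmac.compare_digest(expected, proof)


class PhoneApp:
    """Holds the device secret and only ever emits a MAC, never the secret."""

    def __init__(self, device_id, key):
        self.device_id = device_id
        self._key = key

    def approve(self, nonce, tx):
        return _mac(self._key, nonce, tx)


def demo():
    key = secrets.token_bytes(32)
    bank, phone = BankServer(), PhoneApp("phone-A", key)
    bank.enrol("phone-A", key)
    tx = {"to": "ACCT-CONSTRUCTED-1", "amount": 120.00}   # constructed sample

    results = {}
    n = bank.challenge("phone-A")
    proof = phone.approve(n, tx)
    results["genuine"] = bank.submit("phone-A", n, tx, proof)
    # Same proof sent again: nonce already consumed.
    results["replay"] = bank.submit("phone-A", n, tx, proof)
    # Captured proof attached to a changed amount under a fresh nonce.
    n2 = bank.challenge("phone-A")
    results["tampered"] = bank.submit("phone-A", n2, dict(tx, amount=9000.00), proof)
    # Emulator that knows the account password but not the device key.
    n3 = bank.challenge("phone-A")
    emulator = PhoneApp("phone-A", secrets.token_bytes(32))
    results["emulator_without_key"] = bank.submit("phone-A", n3, tx, emulator.approve(n3, tx))
    return results


if __name__ == "__main__":
    print(demo())
```

The point the post makes shows up in the last case: an emulator farm that has the username and password still cannot produce a valid proof without the key bound to the enrolled device, and a proof phished from the real phone is useless once its nonce is spent or the transaction differs.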

          • by amorsen ( 7485 )

            SMS can be bypassed by organized crime. They pretend (to SS7) that the victim phone has roamed onto their network.

            Regular crooks go to a store and tell the staff that their phone was stolen, now they need a new SIM-card for their old number.

            Then there are all the phones with vulnerable radio chipsets and the ones that are infected with malware and the ones which are too "old" to get security updates.

      • I used to have zero banking tied to my phone. That didn't stop someone from accessing one of my accounts through information they'd stolen from a vendor.

        Remember, we users are browbeaten about our insecure habits, while retailers give out millions of people's information for free to the hackers. To me, it seems like the individual user as a target is a waste of time. The hacked businesses are a victim-rich environment.

      • by antdude ( 79039 )

        "And then?" after "Oh."

    • Here in Finland, most banks recommend using a mobile app. The usual web interface is still there, but it's a little cumbersome because of the SMS 2FA for every little thing (not just paying bills), and they say the mobile app will be much simpler to use. They've also shoved contactless payment down our throats.

      I've asked to disable the contactless payment feature in my card, though it's probably not really secure without some hardware hacking. I've also never owned a "smart"phone (I don't count the N900

      • I asked my bank to disable contactless payments on my card; they wouldn't, so I disabled it with a hole punch through the antenna.

    • by Misagon ( 1135 )

      Over here in Sweden, it is de facto compulsory.

      Not by parliamentary decision. The banks just decided to build it and require logins through it ... and the authorities came after -- because FOMO.
      Not only is the system tied to your bank account, it is also used for official business, to see your medical stats online and ask for a renewal on your prescriptions, to get unemployment benefits, etc. etc.
      The other day, there was a proposal to require for accessing pr0n sites, so that children wouldn't ...
      Which mean

    • by gweihir ( 88907 )

      It's a horrible idea, and you're asking for trouble if you do. Never install an app from your bank on your phone.

      All that completely misses the point. Mobile devices are not a problem. Bad or missing 2FA is the problem.

      • It's a horrible idea, and you're asking for trouble if you do. Never install an app from your bank on your phone.

        All that completely misses the point. Mobile devices are not a problem. Bad or missing 2FA is the problem.

        Even at that - millions of people's data is given away for free to hackers, and these bad guys have bypassed 2FA. I mean, I'm not a bad guy, but if I was, I would go after the low-hanging fruit like businesses.

    • by Kisai ( 213879 )

      Don't bank on Android devices, Period.

      All these banks have switched to mobile-first experiences, but they default to having no 2FA and only using the device-sided biometrics.

      And of course, they all look the same because they're likely using the same middleware.

    • ^^^^THIS

      I never put a banking app on my phone and my wife is absolutely prohibited from doing it either. It's like an open door to your bank account.

      If we're going to be robbed, it's going to be the old-fashioned way: by attorneys or guys in ski masks.

  • Next up, clueless politicians pushing laws to outlaw all emulators.

  • Inevitable (Score:3, Informative)

    by StormReaver ( 59959 ) on Thursday December 17, 2020 @06:30PM (#60842956)

    This was inevitable. Using a mobile device for financial activity is profoundly stupid. Even stupider than using Windows for financial activity. Okay, maybe they are equally stupid.

    We know that ALL mobile devices are horrendously insecure, and defective by design. Most of us have been saying that for many years. I'm not sure who I think is more responsible: the victim who knowingly broadcasts their information to the thieves (and that's what you're doing when you use your mobile device), or the banks who encourage the victim to broadcast their information to the thieves by tailoring their websites for mobile use. Considering that the banks are supposed to have excellent domain knowledge about financial security, though, I think they should bear all of the responsibility.

    I get shivers down my spine just having a contact list on my phone, as I know that these proprietary blobs are siphoning that data to somewhere, and that's all I'm willing to have on my phone. Everything important is kept far, far away from them.

    • Why have one? Seriously, why have a mobile device at that point? If you're barely willing to have a contact list on your phone, why have one? Keep an old school Nokia 3310. Or get a phone that you flash a completely open-source, no Google BS, Security-focused ROM to and software that allows you to see everything that's going on on your phone. You wouldn't kneecap your computer because it had Windows on it, you'd turn it into a device with utility by being mindful of the platform you install, so why not do t
      • Keep an old school Nokia 3310.

        Nokia 3310s work on 3G, which is going away. AT&T has given their customers 2 years (1.5 now) to upgrade to a phone with at least 4G. Other mobile services have already cut off 3G service.

        I saw the article earlier today but can't find it, wherein inexpensive cars ($20K or below) are becoming more difficult to find due to a) manufacturers shifting to higher-profit SUVs and the like and b) all the crappy software and accessories built into cars.

        The same with

    • by gweihir ( 88907 )

      This was inevitable. Using a mobile device for financial activity is profoundly stupid.

      Nope. Using a mobile device for financial activity without a secure 2nd factor is profoundly stupid. With that 2nd factor it is perfectly fine.

    • There is no practical alternative if you actually need to do any amount of non-trivial banking. I unfortunately need to manage a couple dozen or so different bank accounts, across 6 institutions and for personal and two other organizations. ...And then there are the credit cards. Most of the accounts have almost nothing in them, but they each serve a purpose.

      What blows my mind though is the current rash of banks that have apps that will link to other bank’s credentials! What would otherwise be
  • by SuperKendall ( 25149 ) on Thursday December 17, 2020 @06:52PM (#60843040)

    I think it has to be noted here, these were ALL Android devices. There are also Apple simulators, but none were used and therefore would not have matched with Apple device IDs (if they had any).

    This is why I strongly recommend never to let a non-technical user buy an Android phone. There is a much higher chance that at some point that device will be compromised and then your password and account info scraped.

    While not impossible on iOS, you are a lot safer from such attacks.

    • by Luckyo ( 1726890 )

      On the other hand, iPhone hacking is far more valuable specifically because those are overwhelmingly high-value, low-tech-skill targets that are on the platform. Which is why such hacks are used for more than just grabbing a few million from a bank, a few hundred from each compromised account.

      And compromised in this case means a lot. Straight from the story, what these people had from the user's side to initiate the attack just to steal money below the bank's "stop transaction and double-check" limit:

      >Access to

      • as these are indeed luxury items held by mostly tech illiterate people.

        Is this true? iPhones that run the latest software are far cheaper than comparable Android phones. And most people I know with iPhones are techy. I hear SV techies all use iPhones.

        • by Luckyo ( 1726890 )

          Last time I checked, this was a common definition of iPhones, and why their exploits were considered particularly valuable both in white and black hat crowds.

          • I thought the exploits were more valuable because they were rarer. Certainly, I haven't noticed any correlation between education or wealth, nor seen any published. I've seen evidence that iPhone users are more willing to accept paid-for apps and less willing to accept ad-based apps.

            • by Luckyo ( 1726890 )

              >I thought the exploits were more valuable because they were rarer.

              A fairly popular myth, just like "Apple makes great products from an engineering perspective". All of this is based on marketing and status. MacBooks not having basic spill protection a decade after advanced spill protection was the norm in cheapo Chinese no-name laptops is a good example of reality, just like the fact that iPhone hacks are about as common as Android ones.

              • I mean, the hack-to-own prizes are much higher for iOS (where it's a technical challenge), the CVE has less than half the exploits for iOS than Android, and a 6-year-old Apple phone would have gotten a security push within a week of that exploit being discovered last week. So... yeah, iPhone exploits in general, and those that can be exploited in the wild in particular, are much rarer.

                MacBooks are not iPhones, and waterproofing is totally unrelated to device security.

                • by Luckyo ( 1726890 )

                  Hack-to-own prizes are far too low to give up high-value exploits. As I explained above, iPhone exploits are definitionally much higher value than Android exploits.

                  Put two and two together.

      • by Guppy ( 12314 )

        If you're an iPhone holder, you're more valuable than just skimming you for a couple of hundred bucks, as these are indeed luxury items held by mostly tech-illiterate people. And a lot of high-value targets (politicians, CEOs, high-level bureaucrats) have them as a status symbol.

        Much as we slag on Apple for using locked components to break right-to-repair, the possibility of a hardware-based attack on a CEO or government official should not be discounted, either.

    • by gweihir ( 88907 )

      Spoken like a true fanboi. Of course, your statement misses the problem entirely. The problem is people doing banking on their phones with insecure or no 2nd factor.

  • Oh where or where has my little dog gone?

  • And are hence not affected at all. The worst ones are, of course, those that pretend to use 2FA, like allowing text messages as the 2nd factor on the same phone that you log in on via browser or app. But done right, this is minimally more effort but curbs this crap right at the beginning.

  • An Emulator Farm is not Good or Evil. We must stop applying labels to these poor emulators who are just trying to earn a living.

    If you are looking for fault, try the bank that allowed multiple requests per second from the same network address for multiple accounts. A good security algorithm will detect this and honey pot off the calls, or just deny all requests for some period of time. Also SMS, seriously! A code transmitted in plain text used as a secure verification token, whoever thought that wou
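Added example (not from the thread, and not IBM Trusteer's or any bank's code) of the detection the comment above asks for, which also matches the summary's pattern of a handful of emulators standing in for thousands of phones: over a sliding window, count how many distinct accounts, and how many distinct device ids, one source address has logged into. The log format, the addresses (from documentation ranges), the account and device ids, and the thresholds are all constructed for the demo.

```python
"""Flag one network address logging into many accounts in a short window.

Constructed demo: log format, addresses, ids and thresholds are assumptions.
A legitimate shared address (office NAT) touches a few accounts over minutes;
an emulator farm touches many accounts, each claiming a different device id.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one farm address, one office NAT, one home user.
SAMPLE_LOG = """
2020-12-17T18:13:50Z src=198.51.100.20 device=aa11 account=acct-0100 result=ok
2020-12-17T18:14:01Z src=203.0.113.7 device=e001 account=acct-0001 result=ok
2020-12-17T18:14:05Z src=192.0.2.5 device=zz99 account=acct-0200 result=ok
2020-12-17T18:14:09Z src=203.0.113.7 device=e002 account=acct-0002 result=ok
2020-12-17T18:14:10Z src=198.51.100.20 device=bb22 account=acct-0101 result=ok
2020-12-17T18:14:17Z src=203.0.113.7 device=e003 account=acct-0003 result=ok
2020-12-17T18:14:25Z src=203.0.113.7 device=e004 account=acct-0004 result=ok
2020-12-17T18:14:30Z src=198.51.100.20 device=cc33 account=acct-0102 result=ok
2020-12-17T18:14:33Z src=203.0.113.7 device=e005 account=acct-0005 result=ok
2020-12-17T18:14:41Z src=203.0.113.7 device=e006 account=acct-0006 result=ok
2020-12-17T18:15:00Z src=192.0.2.5 device=zz99 account=acct-0200 result=fail
"""

LINE = re.compile(r"^(\S+) src=(\S+) device=(\S+) account=(\S+) result=(\S+)$")


def parse(lines):
    """Return (timestamp, src, device, account, result) tuples, time-ordered."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4), m.group(5)))
    events.sort()
    return events


def detect(events, window=timedelta(seconds=60), max_accounts=5):
    """Alert once per src whose distinct accounts within `window` exceed max_accounts."""
    recent = defaultdict(list)  # src -> [(ts, account, device)] inside the window
    flagged, alerts = set(), []
    for ts, src, dev, acct, _result in events:
        buf = recent[src]
        buf.append((ts, acct, dev))
        while buf and ts - buf[0][0] > window:
            buf.pop(0)  # slide the window forward
        accounts = {a for _, a, _ in buf}
        devices = {d for _, _, d in buf}
        if len(accounts) > max_accounts and src not in flagged:
            flagged.add(src)
            alerts.append({"src": src, "accounts": len(accounts),
                           "devices": len(devices), "at": ts.isoformat()})
    return alerts


def run(log_text=SAMPLE_LOG):
    return detect(parse(log_text.strip().splitlines()))


if __name__ == "__main__":
    for a in run():
        print(f"ALERT {a['src']}: {a['accounts']} accounts / {a['devices']} device ids at {a['at']}")
```

The threshold is deliberately above what an office NAT produces in the sample; in practice it would be tuned per bank from baseline data. The response the comment suggests (tarpit or a temporary deny) is one option, and a step-up check on the flagged sessions is another; either way the alert carries the device-id count, which is what separates a shared address from a farm pretending to be many phones.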
  • by backslashdot ( 95548 ) on Thursday December 17, 2020 @08:30PM (#60843328)

    Given how easy SIM swapping is to pull off, SMS for multi-factor authentication is just stupid. Add to that the fact that it's unencrypted and oftentimes stored in plain text on telco servers. Reference: https://techcrunch.com/2018/11... [techcrunch.com]

    SMS is massively insecure and can't be fixed. The sooner the telcos get rid of it the better, though they will probably have to be pushed to it by the FCC. People should switch to something with end-to-end encryption like Signal or even WhatsApp.

  • by jelwell ( 2152 ) on Thursday December 17, 2020 @08:54PM (#60843382)

    "Avoid jailbreaking or rooting any of your devices."
    Ah yes, don't jailbreak your phone because it's clearly so secure that thieves will be unable to jailbreak it themselves. Little does the author know that if you do NOT jailbreak your phone, all you're doing is leaving it open for someone else to be able to jailbreak it. The next bullet point is telling:
    "Ensure all system updates and app updates take place on time."
    Ah yes, you didn't jailbreak your phone? So your phone is insecure by design? Well, make sure to grab that next OS update before the hackers have a chance to jailbreak it for you.
    If you think jailbreaking my phone so I can load a custom firewall application makes me MORE at risk for bank theft, then you're a fan of security through obscurity. Unfortunately thieves like these ones see right through your obscurity. SMS network anyone? The only reason it's considered "secure" is because it's a federal crime to snoop even though it's pretty trivial.

  • I have alerts for large transfers on my accounts. I get an email and also a mobile notification. Every time I make an ATM withdrawal, or transfer to a new account I get that alert. It is not foolproof, and it will not *prevent* an attack, but at least it will give a lead time to counter.

    If you have accounts on device, add fingerprint verification.
    If not, you might actually benefit from adding them. If paranoid, use a second phone for that purpose, and keep it in a safe place.

    • The first thing the hacker does, when he enters your bank app, is to disable those alerts.

      • by stikves ( 127823 )

        Yes, but you get an alert for that, too.

        I just tried this on my BofA account. It first required a "safe pass" code to disable the alert, and then proceeded to send me an email telling me that "Your automatic alert was turned off".

        At least for one bank (and probably for others) disabling alerts also causes an alert.
