IBM: Tens of millions of dollars stolen at the touch of a button

IBM researchers in Israel have exposed a huge scam: hackers used software impersonating real smartphones to take over bank accounts in Europe and the US. Along the way they forged GPS locations and bypassed two-step verification.

As if the Russian cyber attack, which apparently managed to gather significant information from the computer servers of the most sensitive government authorities, was not enough, another attack has now come to light. This one had an economic motive, and it managed to empty tens of millions of dollars from the bank accounts of thousands of smartphone owners in Europe and the United States.

This scam goes beyond the known cyber hacks. According to the research team led by Shachar Gritzman from Trusteer, an Israeli start-up acquired in 2013 by the technology giant IBM, this is unlike anything they have ever seen: professional and organized work. The crooks used emulators, software that mimics the properties of mobile devices of all kinds and is normally used for testing applications.


Automatic process

For the entire operation, the hackers needed both real, authentic details of existing devices and full details of the bank account holders. In the first stage they automatically collected device characteristics, most likely from databases of previously hacked devices. These are details like brand, operating system version, ID number (IMEI) and more. In the second stage, each emulator was carefully set up to “look” like a real device from the repository, or like a random new device. In some cases, they used about 20 such emulators to impersonate about 16,000 real telephones. A single emulator, it turns out, can counterfeit more than 8,100 devices.

At the same time, the scammers obtained usernames and passwords, probably from cell phones previously infected with malware or through phishing (collecting sensitive information by impersonating a real site). Once they had these in hand, they ran banking apps on the emulators as if they were real cell phones, entered the usernames and passwords, and transferred money out of the owners’ accounts.

According to Limor Kesem, a senior analyst at IBM’s security division, the entire process was automated and computerized, using applications developed specifically by the crooks. Following carefully constructed automated scripts, the applications checked each user’s account balance and made transfers only in amounts that should not raise a red flag on the bank’s computers.

To circumvent the complex protections banks use to prevent such attacks, the thieves not only used “device identifiers” matching the specifications they had, they also forged the GPS locations typical of each account holder’s day-to-day use. They even managed to overcome the two-step verification process, in which an SMS is sent to the user with a code to verify his identity; they had access to these messages as well. IBM researchers warn that such sophisticated attacks are possible against any application that offers online access to customers, especially those of financial institutions, anywhere in the world, even when a transaction is verified by a code sent via SMS, by a recorded voice call or by email.

The attacks were carried out in waves, and after each of them the hackers erased all possible traces and prepared for the next attack. After each use, the device details were changed. Thus, even when a bank blocked a “device”, the attackers simply used other device details. In some cases, however, they “created” a random smartphone, so that it would look as if a customer were using a new device to access his account.


Learn from mistakes

Trusteer researchers also found that, to ensure the system they had built worked as required, the hackers programmed for themselves a computerized “training environment” that simulated the applications of the banks they wanted to defraud. They moved on to execution only after they were satisfied with the results. The system they created allowed them to rob millions of dollars within a few days from any bank.

To make sure everything worked as planned during the fraud attempts, the attackers used techniques that intercepted the communication with the banks’ application servers and closely monitored how the servers reacted to connection attempts from the simulated devices. This tracking allowed them to change tactics in real time and to get warning signs in case something went wrong. When such disruptions were discovered, they rushed to stop the operation and erase their traces. Investigators found that the hackers became more sophisticated from attack to attack, learning from past mistakes.

According to Kesem, the level of sophistication revealed here is quite rare in the field of cybercrime, and it is likely that this is an organized crime group that benefits from the services of skilled developers and of people proficient in fraud and money laundering. To date, such gangs have been known only in the field of computer hacking.

Kesem: “This is a completely automatic crime, committed at the push of a button, after very careful preparatory work, and it also takes into account new security measures. We are facing a new era, which we were afraid of. Years have passed and nothing has happened. Now we see the magnitude of the threat.”


By Israel Walman (Hebrew), December 22, 2020, published on Ynet
