FREMONT, CA: Limor Kessem, an executive security consultant at IBM Security, said that although the first wave of attacks using these mobile emulators has been stopped and the banks that have been hacked have been notified, the second wave of attempts may already be underway.
Once the attackers compromise the target device (through phishing emails or other means of spreading malware), they collect information such as the victim's bank account username and password, device identifiers and SMS messages.
According to IBM, the attackers added this information to the database supplied to the mobile emulator, which was then used to spoof legitimate devices. The details used to imitate a device include the operating system version it runs and the unique international mobile device identification number of each mobile phone.
According to the report, from there the attackers can enter the bank account credentials into the app and start generating fake money orders or use other means to deplete the account. The hackers monitor the progress of each attack, make adjustments, and terminate transactions if they find that the bank has probably detected the attack.
To bypass the bank's security features used to protect customers, the emulator spoofed the GPS location. According to the report, the attackers then connected to the account through a matching VPN service. Attackers can also bypass protective measures such as multi-factor authentication, because they already have access to the victim's SMS messages.
The IBM report states that whenever the emulator successfully spoofs a device and uses it to compromise an account, the spoofed device is discarded and replaced by another spoofed device, thus starting the attack cycle. In some cases, the attackers made it appear to the bank that the customer was trying to access the account from a new device, which helped to further deceive the security protection measures.
IBM researchers found that a single emulator can spoof more than 8,000 devices in a short period of time. Kessem pointed out that access to mobile emulators is easy and cheap.