16K Mobile Bank Accounts Hacked-Millions Stolen In Massive Cyber-Heist
By: Jim Stickley and Tina Davis
March 19, 2021
Gone is the time when robbers had to pull-off bank heists in person. Hiding behind the anonymity of the internet are the bank robbers of today who can clean out a bank account in seconds without leaving their sofa. Case in point, a massive hacking operation recently stole millions of dollars from over 16,000 bank accounts. The criminals hacked mobile devices with a stealthy plan allowing them to create fraudulent wire transfers from the victim’s bank accounts to their own. Researchers from IBM Trusteer discovered the thefts, saying it took just a few days for the crooks to drain the many bank accounts.
According to Trusteer, financial fraud on this scale using mobile devices had yet to be seen, making it a unique and effective threat that could easily happen again. They found the cybercriminals used a number of different tactics allowing them to ultimately intercept the victim’s banking SMS security code, also called 2FA (two-factor authentication), on a mobile device they had compromised. Armed with stolen security codes, the hackers entered and drained numerous bank accounts at a time, sending the fraudulent wire transfers to their own accounts.
Duplicating Mobile Devices
Trusteer finds the criminals used mobile device emulators to overtake more than 16,000 devices. In one case, a single emulator compromised over 8,100 devices. Mobile emulators use software that can spoof a device, allowing it to overtake the targeted device and run it remotely from a laptop or computer. Many app developers use emulators to test their software before making it publicly available. In this case, the device emulators provided account details and actions used to eventually steal the 2FA code or enter using stolen passwords and other account credentials.
It’s believed much of the account information was first compromised using email phishing, a tried and true way to fall into a web of credential theft and identity fraud. Individuals unaware of anti-email phishing tactics and how to spot them are cybercrimes waiting to happen. Since common sense is the first part of catching email phishing, reviewing how to apply it is always a smart and safe idea.
Email Phishing Cyber-Smarts
- An email subject line that elicits an immediate response from the recipient is always suspect. Topics claiming there’s a problem with an account (in particular a financial account), or that you’ve won a prize, or a delivery is being upheld pending further information from you, and many more are all red flags for email phishing.
- Generic greetings, typo’s, and bad grammar in the email content are always a phishing red flag.
- Never share personal information, especially financial, in an email, over the phone, or in an SMS.
- Use strong passwords and multi-factor authentication (MFA) or 2FA whenever possible.
- Regularly monitor your financial transactions. If you see something suspicious, alert your bank immediately.
- If you don’t need to access your credit reports, consider putting a freeze on them. It’s easy to unfreeze them temporarily, if necessary.