Co-authored by Shir Levin
The IBM Security Trusteer team recently battled an interesting case of account takeover (ATO) fraud that targeted end users of a large retail bank's application in Japan. The application normally sees around 200 fraud sessions a month. Last month, that number shot up to more than 600 confirmed fraud sessions.
After analyzing the real-time alerts sent to the bank as each account was compromised, Trusteer identified virtual machines and risky devices as the common factor behind the severe ATO spike. Many of the devices involved were new to the accounts they accessed and carried attributes correlated with fraud. Trusteer's Japan team reached out to the customer and concluded that the client was suffering from credential theft facilitated by a large-scale SMS phishing (smishing) attack.
Next, the phishing alerts were reviewed in the customer's Trusteer Management Application (TMA) console. They showed that the credentials were being harvested by newly set up fake banking websites that reused elements of the targeted bank's own source code.
All ATO attempts that followed were quickly identified with:
- Virtual machine detection
- Device reuse identification
- Risky device usage
A single physical device accessed more than 150 end-user accounts, changing its connection attributes between sessions to avoid detection, but device reuse identification still linked those sessions to the same hardware. More than 60 percent of the fraudulent attempts were identified by behavioral biometrics, based on keystroke patterns that did not match those of the legitimate users.
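To make the three signals above and the device-reuse pattern concrete, here is an added example written for this article; it is not Trusteer's detection logic or any part of the product. It runs over a handful of constructed login sessions in which one device fingerprint (`dev-attacker`) touches several accounts while rotating its IP address and user agent. Field names, thresholds, the per-account keystroke baselines and the notion that a "risky new device" is one unseen on the account that is also a VM or a reused device are all assumptions made for the illustration.

```python
"""Correlate login sessions to surface VM use, cross-account device reuse
and keystroke-rhythm deviation. Illustrative example for this article;
all data, field names and thresholds are constructed assumptions."""
from collections import defaultdict
from statistics import mean

# Constructed per-account keystroke baseline: (mean key dwell time in ms,
# standard deviation) learned from the owner's earlier legitimate sessions.
KEYSTROKE_BASELINE = {
    "A001": (115.0, 8.0),
    "A002": (140.0, 10.0),
    "A003": (95.0, 6.0),
    "A004": (130.0, 9.0),
}

# Constructed history of which device fingerprints each account has used.
KNOWN_DEVICES = {
    "A001": {"dev-owner-1"},
    "A002": {"dev-owner-2"},
    "A003": {"dev-owner-3"},
    "A004": {"dev-owner-4"},
}

# Constructed sessions. device_id stands in for a stable device fingerprint
# that survives changes to IP address and user agent.
SESSIONS = [
    # account owner on a known device, normal typing rhythm
    {"id": 1, "account": "A001", "device_id": "dev-owner-1", "ip": "203.0.113.10",
     "ua": "Safari/iOS", "is_vm": False, "dwell_ms": [112, 118, 110, 120]},
    # one attacker VM hitting three accounts while rotating IP and user agent
    {"id": 2, "account": "A002", "device_id": "dev-attacker", "ip": "198.51.100.5",
     "ua": "Chrome/Win", "is_vm": True, "dwell_ms": [60, 62, 58, 61]},
    {"id": 3, "account": "A003", "device_id": "dev-attacker", "ip": "198.51.100.77",
     "ua": "Firefox/Win", "is_vm": True, "dwell_ms": [59, 61, 60, 63]},
    {"id": 4, "account": "A004", "device_id": "dev-attacker", "ip": "192.0.2.9",
     "ua": "Chrome/Android", "is_vm": True, "dwell_ms": [62, 60, 61, 59]},
    # owner of A002 on their usual phone afterwards: must not be flagged
    {"id": 5, "account": "A002", "device_id": "dev-owner-2", "ip": "203.0.113.44",
     "ua": "Safari/iOS", "is_vm": False, "dwell_ms": [138, 142, 145, 136]},
]


def reused_devices(sessions, max_accounts=2):
    """Return devices seen on more accounts than one owner plausibly holds,
    with the accounts touched and how many distinct (ip, ua) connection
    profiles the device presented (rotation shows up as a high count)."""
    accounts, profiles = defaultdict(set), defaultdict(set)
    for s in sessions:
        accounts[s["device_id"]].add(s["account"])
        profiles[s["device_id"]].add((s["ip"], s["ua"]))
    return {
        dev: {"accounts": sorted(accs), "connection_profiles": len(profiles[dev])}
        for dev, accs in accounts.items()
        if len(accs) > max_accounts
    }


def keystroke_zscore(session, baseline=KEYSTROKE_BASELINE):
    """How many standard deviations the session's mean dwell time sits
    from the account owner's baseline rhythm."""
    base_mean, base_sd = baseline[session["account"]]
    return abs(mean(session["dwell_ms"]) - base_mean) / base_sd


def score_session(session, reused, z_threshold=3.0):
    """List the fraud indicators that fire for one session."""
    reasons = []
    dev = session["device_id"]
    if session["is_vm"]:
        reasons.append("virtual_machine")
    if dev in reused:
        reasons.append("device_reuse")
    # Assumption: a device new to the account is only 'risky' when it also
    # carries a fraud-correlated attribute (VM or cross-account reuse).
    if dev not in KNOWN_DEVICES.get(session["account"], set()) and (
            session["is_vm"] or dev in reused):
        reasons.append("risky_new_device")
    if keystroke_zscore(session) > z_threshold:
        reasons.append("keystroke_deviation")
    return reasons


def analyze(sessions):
    """Map session id to the indicators raised for it."""
    reused = reused_devices(sessions)
    return {s["id"]: score_session(s, reused) for s in sessions}


if __name__ == "__main__":
    for dev, info in reused_devices(SESSIONS).items():
        print(f"{dev}: {len(info['accounts'])} accounts, "
              f"{info['connection_profiles']} connection profiles")
    for sid, reasons in analyze(SESSIONS).items():
        print(sid, reasons or "clean")
```

The point of grouping on the device fingerprint rather than on IP or user agent is visible in the output: the attacker's three sessions present three different connection profiles, yet all collapse onto one device that has touched three accounts, and each of them also trips the VM and keystroke checks, while the genuine owner's later login from the same account is left clean.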
We were excited to help this client detect the source of the problem and remediate it quickly. If you have any questions for our team, please reach out to Eran Coster (firstname.lastname@example.org) or Shir Levin (Shir.Levin@ibm.com).