IBM Security Trusteer


Learn How Trusteer Solved a Large-Scale SMS Phishing Attack in Japan

By Eran Coster posted Wed July 22, 2020 12:34 PM

Co-authored by Shir Levin

The IBM Security Trusteer team just battled an interesting case of account takeover (ATO) fraud that targeted end-users of a large retail bank application in Japan. This application normally deals with around 200 fraud sessions a month. Last month, that number shot up to more than 600 confirmed fraud sessions.


After analyzing the real-time alerts sent to the bank as each account was compromised, Trusteer identified virtual machines and risky devices as the cause of the severe ATO spike. The at-risk devices included devices that were new to the account and had fraud-correlated attributes. Trusteer’s Japan team reached out to the customer and concluded the client was suffering from credential theft facilitated by a large-scale SMS phishing attack.


Next, the phishing alerts were evaluated in the customer’s Trusteer Management Application (TMA) console. The alerts showed that the phishing attack came from newly set up fake banking websites that used elements of the targeted bank’s source code.

All ATO attempts that followed were quickly identified with:

  • Virtual machine detection
  • Device reuse identification
  • Risky device usage


One physical device accessed more than 150 end-user accounts, changing its connection attributes to avoid detection. More than 60 percent of the fraudulent attempts were identified with behavioral biometrics, based on the keystroke patterns of users.
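The device-reuse signal described above can be illustrated with a short added example; it is not Trusteer's code or method. It assumes a stable device identifier is already available for each session, and the field names, sample sessions and threshold are constructed for illustration. It shows why counting accounts per IP misses a device that rotates its connection attributes, while counting per device identifier catches it.

```python
from collections import defaultdict

def build_sessions():
    """Constructed sample login sessions; all field names and values are hypothetical."""
    sessions = []
    # One device touching six accounts, rotating IP and user agent between logins.
    for i in range(6):
        sessions.append({"account": f"acct-{100 + i}", "device_id": "dev-A",
                         "ip": f"198.51.100.{10 + i}", "user_agent": f"UA-{i % 3}"})
    # Ordinary customers: one device per account, stable attributes.
    for i in range(4):
        sessions.append({"account": f"acct-{200 + i}", "device_id": f"dev-L{i}",
                         "ip": f"203.0.113.{i + 1}", "user_agent": "UA-9"})
    # A shared household device used for two accounts from one IP.
    for acct in ("acct-300", "acct-301"):
        sessions.append({"account": acct, "device_id": "dev-H",
                         "ip": "192.0.2.7", "user_agent": "UA-9"})
    return sessions

def accounts_per_key(sessions, key):
    """Map each value of `key` to the set of accounts seen with it."""
    seen = defaultdict(set)
    for s in sessions:
        seen[s[key]].add(s["account"])
    return seen

def flag_reuse(sessions, key, max_accounts=3):
    """Return values of `key` linked to more than `max_accounts` distinct accounts."""
    return sorted(k for k, accts in accounts_per_key(sessions, key).items()
                  if len(accts) > max_accounts)

def describe_device(sessions, device_id):
    """Summarise how many accounts and connection attributes one device used."""
    mine = [s for s in sessions if s["device_id"] == device_id]
    return {"accounts": len({s["account"] for s in mine}),
            "ips": len({s["ip"] for s in mine}),
            "user_agents": len({s["user_agent"] for s in mine})}

if __name__ == "__main__":
    data = build_sessions()
    print("flagged by IP:", flag_reuse(data, "ip"))
    print("flagged by device:", flag_reuse(data, "device_id"))
    print("dev-A summary:", describe_device(data, "dev-A"))
```

The threshold is a tuning choice: set too low, it flags shared household devices such as `dev-H` in the sample.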

We were excited to help this client detect the source of the problem and remediate it quickly. If you have any questions for our team, please reach out to Eran Coster or Shir Levin.

1 comment



Sun July 26, 2020 11:47 PM

Well done team!