It’s time to forget everything you know about emulators and how they work. We recently discovered that fraudsters have started using emulators as browser add-ons. While there is nothing new about emulator-based attacks, fraudsters of all skill levels are now using these tools with increasing frequency. Emulators were typically used by tech-savvy fraudsters; our discovery proves that this is changing. Now it’s much easier for almost anyone to commit online fraud using an emulator.
|What we saw:|Anomalies in device behaviors|
|How we caught it:|Zero day emulator detection|
|Why you need to pay attention:|It's now even easier to scale up attacks like account takeover, new account creation and coupon fraud using emulators|
How We Discovered this Threat
Our system alerted us to an emulator-based attack on one of our clients’ apps. It didn’t come as a surprise that this tool, disguised as Android devices, was being used to perpetrate new account fraud. Using an emulator is an effective evasive technique for fraudsters who want to avoid wasting time switching between different devices for the attack; in other words, it’s more efficient.
What did surprise us is that this emulator wasn’t a type that we had seen before, so we knew we had to dig a little deeper.
When we reverse engineered the data analysis of the alert, we discovered that this emulator was one that had not been installed on the fraudster’s computer: it was being hosted on a remote server and controlled by a browser add-on.
Zero Day Emulator Detection
Our Behavioral Biometrics solution includes a zero-day emulator detection model which allows us to pick up on potential device-based attacks regardless of how new they are. What sets this solution apart from other approaches is that it processes patterns of behavioral data to identify any anomalies in device behaviors. This includes, for example, how device sensors respond when a user presses or swipes on the screen.
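To illustrate the sensor-response idea described above, here is an added example; it is not the vendor's detection model or code from the original post. It flags a session when the accelerometer stream is flat or shows no reaction to touch events. The function names, thresholds and sample sessions are all constructed assumptions.

```python
import math
import random
import statistics

def energy(samples, t0, t1):
    """Std-dev of accelerometer magnitude over samples with t0 <= t_ms < t1."""
    mags = [math.sqrt(x*x + y*y + z*z) for t, x, y, z in samples if t0 <= t < t1]
    return statistics.pstdev(mags) if len(mags) > 1 else 0.0

def touch_response_ratio(touches, samples, window_ms=150):
    """Median ratio of motion during each touch to motion shortly before it."""
    ratios = []
    for t in touches:
        during = energy(samples, t, t + window_ms)
        before = energy(samples, t - 2 * window_ms, t - window_ms)
        ratios.append(during / (before + 1e-6))
    return statistics.median(ratios)

def looks_emulated(touches, samples, min_ratio=2.0, min_energy=1e-3):
    """Flag sessions whose sensors are flat or never react to touches.
    Both thresholds are illustrative assumptions, not tuned values."""
    if energy(samples, samples[0][0], samples[-1][0] + 1) < min_energy:
        return True  # constant sensor stream, e.g. a fixed gravity vector
    return touch_response_ratio(touches, samples) < min_ratio

def make_session(kind, seed=7, touches=range(500, 4500, 500)):
    """Constructed sample data: 5 s of 100 Hz readings as (ms, x, y, z)."""
    rng, samples = random.Random(seed), []
    for t in range(0, 5000, 10):
        n = 0.0 if kind == "flat" else 0.01  # "jitter" = noise with no touch reaction
        x, y, z = rng.gauss(0, n), rng.gauss(0, n), 9.81 + rng.gauss(0, n)
        if kind == "handheld":  # damped 20 Hz jolt when a finger hits the screen
            for t0 in touches:
                if 0 <= t - t0 < 150:
                    dt = (t - t0) / 1000
                    z += 0.3 * math.sin(2 * math.pi * 20 * dt) * math.exp(-dt / 0.05)
        samples.append((t, x, y, z))
    return list(touches), samples

if __name__ == "__main__":
    for kind in ("handheld", "flat", "jitter"):
        touches, samples = make_session(kind)
        print(kind, "flagged" if looks_emulated(touches, samples) else "ok")
```

A single-sensor heuristic like this is only one signal; it would feed a broader model alongside other behavioral features rather than decide on its own.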
The Rise of Emulators-as-a-Service Changes all the Rules
Once we had a better idea of what we were dealing with, we turned to the dark web to determine the extent of this new threat vector. It became clear that, unlike typical emulator-based attacks, we were seeing something far more systemized and large-scale.
The interesting thing to note is that there’s nothing illegal about an emulator. It is a legitimate tool that allows users to simulate a mobile device on their desktop. It all depends on how the emulator is used. If it’s being used on a gaming site, for example, it’s perfectly legitimate. But it’s suspicious when it’s used on retail and other e-commerce sites.
The fact that emulators are now so much easier to use means they’re going to become a growing threat, and I suspect they’ll become an essential part of every fraudster’s toolkit. Emulators are also likely to play a role in making crime-as-a-service (CaaS) more prevalent. The emergence of emulators-as-a-service is a telltale sign that the only way to curtail such threats is to increase awareness of them.
Screenshot: Browser-based emulator being shared in a grey web forum. The post has 8 pages of responses.
Democratizing the Threat Landscape
Perhaps what’s most interesting about this new threat is that it suggests that the typical persona of a fraudster is changing. Gone are the days when a fraudster needed to be as much a tech expert as a criminal mastermind. In a similar way to bots, where nowadays almost anyone can buy one, we’re seeing the same trend with emulators. This tool makes fraud more accessible and serves as a friendly gateway to this underground world. It also changes the business of online retail fraud. This is a new and growing trend among fraud communities.
Emulators-as-a-service is a convenient introduction to online fraud for anyone curious enough to be exploring the dark web but lacking the technical know-how needed to execute an attack unassisted. Traditionally, installing and running an emulator required a certain level of technical know-how. Now that emulators can be used as a browser add-on, they are easier than ever to use. In just a few clicks, the emulator can be added to a browser and is ready to use. Moreover, these emulators are almost undetectable, which adds to their appeal.
Where to From Here?
This discovery is just another example of why fraud fighters are continually preaching about the importance of always being ahead.
To fight online retail fraud efficiently, we must focus on what we don’t know. Because the reality is that we all have fraud blind spots, and it’s only with the right technology that we can eliminate these vulnerabilities.