Fraudsters’ special efforts to hide from Empello – “APIEMPELLO”

In Empello by Empello

In the ever-evolving game of cat and mouse between Empello and the fraudsters we aim to deter, we made a stark discovery that shows how effective we are and the impact we have, as well as the measures fraudsters will take to avoid being detected by us.

FraudScan captures all URLs involved in a journey to a VAS service, and this is the same for journeys started by bots controlling handsets via apps containing malware.

In the example below we can see the very first URL called by the malware is – this is the command and control server where the logic behind malicious clicks is controlled from – the rest of the journey is determined from here:

By dissecting the packets from the command and control server we were able to discover exactly how the malware works to force subscriptions on consumers without their knowledge. From here we could track the name of the app and see how it systematically cycled through false IPs, user agents, and browser details in its attempts to avoid detection. This was all happening in plain sight and exposed the IPs of the companies hosting the command and control servers where the fraud was perpetrated.

Once the fraudsters realised how much intel we could gain from their activity, and the power it gave us to prevent fraud, they encrypted all of the suspicious traffic behind a new command and control server, which they kindly named after us:

We are happy to take this as a compliment and find it a fitting tribute to our ongoing efforts against fraud – we are defiant and determined that it will not hamper our efforts to protect our carriers.

Luckily, all the intel is engineered into FraudStop, our payment page protection solution, in real time, so the encryption efforts were too little, too late – this particular type of fraud will already be blocked for those clients that have FraudStop in place.

Take a look at one of our audits to see how the malware is pushed to the phone, how it takes control of it, and how it hides itself from the user, then automatically signs the consumer up to VAS services: