KYC Verification Evasion Leads to Exploitation of Virtual Cameras & App Emulators

CloudSEK's Threat Intelligence Team recently uncovered a comprehensive tutorial on bypassing selfie verification in a Russian-speaking Cybercrime Forum.

Noel Varghese
June 26, 2023
Green Alert
Last update posted on February 3, 2024
Co-author: Pavan Karthick M

Category:  Adversary Intelligence

Industry: Banking & Finance

Motivation: Profit

Region: Global

Source*

C - Fairly Reliable

3 - Possibly True

Executive Summary

CloudSEK's Threat Intelligence Team discovered a tutorial on a Russian-speaking cybercrime forum that provides a step-by-step guide to bypassing selfie verification. Live selfie verification is a common way to perform KYC (Know Your Customer) checks: it verifies that the registering customer matches the photograph on a legal identification document such as an SSN card, driver's licence, Aadhaar card or PAN card.

In the evolving landscape of digital finance, threat actors are increasingly exploiting open-source emulators and virtual cameras to bypass KYC (Know Your Customer) verification processes on fintech platforms. This exploitation leads to the creation of fraudulent accounts, posing substantial financial and reputational risks. 

While we have not observed threat actors actively targeting the Indian sub-region, the step-by-step guide in question targeted Revolut, a United Kingdom-based financial technology company that offers mobile-based banking and money transfer services. The same services are also marketed toward brands operating in the cryptocurrency industry, such as Gemini and LiteBit.

The potential for these methods to facilitate money laundering activities is a serious concern. For organizations operating in the Banking, Financial Services, and Insurance (BFSI) sector, understanding these threats is of paramount importance.

Possible mitigations to prevent this abuse are:

  • Using robust facial recognition and liveness algorithms that distinguish real images/videos from replayed or synthetic ones
  • Using behavioral analysis and anomaly detection over behavior patterns and contextual device data, such as root detection and virtual environment (emulator) detection

The implications of these threats are far-reaching, affecting not only the security of financial transactions but also the trust that customers place in these platforms. 

Industry Context

Biometric verification has been a game-changer for customers complying with the KYC regulations imposed on banks, crypto exchanges and other fintech platforms. Video KYC and selfie verification are now the norm in the digital world: they can be completed without the customer physically visiting a bank or authorized centre for each KYC procedure. The following table lists entities that have selfie verification enabled; once it is completed successfully, the customer can begin trading or selling on the platform.

Entities who have Digital Verification Enabled

  • Revolut
  • Bitvavo
  • Gemini
  • Bitonic
  • LiteBit
  • Bitstamp

Information from the Underground Forums

CloudSEK's Threat Intelligence Team discovered a tutorial on a Russian-speaking cybercrime forum that provides a step-by-step guide to bypassing selfie verification. While monitoring discussions on other cybercrime forums, we discovered another set of  using the same software to bypass selfie verification and generate Revolut accounts.

Figure 1 - The tutorial posted on a cybercrime forum frequented by cybercriminals focused on social engineering and phishing


  • Revolut is a UK-based financial technology company that offers mobile-based banking services, including money transfers, currency and cryptocurrency exchange, budgeting tools, and more. It operates digitally, providing users with a convenient, app-based approach to personal and business banking.
  • Drop accounts on banking and payment applications are commonly requested and purchased by cybercriminals to facilitate the transfer of funds, often sourced from illegitimate activity.
  • A verification process is a critical measure intended to minimize the prevalence of automated or malicious accounts and to curb fraudulent activity. This step is essential to Know Your Customer (KYC) protocols, which establish the legitimacy and integrity of users on the platform.
  • Identity verification through selfies has become a widespread practice across digital platforms, including financial services, social media, and online marketplaces. Despite its widespread adoption, this method is not foolproof and can be bypassed unless appropriate security measures are implemented.

Figure 2 - Forum post where the tutorial was abused to bypass Revolut’s KYC


  • The threat actor published the tutorial, which named the following apps that can be abused to pass the verification process on Revolut:
      • NOTE Studio 27.2.4
      • OBS Virtualcam Plugin
      • Bluestacks from version 5.10
  • The software named above serves the following purposes:
      • NOTE Studio - open-source suite for video recording and live streaming, often used by content creators on platforms such as Twitch and YouTube. It allows users to capture, composite, encode and stream video content efficiently.
      • OBS VirtualCam Plugin - sets up a virtual camera that presents a snapshot of the face the actor wants to use, taken from a dummy video supplied as input.
      • Bluestacks - emulator software that can be used to install and test Android applications in a portable manner.

Verification Process Through Emulator

The selfie verification step takes place once the phone number has been verified via OTP and the customer has set the account credentials. Because the verification is performed from a desktop inside an emulator, the app can be tricked into accepting a pre-manipulated image as its camera input and completing the verification.

The same weakness can be abused to generate accounts in bulk on banking and finance platforms that have KYC enabled.
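The two mitigations listed in the Executive Summary (root and virtual environment detection, and anomaly detection across sign-ups) map directly onto the emulator-plus-virtual-camera abuse described above, and can be combined into a server-side risk score for each selfie-KYC session. The Python below is an added example, not CloudSEK's or any platform's code; the marker lists, weights, thresholds, the `KycSession` field names and the sample sessions are all assumptions or constructed data.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed markers (tune from your own telemetry): emulator Build.FINGERPRINT substrings, software camera labels
EMULATOR_MARKERS = ("generic", "goldfish", "ranchu", "vbox86", "bluestacks", "sdk_gphone")
VIRTUAL_CAMERA_MARKERS = ("obs", "virtual", "loopback", "droidcam")
BULK_THRESHOLD = 3   # sign-ups sharing one device fingerprint or IP in the window
WEIGHTS = {"emulator_build": 40, "virtual_camera": 40, "rooted": 15,
           "low_liveness": 30, "shared_device_fp": 25, "shared_ip": 10}

@dataclass(frozen=True)
class KycSession:
    session_id: str
    device_fp: str   # hash of hardware identifiers reported by the app
    build: str       # Build.FINGERPRINT reported by the client
    camera: str      # camera label reported by the client
    rooted: bool     # result of the app's root / integrity check
    liveness: float  # 0..1 from the liveness (presentation-attack) model
    ip: str

def device_signals(s: KycSession) -> list:
    """Per-session indicators of a virtual environment or a virtual camera feed."""
    checks = [("emulator_build", any(m in s.build.lower() for m in EMULATOR_MARKERS)),
              ("virtual_camera", any(m in s.camera.lower() for m in VIRTUAL_CAMERA_MARKERS)),
              ("rooted", s.rooted), ("low_liveness", s.liveness < 0.5)]
    return [name for name, hit in checks if hit]

def decide(sessions: list) -> dict:
    """session_id -> (decision, score, signals); score >= 60 denies, >= 30 goes to manual review."""
    fp_count = Counter(s.device_fp for s in sessions)  # cross-session anomaly:
    ip_count = Counter(s.ip for s in sessions)         # one device or IP, many sign-ups
    result = {}
    for s in sessions:
        signals = device_signals(s) + [name for name, hit in (
            ("shared_device_fp", fp_count[s.device_fp] >= BULK_THRESHOLD),
            ("shared_ip", ip_count[s.ip] >= BULK_THRESHOLD)) if hit]
        score = sum(WEIGHTS[x] for x in signals)
        decision = "deny" if score >= 60 else "review" if score >= 30 else "pass"
        result[s.session_id] = (decision, score, signals)
    return result

# Constructed sample: a real handset, a rooted handset with weak liveness, three sign-ups from one emulator + OBS feed
EMU = "BlueStacks/generic_x86/vbox86p:9/PI/user"
SAMPLE = [
    KycSession("s1", "fp-aaa", "google/oriole/oriole:13/TQ3A/user", "Back camera", False, 0.93, "203.0.113.10"),
    KycSession("s2", "fp-ccc", "samsung/a52q/a52q:13/TP1A/user", "Back camera", True, 0.48, "203.0.113.20"),
    KycSession("s3", "fp-bbb", EMU, "OBS Virtual Camera", True, 0.41, "198.51.100.7"),
    KycSession("s4", "fp-bbb", EMU, "OBS Virtual Camera", True, 0.55, "198.51.100.7"),
    KycSession("s5", "fp-bbb", EMU, "OBS Virtual Camera", True, 0.62, "198.51.100.7"),
]
```

Running `decide(SAMPLE)` passes the real handset, routes the rooted handset to review, and denies all three emulator sessions, the bulk signals firing because they share one fingerprint and one IP.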

Figure 3 - Picture used for verification

Appendix

Figure 4 - Previous discussions surrounding facial recognition bypass for the creation of Revolut accounts

Figure 5 - A similar advertisement observed on a Russian-speaking cybercrime forum for bypassing verification, which has been observed to impact the crypto industry and foreign banks

Figure 6 - Discussion on an underground forum indicating previous exploitation of the selfie verification process for Revolut
