Executive Summary

CloudSEK's Threat Intelligence Team discovered a tutorial within a Russian-speaking Cybercrime Forum, which provides a step-by-step guide on how to bypass selfie verification. Conducting individual live selfie verification is a common method to conduct KYC (Know Your Customer) verification and verify if the data points from registering customer matches with the identity picture present on the legal identification document such as SSN, Drivers license, Aadhar card, PAN card and more.
‍

In the evolving landscape of digital finance, threat actors are increasingly exploiting open-source emulators and virtual cameras to bypass KYC (Know Your Customer) verification processes on fintech platforms. This exploitation leads to the creation of fraudulent accounts, posing substantial financial and reputational risks.

While we haven’t noticed any active threat actors actively targeting the Indian sub-region, the current step-by-step guide targeted Revolut - a United Kingdom-based financial technology company that offers mobile-based banking services and money transfer services. Additionally, these services are catered toward brands operating in the Cryptocurrency Industry as well, such as Gemini and LiteBit

The potential for these methods to facilitate money laundering activities is a serious concern. For organizations operating in the Banking, Financial Services, and Insurance (BFSI) sector, understanding these threats is of paramount importance.

Possible mitigation to prevent abuse are:-

Using Robust facial recognition algorithms to distinguish real and fake images/videos
Using Behavioral Analysis and Anomaly detection by analyzing behavior patterns and other contextual data such as Root detection and virtual environment detection

The implications of these threats are far-reaching, affecting not only the security of financial transactions but also the trust that customers place in these platforms.

Industry Context

Biometric Verification has been a game-changer for customers to comply with KYC regulations. These have been imposed by Banks, Crypto, and other Fintech platforms. Video KYC, Selfie Verification are the norm now in this digital world. It can be done without the need for the customer to physically visit the bank/ authorized center for each and every KYC procedure. The following table mentions entities that have Selfie Verification enabled. Once it is completed successfully, the customers can commence operations for trading/selling on the platform.

Entities who have Digital Verification Enabled
Revolut	Bitvavo
Gemini	Bitonic
LiteBit	Bitstamp

‍

Information from the Underground Forums

CloudSEK's Threat Intelligence Team discovered a tutorial within a Russian-speaking Cybercrime Forum, which provides a step-by-step guide on how to bypass selfie verification. While monitoring discussions on other cybercrime forums we discovered another set of using the same software to bypass Selfie verification to generate Revolut accounts.

*Figure 1 - The tutorial posted on cybercrime forum frequented by cybercriminals focussed on Social engineering and Phishing*

Revolut is a UK-based financial technology company that offers mobile-based banking services, including money transfers, currency and cryptocurrency exchange, budgeting tools, and more. It operates digitally, providing users with a convenient, app-based approach to personal and business banking.
Drop Accounts on Banking / Payment applications, are commonly requested and purchased via cyber criminals, to facilitate the transfer of drop amounts, often sourced from illegitimate sources.
The implementation of a verification process is a critical measure intended to minimize the prevalence of automated or malicious accounts, as well as to curb fraudulent activities. This step is essential in establishing Know Your Customer (KYC) protocols, which ensure the legitimacy and integrity of users on the platform.
Identity verification through selfies has become a widespread practice across various digital platforms, including financial services, social media, and online marketplaces. Despite its widespread adoption, this method isn't foolproof and can be susceptible to bypassing unless appropriate security measures are implemented.

*Figure 2 - Forum Post where the tutorial was abused to bypass Revolut’s KYC*

The threat actor published the tutorial, which named the following apps that can be abused to pass the verification process on Revolut:

NOTE Studio 27.2.4
OBS Virtualcam Plugin
Bluestacks from version 5.10

The above mentioned software are used for various purposes:

NOTE Studio - Open Source Suite for video recording and live streaming, often used by content creators for platforms like Twitch and YouTube. It allows users to capture, composite, encode, and stream video content efficiently
OBS VirtualCam Plugin - for setting up a virtual camera, which will capture a snapshot of an identifiable face that the actor would like to use, from a dummy video that is provided as input.
Bluestacks - This is an emulator software that can be used to install and test android applications in a portable manner.

‍

Verification Process Through Emulator

The selfie verification process takes place once the phone number is verified via OTP, with the account credentials set by the customer. Since the verification process is abused via desktop using an emulator, the app can possibly get tricked into accepting a pre-manipulated image as input to complete the verification process.

The same verification method can be abused to generate accounts, in bulk on banking platforms and finance that have enabled KYC.