Sophisticated vishing campaigns take the world by storm

Voice phishing, or vishing, is surging, with numerous active campaigns around the world ensnaring even savvy victims who would seem to know better, in some cases defrauding them of millions of dollars.

South Korea is one of the global regions most affected by the attack vector; in fact, a scam in August 2022 resulted in the largest sum ever stolen in a single vishing case in the country. A doctor sent 4.1 billion won, or $3 million, in cash, insurance, stocks and cryptocurrencies to criminals, demonstrating how much financial damage a vishing scam can inflict.

The sophisticated social engineering tactics behind the success of recent scams include impersonating regional law enforcement officials, which gives the scammers highly convincing authority, according to Sojun Ryu, head of the Threat Analysis Team at the South Korean cybersecurity company S2W Inc. Ryu will hold a session on the trend, “Voice Phishing Syndicates Exposed: An In-Depth Investigation and Exposure,” at the upcoming Black Hat Asia 2024 conference in Singapore. Vishing campaigns in South Korea, in particular, exploit specific cultural aspects that lead even those who seem unlikely to fall for such a scam to become victims, Ryu says.

For example, in recent scams cybercriminals impersonate the Seoul Central District Prosecutor’s Office, which “can significantly intimidate people,” Ryu says. By doing this, and by arming themselves with people’s personal information in advance, they manage to scare victims into making financial transfers – sometimes in the order of millions of dollars – by making them believe that if they don’t, they will face dire legal consequences.

“While their approach is not new – employing the long-standing tactic of impersonating a prosecutor – the significant sum of money stolen in this case can be attributed to the victim’s status as a high-income professional,” Ryu says. “It is a clear warning that anyone can fall prey to these schemes.”

Indeed, vishing groups operating in Korea also appear to deeply understand the region’s culture and legal systems and “skillfully mirror the current social landscape in Korea, using individual psychology to their advantage,” he says.

Vishing Engineering: a combination of psychology and technology

Ryu and his fellow speaker at Black Hat Asia, YeongJae Shin, a threat analytics researcher formerly employed at S2W, will focus their presentation on vishing that is happening specifically in their country. However, vishing scams similar to the ones seen in Korea now appear to be spreading around the world, leaving unfortunate victims in their wake.

Law enforcement scams appear to fool even the most savvy Internet users, as a New York Times financial reporter detailed in a published report about losing $50,000 to a vishing scam in February. Several weeks later, the author of this article almost lost 5,000 euros to a sophisticated vishing scam in which criminals operating in Portugal posed as both local and international law enforcement authorities.

Ryu explains that the blend of social engineering and technology allows these contemporary vishing scams to victimize even those who are aware of the danger of vishing and how its operators work.

“These groups use a mixture of coercion and telephone persuasion to deceive their victims effectively,” he says. “Furthermore, malicious applications are designed to manipulate human psychology. These apps not only facilitate financial theft through remote control after installation, but also exploit the call forwarding function.”

Because of call forwarding, even victims who try to verify the scammers’ stories will think they are dialing the number of a legitimate financial or government institution. That’s because threat actors “smartly redirect the call” to their own numbers, gaining victims’ trust and improving the chances of attack success, Ryu says.

“Additionally, attackers show a nuanced understanding of local law enforcement’s communication style and required documentation,” he says. This allows them to expand their operations globally and even maintain call centers and manage a number of “mastered” mobile phone accounts to do their dirty work.

Updated Vishing toolboxes

Vishing operators also use other modern cybercriminal tools to operate in different geographic areas, including South Korea. One of these is the use of a device known as a SIM Box, explains Ryu.

Since scammers typically operate outside of their targeted geographic locations, their outgoing calls may initially appear to be coming from an international number or an Internet calling number. However, through the use of a SIM Box device, they can mask their calls, making them appear as if they were made from a local mobile number.

“This technique can trick unsuspecting individuals into believing that the call is coming from a domestic source, thereby increasing the likelihood that the call will be answered,” he says.
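For the carrier side of this problem, the following added example (not from the article or from S2W) shows traffic heuristics commonly used to spot SIMs sitting in a SIM box: many outgoing calls, almost no incoming ones, nearly every call to a different number, and no movement between cells. The record layout, phone numbers and thresholds are constructed assumptions.

```python
from collections import defaultdict

def build_sample_cdrs():
    """Constructed call detail records: (sim, peer, serving_cell, direction)."""
    cdrs = []
    # Hypothetical gateway SIM: 40 outgoing calls, all to new numbers, one cell.
    for i in range(40):
        cdrs.append(("010-0000-0001", f"010-5555-{i:04d}", "cell-17", "out"))
    # Ordinary subscriber: small contact circle, moves around, receives calls.
    contacts = ["010-1111-0001", "010-1111-0002", "010-1111-0003"]
    for i in range(12):
        cdrs.append(("010-0000-0002", contacts[i % 3], f"cell-{i % 4}", "out"))
    for i in range(10):
        cdrs.append(("010-0000-0002", contacts[i % 3], f"cell-{i % 4}", "in"))
    return cdrs

def simbox_suspects(cdrs, min_out=30, max_in_ratio=0.05,
                    min_callee_spread=0.9, max_cells=1):
    """Return SIMs whose traffic profile matches all four heuristics."""
    stats = defaultdict(lambda: {"out": 0, "in": 0, "peers": set(), "cells": set()})
    for sim, peer, cell, direction in cdrs:
        s = stats[sim]
        s[direction] += 1
        s["cells"].add(cell)
        if direction == "out":
            s["peers"].add(peer)
    suspects = []
    for sim, s in stats.items():
        if s["out"] < min_out:
            continue  # too little outgoing traffic to judge
        in_ratio = s["in"] / s["out"]            # gateways rarely receive calls
        spread = len(s["peers"]) / s["out"]      # gateways rarely call a number twice
        if (in_ratio <= max_in_ratio and spread >= min_callee_spread
                and len(s["cells"]) <= max_cells):
            suspects.append(sim)
    return sorted(suspects)

if __name__ == "__main__":
    print(simbox_suspects(build_sample_cdrs()))
```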

Attackers also often use a vishing app called SecretCalls in their attacks against Korean targets, which not only allows them to conduct their operations but also to evade detection. The app has “undergone significant evolution” over the years, Ryu says, which is why it is “one of the most actively spread variants” of vishing malware.

The malware’s “sophisticated” features include detecting Android emulators, altering ZIP file formats, and dynamic loading to prevent scanning, Ryu says. SecretCalls can also overlay the phone’s screen, dynamically collect command and control (C2) server addresses, receive commands via Firebase Cloud Messaging (FCM), enable call forwarding, record audio, and stream video.
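As an added triage example (not from the article and not derived from SecretCalls samples), the script below flags an Android manifest that declares the combination of capabilities listed above. The mapping from capability to manifest marker is an assumption, the manifest is constructed, and the XML is expected in decoded text form (for instance, as produced by apktool).

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping (not taken from SecretCalls samples): manifest markers an app
# would declare for the capabilities the article lists.
PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "screen overlay",
    "android.permission.PROCESS_OUTGOING_CALLS": "call interception",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "video capture",
}
ACTIONS = {
    "android.telecom.CallRedirectionService": "call interception",
    "com.google.firebase.MESSAGING_EVENT": "FCM channel",
}

# Constructed manifest for a hypothetical sideloaded "bank" app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.bank">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".Push">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""

def capabilities(manifest_xml):
    """Return the set of article-listed capabilities the manifest declares."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag, table in (("uses-permission", PERMISSIONS), ("action", ACTIONS)):
        for el in root.iter(tag):
            label = table.get(el.get(ANDROID + "name"))
            if label:
                found.add(label)
    return found

def triage(manifest_xml):
    """Escalate on the combination; each marker alone is common in benign apps."""
    caps = capabilities(manifest_xml)
    intercepts_and_overlays = {"call interception", "screen overlay"} <= caps
    remote_or_recording = bool(caps & {"FCM channel", "audio recording", "video capture"})
    verdict = "escalate" if intercepts_and_overlays and remote_or_recording else "routine"
    return verdict, sorted(caps)
```

A manifest check like this only sees declared markers; code loaded dynamically at run time, which the article also mentions, needs behavioural analysis.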

According to researchers, SecretCalls is just one of nine vishing apps that provide cybercriminals in South Korea with the tools they need to conduct campaigns. This indicates that multiple vishing groups are operating globally, highlighting the importance of remaining vigilant against even the most convincing scams, Ryu says. Education on the distinctive characteristics of scams and the tactics that attackers typically use to try to deceive victims is also crucial to avoiding compromise.


