Voice phishing, or vishing, is having a moment right now, with numerous active campaigns across the world that are ensnaring even savvy victims who might seem likely to know better, defrauding them in some cases of millions of dollars.
South Korea is one of the global regions being hit hard by the attack vector; in fact, a scam in August 2022 caused the largest amount ever stolen in a single vishing case in the country. That occurred when a doctor sent 4.1 billion won, or $3 million, in cash, insurance, stocks, and cryptocurrencies to criminals, demonstrating just how much financial damage one vishing scam can inflict.
The sophisticated social engineering tactics behind the success of recent scams include impersonating regional law-enforcement officials, which gives the callers highly convincing authority, according to Sojun Ryu, lead of the Threat Analysis Team at South Korean cybersecurity firm S2W Inc. Ryu is giving a session on the trend, "Voice Phishing Syndicates Unmasked: An In-Depth Investigation and Exposure," at the upcoming Black Hat Asia 2024 conference in Singapore. Vishing campaigns in South Korea in particular take advantage of culture-specific aspects that allow even those who don't seem like they would fall for such a scam to be victimized, he says.
For example, recent scams have cybercriminals posing as the Seoul Central District Prosecutor's Office, which "can significantly intimidate people," Ryu says. By doing this and arming themselves with people's personal information in advance, they are succeeding in scaring victims into making financial transfers — sometimes in the millions of dollars — by making them believe if they don't, they will face dire legal consequences.
"Although their approach is not novel — employing the longstanding tactic of impersonating a prosecutor — the significant sum of money stolen in this instance can be attributed to the victim's status as a relatively high-income professional," Ryu says. "It is a stark reminder that anyone can fall prey to these schemes."
Indeed, vishing groups operating in Korea also appear to deeply understand the culture and legal systems of the region, and "skillfully mirror the current societal landscape in Korea, leveraging individuals' psychology to their advantage," he says.
Vishing Engineering: A Combo of Psychology & Technology
Ryu and his fellow speaker at Black Hat Asia, YeongJae Shin, a threat analysis researcher previously employed at S2W, will focus their presentation on vishing that's happening specifically in their own country. However, vishing scams similar to the ones occurring in Korea appear to be sweeping across the globe lately, leaving unfortunate victims in their wake.
The law-enforcement scams seem to fool even savvy Internet users, such as a New York Times financial reporter who detailed in a published report how she lost $50,000 to a vishing scam in February. Several weeks later, the writer of this article nearly lost 5,000 euros to a sophisticated vishing scam when criminals operating in Portugal posed as both local and international enforcement authorities.
Ryu explains that the blend of social engineering and technology allows these contemporary vishing scams to victimize even those who are aware of the danger of vishing and how their operators work.
"These groups utilize a blend of coercion and persuasion over the phone to deceive their victims effectively," he says. "Moreover, malicious applications are designed to manipulate human psychology. These apps not only facilitate financial theft through remote control after installation but also exploit the call-forwarding feature."
By using call-forwarding, even victims who try to validate the veracity of scammers' stories will think they are dialing the number of what seems like a legitimate financial or government institution. That's because threat actors "cunningly reroute the call" to their numbers, gaining trust with victims and improving the chances of attack success, Ryu says.
"Additionally, attackers are exhibiting a nuanced understanding of the local law enforcement's communication style and required documentation," he says. This allows them to scale their operations globally and even maintain call centers and manage a series of "burner" mobile-phone accounts to do their dirty work.
Updated Vishing Toolboxes
Vishing operators are also using other modern cybercriminal tools to operate across different geographies, including South Korea. One of them is the use of a device known as a SIM Box, Ryu explains.
With scammers typically operating outside the geographic locations that they target, their outbound calls may initially appear to originate from an international or Internet calling number. However, through the use of a SIM Box device, they can mask their calls, making them appear as if they are being made from a local mobile phone number.
"This technique can deceive unsuspecting individuals into believing the call is from a domestic source, thereby increasing the likelihood of the call being answered," he says.
Attackers also frequently employ a vishing app called SecretCalls in their attacks against Korean targets, which not only allows them to conduct their operations but also to evade detection. Over the years the app has "undergone significant evolution," which is why it's "one of the most actively disseminated variants" of vishing malware, Ryu says.
The malware's "sophisticated" features include the detection of Android emulators, alteration of ZIP file formats, and dynamic loading to impede analysis, Ryu says. SecretCalls also can overlay the screen on the phone and dynamically gather command & control (C2) server addresses, receive commands via Firebase Cloud Messaging (FCM), enable call forwarding, record audio, and stream video.
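For defenders triaging a suspicious Android app, the capabilities listed above can be checked against the manifest once it has been decoded to plain XML. The following is an added example, not code from S2W or the article; the mapping from each capability to Android permissions and intent actions, and the review rule, are this example's assumptions, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Capability named in the article -> manifest permissions that can enable it.
# This mapping is the example's assumption, not taken from the S2W research.
PERMISSION_MARKERS = {
    "screen overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "call forwarding": {"android.permission.PROCESS_OUTGOING_CALLS"},
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "video streaming": {"android.permission.CAMERA"},
}
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"
REDIRECT_ACTION = "android.telecom.CallRedirectionService"

def capabilities(manifest_xml):
    """Return the sorted article capabilities a decoded manifest could support."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID + "name") for e in root.iter("action")}
    found = {cap for cap, perms in PERMISSION_MARKERS.items() if perms & requested}
    if FCM_ACTION in actions:          # app can receive pushed commands
        found.add("FCM command channel")
    if REDIRECT_ACTION in actions:     # app registers a call redirection service
        found.add("call forwarding")
    return sorted(found)

def needs_review(manifest_xml):
    """Flag apps that pair outgoing-call handling with overlay or remote commands."""
    caps = set(capabilities(manifest_xml))
    return "call forwarding" in caps and bool(
        caps & {"screen overlay", "FCM command channel"})

# Constructed sample manifest, not taken from any real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".Push">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(capabilities(SAMPLE), needs_review(SAMPLE))
```

A match is a reason to look closer, not a verdict: legitimate dialer and messaging apps request some of the same permissions.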
SecretCalls is just one of nine vishing apps giving cybercriminals in South Korea the tools they need to conduct campaigns, the researchers have found. This indicates that multiple vishing groups are operating globally, highlighting the importance of remaining vigilant even to the most convincing scams, Ryu says. Educating employees about the trademark characteristics of the scams and the tactics that attackers typically use to try to fool victims is also crucial to avoiding compromise.