Fraud detection and intelligence business ThreatFabric has warned of an advanced voice phishing scam that is currently targeting Android phone users in South Korea but which could be adapted for use elsewhere. The group behind the scam refer to themselves as ‘LetsCall’ and have developed an advanced three-stage attack that combines fake websites, mobile phone spyware and the scammer’s own call center, which impersonates the customer service function of a victim’s bank.
The first phase of the attack involves tricking a victim into installing a downloader from a bogus website. For example, the downloader may have been obtained from a website that mimics the appearance of the Google Play app store. The downloader will then secretly install spyware on to the victim’s phone, allowing the gang to obtain the victim’s banking information during the second stage of the attack. This malware also enables the third stage by redirecting communications from the phone. The banking information obtained in the second phase is used to raid a victim’s account, but the victim’s attempts to warn their bank will be thwarted because calls to the bank will be connected to the gang’s call center instead.
The brilliantly devious scheme means that a victim who notices suspicious transactions involving their bank account may end up facilitating further crime by providing additional personal information to the criminals in response to questions that were seemingly asked to authenticate the customer.
ThreatFabric describes the second and third phases of the LetsCall scam as ‘huge’. They also observed the remarkable range of skills exhibited by the LetsCall gang.
- Android developers familiar with VOIP traffic routing
- Designers responsible for crafting the appearance of phishing websites and malicious apps
- Backend developers who know how to prevent unauthorized access of APIs
- Call operators who speak several languages fluently
One of the simplest protections that some consumers have against scammers is that they use a language which is uncommon outside of their home country. Speakers of English, Mandarin and Spanish are at greater risk because the same scam can be used to attack victims in many different countries, without the effort involved in translating the scam to a new language. South Korea is a prosperous country but it is noteworthy that the LetsCall scam revolves around webpages written in Korean and call operators who speak Korean. Various webpages have been created for the initial deception, but each mimics sites familiar to South Koreans. The example webpages pictured above are copies of (from left to right): Banksalad, a loan comparison aggregator; KICS, the Korea Information System of Criminal-Justice Services; and Finda, another loan comparison aggregator.
ThreatFabric’s explanation of LetsCall is sketchy in places, although they also state that their research into LetsCall is ongoing. They refer to phishing websites also being used to obtain personal data from victims, but obtaining information via a bogus website, via mobile handset spyware and via social engineering conducted during a phone call sounds like three distinct modes of obtaining the same kinds of data rather than the three-step progression of a single scam. Nevertheless, ThreatFabric does provide impressive detail when discussing some of the technical aspects of LetsCall. If LetsCall is as elaborate as ThreatFabric suggests then we all must be wary of new levels of sophistication involving phone and web-based scams.
ThreatFabric’s analysis of LetsCall can be found here.