Koreans Hit by Android Vishing Malware Bank Raiders

Fraud detection and intelligence business ThreatFabric has warned of an advanced voice phishing scam that is currently targeting Android phone users in South Korea but which could be adapted for use elsewhere. The group behind the scam refer to themselves as ‘LetsCall’ and have developed an advanced three-stage attack that combines fake websites, mobile phone spyware and the scammer’s own call center, which impersonates the customer service function of a victim’s bank.

The first phase of the attack involves tricking a victim into installing a downloader from a bogus website, for example one that mimics the appearance of the Google Play app store. The downloader then silently installs spyware onto the victim’s phone, allowing the gang to obtain the victim’s banking information during the second stage of the attack. The same malware also enables the third stage by redirecting calls made from the phone. The banking information obtained in the second phase is used to raid the victim’s account, but the victim’s attempts to warn their bank are thwarted because calls to the bank are connected to the gang’s call center instead.
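The three stages above map onto concrete Android capabilities: a dropper needs to install further packages, credential theft usually relies on overlays or accessibility abuse, and call redirection needs a component in the outgoing-call path. The following script is an added example, not code from Commsrisk or from ThreatFabric’s report, and the indicator tables are a generic assumption about what such apps typically declare rather than indicators of compromise for LetsCall. The manifest it parses is constructed for the demo, including the package name.

```python
"""Triage an AndroidManifest.xml for capabilities a dropper or
call-redirecting spyware would need.

Added example, not code from the article or from ThreatFabric.
Indicator tables are assumed generic indicators, not LetsCall IOCs.
"""
import xml.etree.ElementTree as ET

# Android attribute namespace used on every android:name / android:permission.
A = "{http://schemas.android.com/apk/res/android}"

# <uses-permission> entries and what they would enable (assumed, generic).
PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper: may install further APKs",
    "android.permission.PROCESS_OUTGOING_CALLS": "calls: may observe or rewrite dialled numbers (legacy API)",
    "android.permission.ANSWER_PHONE_CALLS": "calls: may answer or end calls",
    "android.permission.READ_CALL_LOG": "calls: may read call history",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay: may draw a fake login screen over the bank app",
    "android.permission.RECORD_AUDIO": "audio: may record calls",
    "android.permission.READ_SMS": "sms: may read one-time passcodes",
    "android.permission.RECEIVE_SMS": "sms: may intercept one-time passcodes",
}

# Service intent actions that put the app in the call path or on the screen.
BOUND_SERVICES = {
    "android.telecom.CallRedirectionService":
        "calls: CallRedirectionService may substitute the number of every outgoing call",
    "android.accessibilityservice.AccessibilityService":
        "accessibility: may read the screen and act on the user's behalf",
}

# Broadcast receiver actions of interest.
RECEIVER_ACTIONS = {
    "android.intent.action.NEW_OUTGOING_CALL": "calls: receives the outgoing-call broadcast",
}

CALL_PATH_INDICATORS = {
    "android.telecom.CallRedirectionService",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.intent.action.NEW_OUTGOING_CALL",
}


def triage_manifest(manifest_xml: str) -> list[tuple[str, str]]:
    """Return (indicator, meaning) pairs declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for up in root.iter("uses-permission"):
        name = up.get(A + "name", "")
        if name in PERMISSIONS:
            findings.append((name, PERMISSIONS[name]))
    app = root.find("application")
    if app is None:
        return findings
    # Element tags are unnamespaced; only attributes carry the android: prefix.
    for comp in list(app.iter("service")) + list(app.iter("receiver")):
        table = BOUND_SERVICES if comp.tag == "service" else RECEIVER_ACTIONS
        for action in comp.iter("action"):
            name = action.get(A + "name", "")
            if name in table:
                findings.append((name, table[name]))
    return findings


def call_path_hijack_possible(findings: list[tuple[str, str]]) -> bool:
    """True if any finding would let the app intercept or redirect outgoing calls."""
    return any(ind in CALL_PATH_INDICATORS for ind, _ in findings)


# Constructed sample: a fake "Play Store" app that declares dropper, overlay,
# SMS and call-redirection capabilities. Package name is invented.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakestore">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Play Store">
        <service android:name=".RedirectSvc"
                 android:permission="android.permission.BIND_CALL_REDIRECTION_SERVICE">
            <intent-filter>
                <action android:name="android.telecom.CallRedirectionService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    found = triage_manifest(SAMPLE_MANIFEST)
    for indicator, meaning in found:
        print(f"{indicator}: {meaning}")
    print("call path hijack possible:", call_path_hijack_possible(found))
```

A declared CallRedirectionService is not active on its own: on Android 10 and later the user has to grant the app the call-redirection role, so during triage confirm which app currently holds that role on the handset rather than relying on the manifest alone.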

The brilliantly devious scheme means that a victim who notices suspicious transactions involving their bank account may end up facilitating further crime by providing additional personal information to the criminals in response to questions that were seemingly asked to authenticate the customer.

ThreatFabric describes the second and third phases of the LetsCall scam as ‘huge’. They also observed the remarkable range of skills exhibited by the LetsCall gang.

  • Android developers familiar with VoIP traffic routing
  • Designers responsible for crafting the appearance of phishing websites and malicious apps
  • Frontend developers familiar with JavaScript
  • Backend developers who know how to prevent unauthorized access to APIs
  • Call operators who speak several languages fluently

One of the simplest protections that some consumers have against scammers is that they use a language which is uncommon outside of their home country. Speakers of English, Mandarin and Spanish are at greater risk because the same scam can be used to attack victims in many different countries, without the effort involved in translating the scam to a new language. South Korea is a prosperous country but it is noteworthy that the LetsCall scam revolves around webpages written in Korean and call operators who speak Korean. Various webpages have been created for the initial deception, but each mimics sites familiar to South Koreans. The example webpages pictured above are copies of (from left to right): Banksalad, a loan comparison aggregator; KICS, the Korea Information System of Criminal-Justice Services; and Finda, another loan comparison aggregator.

ThreatFabric’s explanation of LetsCall is sketchy in places, although they also state that their research into LetsCall is ongoing. They refer to phishing websites also being used to obtain personal data from victims, but obtaining information via a bogus website, via mobile handset spyware and via social engineering conducted during a phone call sounds like three distinct modes of obtaining the same kinds of data rather than the three-step progression of a single scam. Nevertheless, ThreatFabric does provide impressive detail when discussing some of the technical aspects of LetsCall. If LetsCall is as elaborate as ThreatFabric suggests then we all must be wary of new levels of sophistication involving phone and web-based scams.

ThreatFabric’s analysis of LetsCall can be found here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.