Voice Phishing Syndicates Unmasked: An In-Depth Investigation and Exposure

In August 2022, a single voice-phishing incident in South Korea caused $4.1 billion in damages, the largest single cyber incident in the country. Voice phishing attack groups trick victims into installing a malicious app and then convince them to call law enforcement. Without the victim's knowledge, the scammers redirect the call to their own number and pose as a real law enforcement agency, convincing them to transfer money.

Voice phishing attack groups have sophisticated attack scenarios based on social engineering techniques, and malicious apps have been created for their purpose. They select their victims by obtaining personal information such as phone numbers and ages from a database of personal information collected before the attack. The tactics used vary depending on the target, such as impersonating financial institutions for those with a history of loan counseling, impersonating public institutions for younger people, or targeting young women in their 20s. In an effort to appear legitimate, the attack groups operate their phishing sites only during business hours in South Korea.

We have categorized at least nine types of voice phishing malware circulating in Korea. Each type is characterized by its packer, C&C server communication, file structure, etc. Among them, we have been tracking and analyzing a malicious app named 'SecretCalls' for about three years. We plan to present a detailed analysis of the weaponry used by voice phishing groups, their infrastructure, and their evolved attack methods.

By:
Sojun Ryu | Lead of Threat Analysis Team, S2W Inc.
YeongJae Shin | Threat Analysis Researcher, Ex-S2W Inc.

Full Abstract & Presentation Materials:
https://www.blackhat.com/asia-24/brie...
