A new form of vishing (voice phishing) campaign has been observed targeting Android users in South Korea, and is predicted to expand further into European Union countries. This multi-stage voice phishing attack known as ‘LetsCall’ employs an advanced toolset with the same name that features strong evasion tactics.
The attack mode
In the campaign, the attackers use a counterfeit Google Playstore website to deceive victims into downloading malicious apps. The attack is carried out in three stages.
- Once a malicious app is downloaded, it obtains necessary permissions on the device and prepares to install the second stage malware.
- In the second stage, is initiated by downloading spyware from the C2 server. The attackers exfiltrate data and enroll the infected device into the P2P VOIP network to make video/voice calls to the victim.
- To achieve this, criminals abuse LetsCall and a legit service called ZEGOCLOUD to facilitate VOIP communication and messaging.
- In the third stage, the second-stage malware is launched again to extend its functionalities such as redirecting calls from the victim’s device to the attacker’s call center.
Data stolen in the attack
The attackers pose as banking employees and use social engineering tactics to extract sensitive information from unsuspecting users.
- The redirected victims are attended by pre-recorded MP3 voice messages in the Korean language.
- The messages pretend to be from Banksalad (Loan comparison aggregator), Finda (loan comparison aggregator), and KICS (Korea Information System of Criminal-Justice Services) and ask for sensitive data like Resident Registration Number/ID, phone number, salary, home address, and employer identity.
Vishing: an ever-evolving threat
This new form of vishing attack underscores the constant evolution of phishing tactics and attackers’ ability to exploit the technology for malicious purposes. While the victims are tricked into sharing their sensitive information in the current campaign, they may even be lured into visiting their nearest ATM to withdraw cash and paying a specific sum of money asked by scammers against a fake micro-loan.
The bottom line
Banks never ask for detailed personal and financial information over the call. Therefore, users must be cautious of such calls and inform the bank’s security team personnel in case of suspicion. Besides, it is recommended to implement MFA across all banking accounts as an additional security.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/4f3d_shutterstock_597956924_ransomware2.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/580d_Shutterstock_2240496659.jpg)
