A new report from ThreatFabric shows that vishing (voice or VoIP phishing) attacks have become markedly more sophisticated. The report describes an advanced toolset, tracked as LetsCall, that is being used in a multi-stage vishing campaign targeting users in South Korea. Given the maturity of the toolset, the researchers believe the operators could expand the campaign to countries in the European Union.
The LetsCall attack proceeds in three stages. The first stage, the Downloader, prepares the device, obtains the permissions the later stages need, and displays a phishing page. The victim is lured to an attacker-controlled page styled after the Google Play Store and tricked into installing the first link of a malicious application chain. In the second stage, a full-featured spyware application is downloaded onto the device. It lets the attacker exfiltrate data and enrolls the infected phone into a peer-to-peer VoIP network that supports voice and video calls; the operators abuse ZEGOCLOUD, a legitimate real-time communication service, to carry the VoIP traffic.
For NAT traversal the malware relies on STUN/TURN servers, including Google's public STUN servers and servers the attackers configured themselves; the settings for the self-hosted servers, credentials included, are embedded in the application code, so anyone who decompiles the APK can recover them. A second command channel runs over WebSockets, and because commands can arrive both from the peer-to-peer service and over the WebSocket, the same command may be received and executed twice. The attacker can configure a whitelist of phone numbers whose calls are redirected and a blacklist of numbers that bypass redirection. The researchers also noted that the malware uses NanoHTTPD to run a local HTTP server on the device.
In the third stage, a companion application is launched to extend the second-stage malware. Its key feature is phone-call handling: it can intercept incoming and outgoing calls and reroute them to the attacker's call center as the attacker directs, so a victim's own call to, say, their bank can end up with the fraudsters. The APK resembles the second-stage APK, uses the same evasion techniques and likewise ships its payload as XOR-encrypted DEX files. Its code base is large and contains the call-manipulation logic.
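Two of the details above, the STUN/TURN settings embedded in the application code and the XOR-encrypted DEX payloads, are exactly what an analyst triaging such an APK looks for first. The Python below is an added example written for this article; it is not ThreatFabric's tooling and not code from the LetsCall samples. It assumes a short repeating XOR key of one to four bytes (the report does not state the key scheme) and a WebRTC-style JSON configuration with `urls`, `username` and `credential` fields; the payload it runs on is constructed inline.

```python
"""Added triage example (not ThreatFabric's tooling): recover a short
repeating XOR key from an encrypted DEX payload using its known header,
then pull STUN/TURN server entries, including any hard-coded credentials,
out of the decoded bytes.  Key length and JSON layout are assumptions."""
import json
import re
from typing import Optional

DEX_PREFIX = b"dex\n"                    # every DEX file starts with this
DEX_VERSION = re.compile(rb"\d{3}\x00")  # followed by e.g. "035\0"
MAX_KEY_LEN = 4                          # assumption: short repeating key


def xor_bytes(blob: bytes, key: bytes) -> bytes:
    """XOR blob with a repeating key (symmetric: encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def recover_xor_key(blob: bytes) -> Optional[bytes]:
    """Known-plaintext attack on the 8-byte DEX header: the first 4 bytes
    must decrypt to b'dex\\n' and bytes 4..8 to three digits plus NUL.
    Tries key lengths 1..MAX_KEY_LEN; returns None if none fits."""
    if len(blob) < 8:
        return None
    for klen in range(1, MAX_KEY_LEN + 1):
        # key[i] = cipher[i] ^ plain[i] over the known prefix
        key = bytes(blob[i] ^ DEX_PREFIX[i] for i in range(klen))
        hdr = xor_bytes(blob[:8], key)
        if hdr.startswith(DEX_PREFIX) and DEX_VERSION.fullmatch(hdr[4:]):
            return key
    return None


# Innermost JSON object that mentions a stun:/turn: URI.
ICE_OBJECT = re.compile(rb"\{[^{}]*\b(?:stun|turn)s?:[^{}]*\}")


def extract_ice_servers(data: bytes) -> list:
    """Find JSON objects carrying STUN/TURN URIs and report the URI plus any
    username/credential sitting next to it (a hard-coded TURN secret)."""
    servers = []
    for m in ICE_OBJECT.finditer(data):
        try:
            obj = json.loads(m.group(0).decode("utf-8", "replace"))
        except json.JSONDecodeError:
            continue  # a URI inside non-JSON code; ignore
        urls = obj.get("urls") or obj.get("url") or []
        for uri in ([urls] if isinstance(urls, str) else urls):
            servers.append({
                "uri": uri,
                "relay": uri.startswith(("turn:", "turns:")),
                "username": obj.get("username"),
                "credential": obj.get("credential"),
            })
    return servers


def triage_payload(blob: bytes) -> dict:
    """Recover the key, decrypt, and list servers and leaked credentials."""
    key = recover_xor_key(blob)
    if key is None:
        return {"key": None, "servers": [], "leaked_credentials": []}
    plain = xor_bytes(blob, key)
    servers = extract_ice_servers(plain)
    return {
        "key": key.hex(),
        "servers": servers,
        "leaked_credentials": [s for s in servers if s["credential"]],
    }


# Constructed sample, not a real LetsCall artifact: a DEX-like header, some
# padding, and a WebRTC-style config naming a Google STUN server and a
# self-hosted TURN relay whose credentials sit in the clear.
SAMPLE_CONFIG = (
    b'{"iceServers":[{"urls":"stun:stun.l.google.com:19302"},'
    b'{"urls":["turn:203.0.113.10:3478?transport=udp","turns:203.0.113.10:5349"],'
    b'"username":"relayuser","credential":"hunter2"}]}'
)
SAMPLE_DEX = b"dex\n035\x00" + b"\x00" * 24 + SAMPLE_CONFIG + b"\x00" * 8
SAMPLE_KEY = b"\x5a\xa7\x13"  # the packer's key; unknown to the analyst
ENCRYPTED_SAMPLE = xor_bytes(SAMPLE_DEX, SAMPLE_KEY)

if __name__ == "__main__":
    report = triage_payload(ENCRYPTED_SAMPLE)
    print("recovered key:", report["key"])
    for server in report["servers"]:
        print(server)
```

The header check is what makes the key recovery trustworthy: a one-byte guess that happens to decrypt `d` correctly is rejected as soon as the remaining header bytes do not read `ex\n` followed by a version. The same approach extends to any payload with a fixed magic value; only the prefix and the length of the known plaintext change.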
How victims are first lured to the phishing page is unclear; the researchers suspect black-hat SEO or social engineering. The phishing pages mimic the Google Play Store and are laid out for mobile screens. Three pages observed by the researchers imitate popular South Korean financial services and ask for sensitive data such as resident registration numbers, phone numbers, salary, home address and employer.
Vishing is an evolving threat that combines voice calls with phishing techniques. Fraudsters use modern voice-routing technology and have built systems that automatically call victims and play pre-recorded messages to lure them into visiting malicious URLs or giving away personal or financial information; some even manipulate victims into withdrawing cash from ATMs. When vishing is combined with a mobile infection of this kind, the scammers can take out micro-loans in the victim's name, leaving the victim to repay them.
The rise of such sophisticated vishing campaigns is concerning. Individuals should remain cautious when receiving calls from unknown numbers or providing personal information over the phone, and should verify a caller's legitimacy before sharing anything sensitive. With a toolset like LetsCall there is an extra catch: because the malware can reroute outgoing calls, phoning the bank back from the same handset is not a reliable check, since that call can land in the attackers' call center too. Verifying from a different device, and never installing apps from a web page that merely looks like the Play Store, cuts off both the initial infection and the rerouted callback.

