CyberSecurity SEE

Letscall: A New Voice Over IP Phishing Attack to Steal

A new and sophisticated form of voice phishing (vishing) attack called “Letscall” has been identified by cybersecurity researchers. Vishing attacks have gained popularity in recent years and have eroded trust in calls from unfamiliar numbers. In these attacks, scammers impersonate bank employees or salespeople to trick individuals into divulging sensitive information. However, the Letscall scam takes vishing to a whole new level.

The Letscall attack follows a multi-stage chain, starting with a fake Google Play Store site. The scammers trick victims into downloading malicious apps, which initiates the attack. In the first stage, the app prepares the victim’s device, obtains the necessary permissions, and launches the phishing page. It then downloads and installs second-stage malware from a control server. In the second stage, the attacker communicates with the victim through video or voice calls, using a powerful spyware application to extract data and enlist the infected device in a P2P VoIP network. The third stage complements the second-stage malware by adding functionality such as call redirection to the attacker’s control center.

The Letscall group behind these attacks consists of skilled individuals in voice social engineering, including Android developers, designers, frontend developers, and backend developers. They employ modern voice traffic routing technology and automated victim calls with pre-recorded messages to lure individuals into their traps.

The method used to lure victims to the decoy page is still unknown, but it is suspected that the scammers employ blackhat SEO techniques and social engineering tactics. Interestingly, cybersecurity analysts have discovered Google Play-like pages that are optimized for mobile screens and are primarily in the Korean language.

The downloaders used in the Letscall attack are simple and specific apps, occasionally utilizing custom methods. The malware incorporates obfuscation techniques such as Tencent Legu and Bangcle (SecShell) to evade detection. It also corrupts the manifest in later stages to avoid security systems.
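A triage sketch for the packers and manifest tampering mentioned above, added here as an example and not taken from the researchers' report: it lists native-library names associated with Tencent Legu and Bangcle inside an APK and sanity-checks `AndroidManifest.xml`. The marker prefixes, the function names and the manifest checks are assumptions; the article does not say how the manifest is corrupted.

```python
import io
import zipfile

# Native-library name prefixes commonly associated with each packer (lowercase).
# Assumption: drawn from public packer-identification rules, not from this article.
PACKER_MARKERS = {
    "Tencent Legu": ("libshella", "libshellx", "libshell-super"),
    "Bangcle (SecShell)": ("libsecexe", "libsecmain", "libsecshell"),
}

def manifest_status(zf, info):
    """Generic sanity checks; the article does not say how the manifest is corrupted."""
    if info.compress_type not in (zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED):
        return "unexpected-compression"
    try:
        data = zf.read(info)
    except Exception:  # CRC mismatch, truncated stream, bad header
        return "unreadable"
    # Binary AndroidManifest.xml starts with chunk type 0x0003, little-endian.
    return "ok" if data[:2] == b"\x03\x00" else "bad-magic"

def triage_apk(apk):
    """Return packer marker hits and manifest status for an APK path or file object."""
    report = {"readable": True, "packers": {}, "manifest": "missing"}
    try:
        zf = zipfile.ZipFile(apk)
    except zipfile.BadZipFile:
        report["readable"] = False
        return report
    with zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1].lower()
            if info.filename.startswith("lib/") and base.endswith(".so"):
                for packer, prefixes in PACKER_MARKERS.items():
                    if base.startswith(prefixes):
                        report["packers"].setdefault(packer, []).append(info.filename)
            elif info.filename == "AndroidManifest.xml":
                report["manifest"] = manifest_status(zf, info)
    return report

def constructed_sample():
    """Constructed in-memory APK-like ZIP (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"plain text, not binary XML")
        zf.writestr("lib/armeabi-v7a/libSecShell.so", b"\x7fELF")
    buf.seek(0)
    return buf
```

A packer hit alone is not a verdict, since legitimate apps also ship with commercial packers; it is a reason to route the file to deeper analysis.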

These vishing attacks can have serious consequences, including saddling victims with significant loan repayments. Unfortunately, financial institutions often underestimate the impact of these intrusions. Currently, the Letscall attack is limited to South Korea, but security analysts warn that the threat actors behind it could easily expand to other regions, including the European Union, due to the lack of technical barriers.

To combat the Letscall attack and similar vishing attacks, it is crucial for individuals to be vigilant and skeptical when receiving calls from unknown numbers. They should not disclose sensitive information over the phone unless they can verify the caller’s identity. It is also important for financial institutions and other organizations to educate their customers about vishing attacks and implement robust security measures to detect and prevent them.

Security analysts have provided indicators of compromise (IoCs) to help identify the Letscall attack. These include SHA-256 file hashes for the downloader and the second and third stages of the malware.

In conclusion, the emergence of the Letscall attack highlights the evolving nature of vishing attacks and the need for individuals and organizations to stay informed and proactive in their cybersecurity measures. By being aware of the techniques used by scammers and implementing appropriate security protocols, individuals can protect themselves from falling victim to these sophisticated voice phishing attacks.
