The digital device that we use the most in our daily lives is the mobile phone. It is used in a wide range of daily activities such as communication, searching, shopping, making payments, verifying identity, and investing. Some people do not own personal computers, but almost everyone these days has a mobile phone. Scammers aim for mobile phones because they are the most widespread, most utilized devices. They use subterfuge and scams to steal our money, information, and permissions.
Contents
- These Text Messages Are All Scams
- Cases of Smishing Scam
- AhnLab TIP Smishing Threat Intelligence
- What Happens When Scammed by Smishing?
- What Happens When Money Used for Investment
- What Happens if Victims Entered Information
- What Happens if Victims Made Direct Contact
- What Happens if Victims Installed Apps
- AhnLab TIP Mobile App Threat Intelligence
- Voice Phishing in Korea
- Malicious Scam Apps Uploaded to Official App Store
- Fake Loan Scam
- Investment Prompting Scam
- See Related Articles
Definition
Scamming is defined as the crime of deceiving others via immoral means for financial gains, stealing intellectual property, or unauthorized access to assets. Scammers (criminal, attacker) mostly utilize direct channels such as voice calls, messages, emails, messengers, social media, and websites to coerce their victims into performing deeds they want done.
These Text Messages Are All Scams
Despite the differences in digital accessibility and culture, text messages (SMS) are one of the top 3 most frequently used channels for scamming in eight different Asian countries including Korea. Globally, SMS is the second most frequently used channel for scams (58%), second only to phone calls (61%).[1]
If you have received any of the following SMS messages, you have been targeted by scammers. The messages shown below could be smishing, also known as SMS phishing. Most of the messages impersonate an entity to push victims to check the details urgently, or lure victims with content that piques their interest.
The chart below shows the types of scam messages and their prevalence, based on data AhnLab collected through V3 Mobile Security. The most common scam method in the fourth quarter of 2023 was the temporary employee scam (61.2%). The scammers in disguise prompt their victims to invest money in particular schemes promising easy, large returns, but these are financial frauds in essence. The second most prevalent type is card issuer impersonation (17.6%). Scammers impersonate card issuers and approach their victims with topics such as the issuance of new cards and transaction approval. They then prompt the victims to call the listed numbers, attempting to trap them in financial frauds that also become voice phishing cases. There were also cases of impersonating public agencies, family members, and friends. The mix of types and their frequency changes every season because of seasonal issues such as taxes and holidays and because scammers adopt new strategies.
Cases of Smishing Scam
The following shows smishing cases found since the third quarter of 2023. A large number of scammers impersonated certain individuals, organizations, and/or services. URLs that are still valid and certain personal details are masked with asterisks (*).
Impersonation of Temporary Employee, Prompting Investing
No age restrictions (90+ ok), certified by public agencies, many celebrities do it too. Get happy forever in 20 minutes. dokdo.in/E***
IPO available, first come first serve, pre-subscribe at hxxps://angel*ipo.net
Hello! I am a recruitment manager looking to hire temporary workers. Get started right away. No experience required, available to everyone, simple tasks only! Work whenever you want at you own pace! (You can choose to work remotely at home or at the desired place! )#daypay #bonusforwomen #workathome (etc.)
Impersonation of Card Issuer and Sending Fake Payment Notice
An international shopping payment of 962,900 KRW has been made via Lotte 5*6* Card on October 20th (transaction approved). If this payment is not made by you, please call the following number immediately: 1551-****
Approval code [0598] 385,150 KRW Payment Processed [Samsung Pay] Customer Center: 052-227-****
Dear ***, new [Samsung Card] (***) has been issued. If this was not requested by you, please call **-****-**** immediately.
Impersonation of Public Agency
[Traffic Police 24 (efine)] Notice of penalties for the violation of road law (sent) – Check details at hxxp://slc.pg5s.mom
{National Health Insurance} The health check questionnaires has been sent. Read details at hxxp://xld.fg6n.one
[National Tax Service] Check discount benefits for tax return settlement 2023 (Download) hxxps://Taxreturn.lrl.kr
[NPS National Pension Service] National pension reduction issued – hxxps://xgo.kr/4iu
[Civic Complaint] Violation of Waste Management Act (Unlawful disposal of daily living waste). Check it at: **.*****.life/lEtU
Impersonation of Family and Friends
<Notice of Death> I am sending this message because my father has passed away. Funeral details – hxxps://t.ly/d9oTh
(Mobile Invitation), ♡Wedding Date: 01/6 (Saturday) 11 AM. Come one, come all. hxxp://hin.aikuju.xyz/ZLCB
mom? my phone’s dead so I’m sending this from my PC. hxxp://s.id/1IcWP go to this page and install it. give whatever permissions it asks and let me know when ur done. it’s an order tracker app.
Impersonation of Package Deliverer and Shipping Company
[Coupang Customer Center] The delivery address is invalid. Please check and enter the valid address. hxxp://go9.co/S
[CJ Logistics] Product you purchased is expected to arrive between 4 – 6 PM. Read details at hxxps://v09.an1s.best
Others
[International Message] Your Telegram has not been validated for a long time. Please verify at hxxps://web-telegramm.icu. Your account will be logged out upon delay.
[International Message] My love, I’ve lost my phone. Add New LINE ID: an199**
AhnLab TIP Smishing Threat Intelligence
AhnLab Threat Intelligence Platform (ATIP), or AhnLab TIP, provides ‘Smishing URLs,’ a smishing status report, and a smishing intelligence report every quarter. The most recent report is the ‘2023 4th Quarter Smishing Trend Report’.
- Daily Smishing Message Collections
- Major Cases and Damage Reports per Smishing Type
- Statistics on Impersonated Organizations and Industries
  - Public Agencies
  - Finance Firms
  - Logistics Companies
- Prevention and Response Advisory
What Happens When Scammed by Smishing?
Scammers directly contact their victims via text messages and drive them to voluntarily perform acts that are parts of their scams. These acts include investing money, entering information, contacting the scammers, and installing apps. They can cause the following damage:
Prompted Actions | Results |
---|---|
Investing money | Financial loss |
Entering information | Personal information theft, loss due to unauthorized access, and installation of malicious app following target verification |
Contacting Scammers | Financial loss due to scams such as voice phishing and installation of malicious apps |
Installing Apps | Loss due to unauthorized access, information theft (financial information, files, contacts, two-step authentication code message, etc.), hijacked control |
What Happens When Money Used for Investment
No age restrictions (90+ ok), certified by public agencies, many celebrities do it too. Get happy forever in 20 minutes. dokdo.in/E***
Upon clicking the smishing URL, victims are redirected to an ad website that promises immense profit in a short time. To increase the credibility of the website, the scammers illegally used photos of well-known celebrities and posted pictures showing fake revenues. The scammers attempt to engage in a 1:1 conversation with their victims using a mobile messenger app such as KakaoTalk and prompt them to register on a fake trade exchange website and invest money. For the exchange, the threat actor stole the Meta logo and used it without permission.
In these cases, scammers initially provide their victims with guaranteed profit for small investments to build trust. However, as the trust grows, the scammers start asking for a larger sum of money and steal it. Details about investment scams that include elements such as celebrity impersonation and stimulating advertisements will be covered in the article ‘Online Scam: I Just Wanted to Earn a Vast Sum of Money with Little Effort’ which is scheduled for a release soon.
IPO available, first come first serve, pre-subscribe at hxxps://angel*ipo.net
Some scammers impersonate companies scheduled for an actual initial public offering (IPO) and prompt their victims to buy ‘special’ shares that do not exist. The URL in the smishing text above redirects victims to a website that looks identical to that of the actual company. The only difference between the fake and the real site is that the fake website has a personal information input field for the initial offer application.
What Happens if Victims Entered Information
[International Message] Your Telegram has not been validated for a long time. Please verify at hxxps://web-telegramm.icu. Your account will be logged out upon delay.
The message above is a type of smishing that prompts victims to validate their Telegram (a mobile messenger) account. Telegram provides users with a feature to use login codes to access the web version of the service. Scammers, in order to hijack their victims’ Telegram login sessions and gain unauthorized access, created a fake Telegram phishing website. Because the phishing website’s URL is similar to the URL of Telegram’s web version (https://web.telegram.org) it is easy for victims to get tricked. When victims enter their login code in the phishing website, the scammers can use that information to view the Telegram screen.
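The lookalike-URL trick described above can be checked mechanically. The following is an added example, not AhnLab's code: it pulls hosts out of defanged SMS text and flags any whose name, with the TLD and separators removed, is within a small edit distance of an official host. The allowlist, the distance threshold, and all function names are assumptions for illustration; the two messages are samples quoted in this article.

```python
import re

# Assumption: the allowlist holds hosts you trust; web.telegram.org is the one named above.
OFFICIAL_HOSTS = ("web.telegram.org",)

# Matches live (http/https) and defanged (hxxp/hxxps) URLs and captures the authority part.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://([^\s/]+)", re.IGNORECASE)

# Sample messages quoted from this article (URLs left defanged).
SAMPLES = [
    "[International Message] Your Telegram has not been validated for a long time. "
    "Please verify at hxxps://web-telegramm.icu. Your account will be logged out upon delay.",
    "[Traffic Police 24 (efine)] Notice of penalties for the violation of road law (sent) "
    "– Check details at hxxp://slc.pg5s.mom",
]


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(authority):
    """Strip userinfo, port and a trailing sentence period from a captured authority."""
    return authority.split("@")[-1].split(":")[0].rstrip(".").lower()


def squash(host):
    """Drop the last label (TLD) and all separators: web.telegram.org -> webtelegram.
    Simplification: multi-label suffixes such as co.kr are not handled."""
    labels = host.split(".")
    return re.sub(r"[^a-z0-9]", "", "".join(labels[:-1]))


def classify_host(host, max_distance=2):
    """Return 'official', 'lookalike of <host>' or 'unrelated' for one host."""
    host = normalize(host)
    if host in OFFICIAL_HOSTS:
        return "official"
    for official in OFFICIAL_HOSTS:
        if edit_distance(squash(host), squash(official)) <= max_distance:
            return "lookalike of " + official
    return "unrelated"


def scan_message(text):
    """Return (host, verdict) for every URL found in an SMS body."""
    return [(normalize(a), classify_host(a)) for a in URL_RE.findall(text)]


if __name__ == "__main__":
    for sms in SAMPLES:
        print(scan_message(sms))
```

A verdict of "unrelated" only means the host does not resemble an allowlisted name; it says nothing about whether the link is safe, as the second sample shows.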
[Civic Complaint] Violation of Waste Management Act (Unlawful disposal of daily living waste). Check it at: **.*****.life/lEtU
When victims click the smishing URL, they are redirected to a website that asks them to enter information such as their names, dates of birth, contact numbers, and account numbers. This is a type of verification process that checks whether the accessing users are intended victims. Users who are not intended victims cannot download the malicious app even after they access the website. Victims, on the other hand, may wrongly believe that they accessed the official website, entered the required information, passed a validation process, and installed an official app.
What Happens if Victims Made Direct Contact
[International Message] My love, I’ve lost my phone. Add New LINE ID: an199**
In this type of scam, the scammers approach their victims with messages that may pique the victims’ interest and lead them to a mobile messenger chat. They then form a friendly relationship with their victims and may ask them to transfer money or forward parcels, inflicting financial losses, or engage in a sexually explicit conversation in which they demand that victims share photos and videos, and then blackmail them with the sensitive material they obtained.
An international shopping payment of 962,900 KRW has been made via Lotte 5*6* Card on October 20th (transaction approved). If this payment is not made by you, please call the following number immediately: 1551-****
The smishing message above only contains a contact number. Scammers send false notification messages about transaction errors or information leaks that seemingly demand the victims’ immediate attention, drawing them to call the number directly. The contact numbers written in such messages all belong to voice phishing organizations that impersonate card issuers or finance companies. When victims contact them, the phishing organization tells the victims to install apps (malicious by design) for convenience and security. Recently, to avoid suspicion, some scammers prompted victims to install legitimate apps that support a remote control feature and then installed malicious apps directly through the legitimate app.
What Happens if Victims Installed Apps
[Traffic Police 24 (efine)] Notice of penalties for the violation of road law (sent) – Check details at hxxp://slc.pg5s.mom
In this type of scam, the scammers impersonate public agencies or friends of victims, or send fake messages that align with the victims’ interests, and prompt them to click the URL inside the smishing message. The victims, because they are redirected to the screen they expected to see, click buttons such as ‘Download App’ and ‘See Details’ without much suspicion. The downloaded apps disguise themselves with the icons of public agencies, private companies, or basic Android features.
Some of these apps use official app store screens (e.g. Google Play or App Store) to prompt users to install them. The victims, because they are tricked into thinking they are installing official apps from a store, fail to realize that they are installing malicious apps. It is easy to fall for such scams because the color, the layout, and the reviews are all configured to recreate the screens of official app stores. The images below are all screens of fake, modified app stores. iPhones are not safe from scam apps.
These malicious apps collect various information from mobile phones and send the data to the scammers. In this age, mobile phones are not just carriers of sensitive data (e.g. personal information, files, contact numbers, and images), but also a means of identity verification through SMS. Scammers can access and steal the information on their victims’ phones through the installed malicious apps.
For example, scammers can hijack or send text messages containing verification codes and pass the verification process using the information. Additionally, they can take full control of mobile phones through app features such as voice recording, video recording, taking photos, and sending text messages. In certain scam cases, malicious apps were installed via smishing, and this led to the extortion of information that ultimately resulted in severe financial losses due to unintentional purchases involving large sums of money.
For a more detailed analysis report on the malicious apps, check AhnLab Threat Intelligence Platform (AhnLab TIP).
AhnLab TIP Mobile App Threat Intelligence
AhnLab Threat Intelligence Platform (AhnLab TIP) provides detailed threat analysis reports related to mobile apps. Additionally, the platform supports the ‘Cloud Sandbox’ feature that allows the dynamic analysis of Android APK files.
Voice Phishing in South Korea
Voice phishing in South Korea is unique. Voice phishing is not an individual crime, but a large-scale, organized, and meticulous offense layered with complex stages consisting of fake deposit accounts, burner phones, call centers, and money laundering. The malicious apps used in the phishing stages are also technologically advanced. The Korean police, the Financial Supervisory Service, and finance companies are collaborating to battle voice phishing, but the phishing organizations are changing and adapting in different ways in response. This movement is rarely seen among scams in other countries.
Voice phishing scammers coerce their victims into calling them through smishing messages or directly call the victims, impersonating credible organizations such as the Financial Supervisory Service, the Prosecutor’s Office, the police, or a finance company. Many voice phishing scammers utilize malicious apps in the phishing process and fabricate fake scenarios to keep the victims from ending the calls and to encourage them to install the apps. AhnLab dubbed these voice phishing apps Kaishi (this article supports Korean only for now), and the following lists their key features:
- Call Manipulation
- Call Voice Manipulation
- User Screen Manipulation
- Call History Manipulation
Scammers trick their victims into thinking that they just talked to real finance companies or agencies, because the screens on their mobile phones display the relevant details and the voice on the call also appears to come from the finance company. In truth, however, these were all modified by Kaishi, and the voice was provided by the phishing organization’s call center.
The following shows icons of voice phishing apps confirmed up to 2024. ‘Phishing Eyes’ and ‘Citizen Konan,’ apps that block voice phishing, are among the targets of impersonation. Voice phishing apps impersonate voice phishing-blocking apps because scammers know which apps people trust. Some scammers also designed their apps so that they can only be downloaded and installed after a verification number is entered, to trick users.
Malicious Scam Apps Uploaded to Official App Store
Generally, apps listed in official app stores such as Google Play and Apple’s App Store are perceived to be official and legitimate. In reality, some loan and investment apps are registered in official app stores despite being parts of financial scams. This occurs because the apps, while being used in malicious scams, are not equipped with apparent malicious features, and the information they demand and the features they provide are not much different from those of legitimate apps. Scammers sneakily bypass the registration policies of these app stores to deceive users. While some users install these financial scam apps directly after searching for them in stores, most install them only after being tricked by the false words of scammers, who utilize online communities, social media, and mobile messengers to coerce innocent users into installing their financial scam apps.
Fake Loan Scam
Impersonating lenders, scammers collect information from victims, claiming that the data is required to provide high-interest loans or brokerage. They collect mobile device information along with personal and financial information such as identification photos and account numbers in a way similar to legitimate loan apps, tricking users into thinking that they are using official apps and going through an official process. After the process, some scammers use the gathered information to blackmail and extort their victims. The following images show loan-related scam apps that were displayed when users searched the Google Play app store using the keyword ‘Loan.’ Currently, all of the apps are removed from the store.
Investment Prompting Scam
Scammers rally investors through smishing or social media ads and lead them to ‘reading chat rooms’ or engage in 1:1 conversations to prompt them to install apps and register. These trade exchange and investment information apps provide users with stock and virtual asset price overviews and recommend investment options, and they are officially listed in Google Play or Apple’s App Store. Victims follow the information provided by these apps and invest without realizing that some of the information is false and modified. Scammers first build trust with their victims by giving them the promised profits for the initial small investment. However, the scammers soon demand that victims deposit additional money or pay an exorbitant fee, and once the victims pay the sum, the scammers cut contact and go into hiding, leaving their victims with massive financial damage.
In January 2024, Korea’s National Cyber Security Center (NCSC) published the following advisory: ‘Security Advisory on Malicious Apps Disguised as Korean Finance Companies (this article supports Korean only for now)’ to warn users about scam apps that prompt users to invest. The six exposed scam apps stole logos and names of Korean financial firms.
Developers (registrars) of these financial scam apps developed similar investment-prompting scam apps in other Asian nations using a similar method. According to the information found in Google Play, Taiwan, Japan, India, and Malaysia are some of the victim nations. Most of the apps have been removed from the app store, but some of them are still present.
See Related Articles
- Online Scams: Are You Safe From Impersonation, Blackmail, and Deception?
- Online Scams: What Are Online Scams?
- Online Scams: Fraud Through My Phone
- Online Scams: Blackmail, Deceptions, and Victims
- Online Scams: I Just Wanted to Make a Lot of Money Easily
- Online Scams: These Are All Scams? Distinguishing Real and Scam
- Online Scams: Anyone Can Fall for Scams
- Online Scams: What Should We Do?
[1] Global State of Scams Report 2023