Mobile scams targeting phone users through smishing and voice phishing are widespread, with attackers impersonating banks, agencies, delivery services, and even celebrities to coax victims into investing, sharing personal data, or installing malicious apps. AhnLab TIP Threat Intelligence highlights how these scams spread via SMS links and fake apps—often appearing in official app stores—and discusses countermeasures and ongoing trends in Korea and other Asian countries. #Kaishi #AhnLabTIP #VoicePhishing #LotteCard #SamsungPay #GooglePlay
Keypoints
- Smishing (SMS phishing) is a top scam channel globally and in eight Asian countries, with Korea seeing frequent impersonations of various entities.
- Common scam themes include impersonation of temporary employees who prompt investments, card issuers, public agencies, family or friends, and delivery/shipping services.
- Victims are guided to invest via fake websites or 1:1 chats, often using celebrity images to look credible and promising quick profits before demanding more money.
- Malicious apps can be installed after smishing, sometimes masquerading as legitimate apps from official stores and capable of data theft or device control.
- AhnLab TIP provides quarterly smishing reports and a Cloud Sandbox for analyzing Android APKs to support prevention and response.
- Voice phishing in Korea is highly organized, using call centers and money laundering, with apps like Kaishi manipulating screens and calls to imitate real financial services.
MITRE Techniques
- [T1566.001] Phishing – Smishing – Smishing messages impersonate an entity to push victims to check details urgently, or lure them with content that piques their interest. “Most of the messages impersonate an entity to drive victims to check the details urgently or lure their victims with content that pique their interest.”
- [T1204] User Execution – Installing apps after clicking smishing links; victims are prompted to download/install malicious applications. “When victims click the smishing URL, victims are redirected to an ad website… prompt them to register to a fake trade exchange website and invest money.”
- [T1105] Ingress Tool Transfer – Downloading and installing malicious apps via smishing and redirected pages; apps use official-store-like screens to persuade installation. “The downloaded apps use public agency, private company, or basic Android feature icons to take disguise.”
Indicators of Compromise
- [URL/Domain] – Smishing URLs and fake sites used to lure victims: dokdo.in/E***, hxxps://angel*ipo.net, hxxp://slc.pg5s.mom, Taxreturn.lrl.kr, web-telegramm.icu, s.id/1IcWP, and other similar domains
- [Phone number] – Contact numbers used in scam messages: 1551-****, 052-227-****
- [URL/Domain] – Telegram phishing site: web-telegramm.icu
Read more: https://f1tym1.com/2024/03/14/online-scam-scams-encountered-on-my-phone/