{"id":47293,"date":"2023-02-23T12:36:52","date_gmt":"2023-02-23T17:36:52","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=47293"},"modified":"2023-02-23T12:36:52","modified_gmt":"2023-02-23T17:36:52","slug":"on-the-line-korean-movie","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/on-the-line-korean-movie\/47293\/","title":{"rendered":"&#8220;On the Line&#8221;: a movie about vishing"},"content":{"rendered":"<p>Ever seen a movie adaptation of a cybersecurity glossary? I did recently, to my surprise. The South Korean film <a href=\"https:\/\/www.imdb.com\/title\/tt15426974\/\" target=\"_blank\" rel=\"nofollow noopener\">On the Line<\/a> (original title: <em>Boiseu; lit. Voice, and no, it\u2019s not the movie <a href=\"https:\/\/www.imdb.com\/title\/tt14824590\/\" target=\"_blank\" rel=\"nofollow noopener\">with the same name<\/a> starring Mel Gibson<\/em>) is undoubtedly an action movie. At the same time, it contains such a concentration of cybercrime that you could almost recommend it as a textbook on information security. The consultants hired by the filmmakers seem to know their stuff.<\/p>\n<h2>\u201cOn the Line\u201d as an almanac of cybercrime<\/h2>\n<p>The main storyline is built around voice phishing, or vishing. But the protagonist, ex-cop turned foreman Han Seo-joon, also encounters numerous other scam techniques. Let\u2019s put the action aside and focus instead on the cyber-incidents (in chronological order).<\/p>\n<h3>Cell phone jamming<\/h3>\n<p>An intruder enters a construction site and hides a device with several antennas in a bag of building supplies. As we find out later, this is a jammer for blocking cell phone signals. The device jams the frequencies on which cell phones operate, preventing all mobile communications in the coverage area. 
And it soon becomes clear why the criminals are jamming the signal: to pull off a vishing attack.<\/p>\n<h3>Malware-infected phone<\/h3>\n<p>Seo-joon\u2019s wife runs a small cafe. She receives a spam message on her phone about a small business-support program that supposedly grants a subsidy on utility bills for companies with under five employees. By tapping the link she installed malware on her phone that gave the criminals access to all her messages, call logs, and personal data, and let them redirect calls from her phone to their own numbers.<\/p>\n<h3>Vishing (scenario 1)<\/h3>\n<p>Next, the vishing attack begins in earnest: she receives a call from someone who introduces himself as a lawyer and says there\u2019s been an accident at the construction site resulting in Seo-joon having been detained and charged. She immediately tries to call her husband, but can\u2019t get through because of the jammer; she assumes his phone is off or out of range. She dials the number of the construction site, and a voice tells her that an accident has occurred: a worker has died and the foreman is in police custody. This is where the malware comes into play: the call has been forwarded, and she is talking to the criminals.<\/p>\n<p>Shortly after the phone rings again. This time, someone purporting to be from the Busan Central Police Department informs her that Seo-joon has been arrested in connection with a construction site accident, and she can visit him at the criminal detention center.<\/p>\n<p>The \u201clawyer\u201d calls again and argues persuasively that, if the case goes to court, Seo-joon will be found guilty and likely go to jail. The only way to avoid this is to pay compensation. In a state of panic, the wife transfers all her savings to the account of the alleged law firm.<\/p>\n<h3>Quick withdrawal<\/h3>\n<p>On screen we see the scammers\u2019 banking interface as someone splits up the money and deposits it into seven accounts. 
Next, people armed with documents and bank cards withdraw the cash at various branches. By the time the woman discovers she\u2019s the victim of fraud and runs to the nearest banking office, the money is no longer in her accounts. And it\u2019s gone for good.<\/p>\n<h3>Vishing (scenario 2)<\/h3>\n<p>It turns out the jammer wasn\u2019t planted only for the sake of one victim\u2019s savings. The head of the construction company says he too was hoodwinked and has lost a much more significant sum from the payroll account. An \u201cinsurance company\u201d called and offered a 50% discount on family insurance for builders. The overly trusting boss sent the unknown callers not only money, but also the personal data of all his employees. And the cell signal was jammed at the very moment when he realized the call was not from insurers.<\/p>\n<h3>Money laundering through currency exchanges<\/h3>\n<p>The police explain to the victims that the money cannot be returned, because it has been laundered through a network of currency exchanges (actually a money transfer service). In other words, the criminals deposit Korean won in Korea, and withdraw Chinese yuan in China.<\/p>\n<h3>Mules for hire<\/h3>\n<p>The criminal who planted the jammer on the construction site runs a \u201ctravel agency\u201d. In reality the travel agents are folks from the provinces looking to earn a quick buck. They are brought in, spruced up, and sent to the banking offices to cash out the stolen funds. Judging by an off-the-cuff remark, the plan is to engage each person in the cash out scheme two or three times.<\/p>\n<h3>Poker site with a dummy account<\/h3>\n<p>To figure out what\u2019s going on, Seo-joon turns to an expert hacker he knows. 
At that moment, she is being pressured by petty criminals: she had contracted to create an online poker site, but then secretly connected it to her own account \u2014 apparently to siphon off money lost by players (or at least some of it).<\/p>\n<h3>Mass spoofing device<\/h3>\n<p>The hacker explains exactly how attackers are able to call victims\u2019 phones from fake numbers: by using devices installed in ordinary residential apartments to spoof phone numbers.<\/p>\n<h3>Trading personal data<\/h3>\n<p>Seo-joon breaks into the office of a certain Mr. Park, who runs this criminal business in Korea. There he witnesses documents and cards being packaged, clearly to be given to the mules. What\u2019s more significant is that someone in the office is selling stolen personal data: databases of microcredit debtors, department store customers, golf club members, and luxury property clients.<\/p>\n<h3>Unauthorized access to personal data<\/h3>\n<p>Using fake documents, Seo-joon tries to gain the trust of the heads of the criminal network in China. It turns out that the villains have access to the Korean police database and even bank payment histories. Testing Seo-joon\u2019s claimed identity, they ask him questions about his purchases. Luckily, his hacker acquaintance who supplied him with the false documents had the foresight to make him learn a cover story.<\/p>\n<h3>Vishing (scenario 3) \u2014 the criminals\u2019 perspective<\/h3>\n<p>Seo-joon finds a job in a call center and observes how a group of scammers tries to get someone else to part with their money. Pretending to be cybercrime investigators from a bank, they claim the victim\u2019s account is being used for fraudulent purposes, for which he could be prosecuted as an accomplice. If he knows nothing about it, it means his identity has been stolen and he must contact the financial control department. The victim, suspecting something is amiss, tries to contact the bank to block the account. 
But his phone is infected with the same Trojan that redirects the call back to those same criminals, who convince him it will take two hours to block the account, and only the financial control department can provide urgent assistance. Fortunately, Seo-joon manages to sabotage the scheme.<\/p>\n<h3>Vishing scriptwriters<\/h3>\n<p>In search of the vishers, Seo-joon infiltrates their operation and observes how they create their schemes. It\u2019s serious work: the fraudsters do market research, find vulnerable groups of people, and develop scenarios for each of them. The head \u201cscriptwriter\u201d explains that vishing is based on empathy\u00a0\u2014 they exploit not stupidity and ignorance, but fears and desires.<\/p>\n<h3>Vishing (scenario 4)<\/h3>\n<p>The scammers come up with a whole new playbook. Somewhere they get hold of a list of job seekers who have had interviews with a large firm. The criminals call everyone on the list and inform them that they were accepted as employees. Before starting work, however, they must comply with a few formalities: undergo a medical, a credit check, and give details of a guarantor. This can be a relative over 40 years old who is able to contribute a certain amount of money to the federal youth employment program\u2026<\/p>\n<h2>How realistic is all this?<\/h2>\n<p>The on-screen vishing is shown quite plausibly, and pretty much all the tricks described are doable in real life. But do attackers really mix them together in such a way? Fortunately, only very rarely. The story of phone malware imitating a call is quite real\u00a0\u2014 see our <a href=\"https:\/\/www.kaspersky.com\/blog\/fakecalls-banking-trojan\/44072\/\" target=\"_blank\" rel=\"noopener nofollow\">post about a similar Trojan<\/a>. But a jammer is more reminiscent of a targeted attack, and is unlikely to be deployed in a mass scheme. Money laundering through currency exchanges could probably happen in Korea, but would be more difficult elsewhere. 
Using mules to cash out really does work like that. What\u2019s undeniably true is a line uttered at the end of the movie: \u201cMany blame themselves for swallowing the bait, but in fact they were hunted down by smart, calculating predators. But they\u2019ll be caught sooner or later.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Korean filmmakers have made a film about cybercrime that deserves a look \u2014 if only as a training tool. <\/p>\n","protected":false},"author":2598,"featured_media":47294,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[36,1130,4423,4136],"class_list":{"0":"post-47293","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-malware-2","9":"tag-movies","10":"tag-spoofing","11":"tag-vishing"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/on-the-line-korean-movie\/47293\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/on-the-line-korean-movie\/25249\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/on-the-line-korean-movie\/20733\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/on-the-line-korean-movie\/27906\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/on-the-line-korean-movie\/25574\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/on-the-line-korean-movie\/26023\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/on-the-line-korean-movie\/28469\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/on-the-line-korean-movie\/34734\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/on-the-line-korean-movie\/20207\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/on-the-line-korean-movie\/20
838\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/on-the-line-korean-movie\/29841\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/on-the-line-korean-movie\/25907\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/on-the-line-korean-movie\/31603\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/on-the-line-korean-movie\/31318\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/movies\/","name":"movies"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/47293","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=47293"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/47293\/revisions"}],"predecessor-version":[{"id":47296,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/47293\/revisions\/47296"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/47294"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=47293"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=47293"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=47293"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}