“On the Line”: a movie about vishing

Korean filmmakers have made a film about cybercrime that deserves a look — if only as a training tool.

Detailed description of cybercrime: vishing, spoofing, money laundering, malware.

Ever seen a movie adaptation of a cybersecurity glossary? I did recently, to my surprise. The South Korean film On the Line (original title: Boiseu; lit. Voice, and no, it’s not the movie with the same name starring Mel Gibson) is undoubtedly an action movie. At the same time, it contains such a concentration of cybercrime that you could almost recommend it as a textbook on information security. The consultants hired by the filmmakers seem to know their stuff.

“On the Line” as an almanac of cybercrime

The main storyline is built around voice phishing, or vishing. But the protagonist, ex-cop turned foreman Han Seo-joon, also encounters numerous other scam techniques. Let’s put the action aside and focus instead on the cyber-incidents (in chronological order).

Cell phone jamming

An intruder enters a construction site and hides a device with several antennas in a bag of building supplies. As we find out later, this is a jammer for blocking cell phone signals. The device jams the frequencies on which cell phones operate, preventing all mobile communications in the coverage area. And it soon becomes clear why the criminals are jamming the signal: to pull off a vishing attack.

Malware-infected phone

Seo-joon’s wife runs a small cafe. She receives a spam message on her phone about a small business-support program that supposedly grants a subsidy on utility bills for companies with under five employees. By tapping the link she installed malware on her phone that gave the criminals access to all her messages, call logs, and personal data, and let them redirect calls from her phone to their own numbers.

Vishing (scenario 1)

Next, the vishing attack begins in earnest: she receives a call from someone who introduces himself as a lawyer and says there’s been an accident at the construction site resulting in Seo-joon having been detained and charged. She immediately tries to call her husband, but can’t get through because of the jammer; she assumes his phone is off or out of range. She dials the number of the construction site, and a voice tells her that an accident has occurred: a worker has died and the foreman is in police custody. This is where the malware comes into play: the call has been forwarded, and she is talking to the criminals.

Shortly after the phone rings again. This time, someone purporting to be from the Busan Central Police Department informs her that Seo-joon has been arrested in connection with a construction site accident, and she can visit him at the criminal detention center.

The “lawyer” calls again and argues persuasively that, if the case goes to court, Seo-joon will be found guilty and likely go to jail. The only way to avoid this is to pay compensation. In a state of panic, the wife transfers all her savings to the account of the alleged law firm.

Quick withdrawal

On screen we see the scammers’ banking interface as someone splits up the money and deposits it into seven accounts. Next, people armed with documents and bank cards withdraw the cash at various branches. By the time the woman discovers she’s the victim of fraud and runs to the nearest banking office, the money is no longer in her accounts. And it’s gone for good.

Vishing (scenario 2)

It turns out the jammer wasn’t planted only for the sake of one victim’s savings. The head of the construction company says he too was hoodwinked and has lost a much more significant sum from the payroll account. An “insurance company” called and offered a 50% discount on family insurance for builders. The overly trusting boss sent the unknown callers not only money, but also the personal data of all his employees. And the cell signal was jammed at the very moment when he realized the call was not from insurers.

Money laundering through currency exchanges

The police explain to the victims that the money cannot be returned, because it has been laundered through a network of currency exchanges (actually a money transfer service). In other words, the criminals deposit Korean won in Korea, and withdraw Chinese yuan in China.

Mules for hire

The criminal who planted the jammer on the construction site runs a “travel agency”. In reality the travel agents are folks from the provinces looking to earn a quick buck. They are brought in, spruced up, and sent to the banking offices to cash out the stolen funds. Judging by an off-the-cuff remark, the plan is to engage each person in the cash out scheme two or three times.

Poker site with a dummy account

To figure out what’s going on, Seo-joon turns to an expert hacker he knows. At that moment, she is being pressured by petty criminals after contracting to create an online poker site, but then secretly connected it to her own account — apparently to siphon off money lost by players (or at least some of it).

Mass spoofing device

The hacker explains exactly how attackers are able to call victims’ phones from fake numbers: by using devices installed in ordinary residential apartments to spoof phone numbers.

Trading personal data

Seo-joon breaks into the office of a certain Mr. Park, who runs this criminal business in Korea. There he witnesses documents and cards being packaged, clearly to be given to the mules. What’s more significant is that someone in the office is selling stolen personal data: databases of microcredit debtors, department store customers, golf club members, and luxury property clients.

Unauthorized access to personal data

Using fake documents, Seo-joon tries to gain the trust of the heads of the criminal network in China. It turns out that the villains have access to the Korean police database and even bank payment histories. Testing Seo-joon’s claimed identity, they ask him questions about his purchases. Luckily, his hacker acquaintance who supplied him with the false documents had the foresight to make him learn a cover story.

Vishing (scenario 3) — the criminals’ perspective

Seo-joon finds a job in a call center and observes how a group of scammers tries to get someone else to part with their money. Pretending to be cybercrime investigators from a bank, they claim the victim’s account is being used for fraudulent purposes, for which he could be prosecuted as an accomplice. If he knows nothing about it, it means his identify has been stolen and he must contact the financial control department. The victim, suspecting something is amiss, tries to contact the bank to block the account. But his phone is infected with the same Trojan that redirects the call back to those same criminals, who convince him it will take two hours to block the account, and only the financial control department can provide urgent assistance. Fortunately, Seo-joon manages to sabotage the scheme.

Vishing scriptwriters

In search of the vishers, Seo-joon infiltrates their operation and observes how they create their schemes. It’s serious work: the fraudsters do market research, find vulnerable groups of people, and develop scenarios for each of them. The head “scriptwriter” explains that vishing is based on empathy — they exploit not stupidity and ignorance, but fears and desires.

Vishing (scenario 4)

The scammers come up with a whole new playbook. Somewhere they get hold of a list of job seekers who have had interviews with a large firm. The criminals call everyone on the list and inform them that they were accepted as employees. Before starting work, however, they must comply with a few formalities: undergo a medical, a credit check, and give details of a guarantor. This can be a relative over 40 years old who is able to contribute a certain amount of money to the federal youth employment program…

How realistic is all this?

The on-screen vishing is shown quite plausibly, and pretty much all the tricks described are doable in real life. But do attackers really mix them together in such a way? Fortunately, only very rarely. The story of phone malware imitating a call is quite real — see our post about a similar Trojan. But a jammer is more reminiscent of a targeted attack, and is unlikely to be deployed in a mass scheme. Money laundering through currency exchanges could probably happen in Korea, but would be more difficult elsewhere. Using mules to cash out really does work like that. What’s undeniably true is a line uttered at the end of the movie: “Many blame themselves for swallowing the bait, but in fact they were hunted down by smart, calculating predators. But they’ll be caught sooner or later.”