Late-night micro-payment fraud targeting KT subscribers spreads, with verification bypass tactics still unclear
Authorities investigate as suspicions turn to ARS authentication and doubts emerge over the practicality of phone cloning

Suspicion is growing following a string of late-night micro-payment fraud cases targeting KT subscribers in Korea, as cases of unauthorized payments continue to increase and the methods used by the perpetrators remain unclear.

According to police and KT on September 9, the incidents have been concentrated in Gwangmyeong, Gyeonggi Province, and Geumcheon-gu, Seoul, occurring mostly during the early morning hours from late last month into early this month. As of now, the exact method of the attacks has not been determined.

While initial suspicion centered on smishing tactics involving malicious apps that carry hidden malware, no evidence has emerged to support this theory. Instead, some victims have testified that both their PASS authentication app and KakaoTalk accounts were manipulated without their knowledge, raising new concerns.

According to the authentication history of one victim, there was a record of SMS authentication on a gift certificate website at 4:09 a.m. on August 27, but the victim never actually received an authentication text message. Security experts note that this may indicate the attackers found a way to bypass the standard verification system, rather than committing simple payment fraud.

A security specialist commented, “If no SMS was received, it’s very likely that ARS (automated voice response) authentication was used, which is hard to accomplish without a cloned phone.” Kakao also informed affected users, “A new KakaoTalk registration was made using your mobile number, and ARS authentication was completed successfully.”

However, skepticism remains about the cloned phone hypothesis. Another insider from the security industry explained, “Cloning a phone requires copying the USIM card and obtaining a wealth of personal information, making it a difficult method in reality.” The victims also reportedly opened their mobile accounts through a wide range of channels, which further reduces the likelihood that a single method such as phone cloning is the cause.

Additionally, mobile operators have implemented “Fraud Detection Systems” (FDS) that block abnormal authentication attempts, such as when a new device connects using the same phone number, further complicating any efforts to use cloned phones.

Another security expert suggested that advanced tactics such as base station hacking or man-in-the-middle (MITM) attacks could be involved, but remarked, “It seems questionable that such sophisticated techniques would be used for mere small-payment fraud.”

A telecommunications industry representative also questioned the operation, saying, “If the payments were made for gift certificates, the process of converting them to cash would leave records, and tracking IP addresses isn’t difficult.” They added, “While the methods used to commit the fraud seem sophisticated, the cash-out process is so simple that it raises further doubts.”

Currently, the Cyber Investigation Unit of the Gyeonggi Nambu Provincial Police Agency is investigating multiple possibilities, including the hacking of mobile repeaters, and is conducting a broad investigation into telecommunications providers, payment intermediaries, and product retailers.

To curb additional damage, KT lowered the payment limit for gift certificate transactions from 1 million won to 100,000 won on September 6, and announced, “Based on customer reports, we are taking preemptive measures to prevent any unauthorized payments from being processed.”

Note: “This article was translated from the original Korean version using AI assistance, and subsequently edited by a native-speaking journalist.”

Photo=Yonhap News
