Chinese threat actors have been targeting Chinese-speaking students in the United Kingdom with a unique phone scam that aims to steal their personal information with repeated phone calls and voicemails that are hard for victims or carriers to block.
A group dubbed RedZei — or RedThief — calls victims once or twice a month from a unique UK-based phone number, leaving an "unusual" automated voicemail message if the receiver does not answer, revealed cybersecurity researcher Will Thomas in a blog post published just before the new year.
"I got the recorded voicemails and identified that they are almost certainly scam calls from Chinese-speaking fraudsters targeting Chinese international students at universities in the UK," he wrote in his post.
Thomas, who goes by BushidoToken on Twitter, said he's been tracking the campaign for more than a year, and has created a profile for the threat actors based on the calls and voicemails. RedZei chooses its targets carefully, seeming to know that these foreign students would be "a rich victim group that is ripe for exploitation," he wrote in the post.
What's more, once a student has been targeted by the scam — which uses social engineering to get victims to give up personal information — it's difficult for them to block future attempts, Thomas said. That's because for each wave of scam calls, RedZei mainly uses a new pay-as-you-go UK-based phone number from one of the main mobile network operators, he explained.
"This essentially renders blocking the scammers' phone numbers ineffective," Thomas wrote.
The Scam Itself
Phone call-based scams (aka "vishing" campaigns) are not unique in the cybercriminal world. Threat actors have been known to employ entire call centers to make malicious robocalls in attempts to defraud victims, impersonating banks and other trusted entities. In another version, scammers use emails or some other method of Internet-based contact to convince victims to make a phone call to, say, a bogus "tech support" number, where their personal information is harvested for malicious intent.
The RedZei campaign shares some of these tactics but puts its own twist on the phone scam. It has posed as known enterprises, such as the Bank of China or China Mobile (CMLink), in socially engineered campaigns to try to fool the students into giving up their personal details. But the group uses other lures as well, according to Thomas.
"Other themes exploited by RedZei include the 'abnormal usage of your NHS number' and international parcels being delivered from DHL, which are both common concerns for Chinese students studying in the UK," he said.
Thomas doesn't speak Chinese and did not manage to have all the voicemails associated with the most recent campaign translated. He's posted the voicemails that he could not get verified by Chinese speakers to his SoundCloud account and included a GitHub link for people to use if they can translate the calls.
Difficult to Mitigate
Thomas included a list of numbers associated with the RedZei campaign in his post. The numbers are primarily +44 numbers — the country code for the United Kingdom — with one number from an Irish (+353) carrier and one from a Norwegian (+47) carrier.
O2 is the UK telecom carrier most often associated with the numbers the threat actors use to attempt to compromise victims, while EE and Three are also favored by RedZei. The Ireland-based number used a Tesco Mobile SIM card, while the Norwegian carrier used by the threat group was Telia, according to Thomas.
Victims can do little to stop the scam, and carriers are equally hard-pressed to halt the activity because of the frequency with which RedZei changes carriers, and thus SIM cards, Thomas noted.
There is also a language barrier, he said. "As the activity is also in Chinese, the carriers are less likely to investigate this campaign [because of the] additional effort required," Thomas wrote.
All in all, this does not bode well for victims of the scam, who won't see relief from the calls anytime soon, he said.
"The RedZei group, and others like it, are therefore effectively operating with impunity and will continue to do so for the foreseeable future," Thomas wrote.