Friday 26 September 09:30 - 10:00, Red room
Kyung Rae Noh (Korea Internet & Security Agency), Shinho Lee (Gachon University), Eui-Tak Kim (Gachon University), Yujin Shim (Korea Internet & Security Agency), Jonghwa Han (Korea Internet & Security Agency) & Jung-Sik Cho (Korea Internet & Security Agency)
In response to the rapidly increasing cyber threat landscape, the early detection of attack indicators and timely identification of attackers' objectives and targets have become increasingly critical. The Korea Internet & Security Agency (KISA) previously faced limitations with individually operated threat detection systems, including difficulties in correlating collected data for in-depth threat analysis and significant dependency on specialized personnel. To overcome these limitations, KISA's Digital Incident Detection Team initiated the Cyber Spider project in 2022. This system integrates normalized data collected from various detection systems into a centralized Data Lake, enabling automated correlation analyses to proactively detect and respond to emerging cyber threats.
This paper presents an analysis of malicious URL patterns associated with smishing attacks, based on data mining and tracking of 10,358,700 smishing-related data points (including SMS message contents, phishing URLs, and malicious app distribution URLs) collected by Cyber Spider in 2024. Analysis of main domains revealed that a substantial proportion were generated by Domain Generation Algorithms (DGAs), particularly combined with typosquatting techniques targeting legitimate domains belonging to financial institutions or public sector organizations to exploit user trust. We define this hybrid attack method as Registered Typosquatting Domain Generation Algorithms (RT-DGAs).
RT-DGA-generated domains accounted for approximately 34.9% of all smishing-related data collected in 2024 and consistently exhibited identifiable patterns and regularities in their subdomain and path structures. Additionally, we observed a notable tendency among attackers to concentrate domain registrations on specific Top-Level Domains (TLDs), indicating a deliberate strategy to evade detection through systematically generating and registering modified versions of legitimate domain keywords.
Our analysis of 214 Name Servers (NS) hosting these malicious domains revealed that 87.45% were heavily concentrated within one particular Internet Service Provider (ISP), highlighting a critical point for targeted mitigation strategies. Unlike traditional randomly generated DGAs, RT-DGAs create human-readable domain names that attackers actively register and leverage to distribute malicious content. These characteristics significantly complicate detection by conventional DGA detection models and further increase the likelihood of evading traditional blacklist-based detection and mitigation systems.
Finally, this paper classifies recent smishing attacks in South Korea by social engineering impersonation type – including financial institutions, public sector organizations, funeral notices, wedding invitations, and parcel delivery notifications – and provides detailed insights into, and temporal trends of, the malicious app distribution domains associated with each attack type. Additionally, correlation analyses based on collected NS information, ISP affiliations, subdomain structures, and path patterns have identified the NS URLs commonly used for each phishing category. We propose a preventive strategy that leverages the daily NS domain records collected by Cyber Spider and applies predefined subdomain and path pattern combinations to proactively block future phishing attacks and establish reliable predictive indicators for enhanced cybersecurity.
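The two ideas the abstract combines, a registered domain that is an edit-distance neighbour of a legitimate keyword (the RT-DGA definition above) and a subdomain/path structure that matches a predefined pattern (the preventive strategy above), can be turned into a small screening filter. The code below is an added illustration, not Cyber Spider's code and not the paper's method: the watchlist domains, the subdomain/path regexes, the sample URLs and the edit-distance threshold are all constructed for the example, and the registrable-domain split assumes a plain two-label suffix rather than a public-suffix-list lookup.

```python
"""Added example: screen URLs for RT-DGA-style typosquats plus suspicious
subdomain/path structure. All domains, patterns and thresholds are constructed
placeholders; they are not the paper's data or rules."""
import re
from urllib.parse import urlparse

# Constructed watchlist of legitimate domains to protect (placeholders, not real institutions).
WATCHLIST = {"examplebank.example", "examplegov.example"}

# Hypothetical (subdomain, path) pattern pairs standing in for the paper's
# "predefined subdomain and path pattern combinations", which are not on this page.
PATTERN_PAIRS = [
    (re.compile(r"^(apk|app|down|m)\d{0,2}$"), re.compile(r"^/[a-z]{1,4}/\d{4,}$")),
    (re.compile(r"^(notice|invite)\d{0,2}$"), re.compile(r"^/[a-z0-9]{6,}\.apk$")),
]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), used to spot near-miss labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str):
    """Return (subdomain, registrable domain).
    Assumption: the registrable domain is the last two labels. Suffixes such as
    '.co.kr' would need a public-suffix-list lookup in a real deployment."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", host.lower()
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def typosquat_target(domain: str, watchlist=WATCHLIST, max_dist: int = 2):
    """Return the watchlist domain whose second-level label is within 1..max_dist
    edits of `domain`'s second-level label, or None. Distance 0 is an exact
    match (the legitimate site itself), so it is deliberately excluded."""
    label = domain.split(".")[0]
    best = None
    for legit in watchlist:
        d = levenshtein(label, legit.split(".")[0])
        if 0 < d <= max_dist and (best is None or d < best[1]):
            best = (legit, d)
    return best[0] if best else None


def assess_url(url: str) -> dict:
    """Combine the two signals into a verdict a blocklist pipeline could act on:
    'block' when both fire, 'review' when only one does, otherwise 'allow'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    sub, reg = split_host(host)
    target = typosquat_target(reg)
    path = parsed.path or "/"
    pattern_hit = any(s.match(sub) and p.match(path) for s, p in PATTERN_PAIRS)
    if target and pattern_hit:
        verdict = "block"
    elif target or pattern_hit:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "host": host,
        "registrable_domain": reg,
        "subdomain": sub,
        "typosquat_of": target,
        "pattern_hit": pattern_hit,
        "verdict": verdict,
    }


def screen_records(urls):
    """Run the filter over a batch (e.g. one day's collected URLs) and tally verdicts."""
    tally = {"block": 0, "review": 0, "allow": 0}
    for u in urls:
        tally[assess_url(u)["verdict"]] += 1
    return tally


if __name__ == "__main__":
    # Constructed sample input; not data from the paper.
    SAMPLE = [
        "http://apk3.examp1ebank.example/dl/20240101",   # typosquat + pattern -> block
        "https://www.examplebank.example/login",         # the legitimate site -> allow
        "http://apk1.zqxwvutsr.example/dl/12345",        # pattern only -> review
    ]
    for u in SAMPLE:
        print(assess_url(u))
    print(screen_records(SAMPLE))
```

The verdict tiers are a design choice for triage rather than a claim about the paper's thresholds: a near-miss of a protected keyword alone can be a legitimate brand variant, and a matching path shape alone can be coincidental, so only the combination is treated as a confident indicator, with the remainder routed to an analyst.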
Kyung Rae Noh received his Master's degree in big data from Sungkyunkwan University and currently works as a cybersecurity analyst on the Digital Incident Detection Team at the Korea Internet & Security Agency (KISA, KrCERT/CC). He has been instrumental in developing and operating detection systems designed to uncover and mitigate hidden malicious activities (malware distribution, phishing, and web defacements) embedded within South Korea's websites, significantly contributing to preventing the spread of web-based cyber threats nationwide. His current research focuses on analysing phishing, smishing, and malicious-app distribution domains collected through the Cyber Spider project, aiming to predict and detect malicious domains proactively.

Shinho Lee is a Ph.D. student in the Department of Information Security at Gachon University. Over the past ten years, he has conducted research related to information security, such as attack group tracking, malware-related group analysis, malware similarity research, and network traffic packet analysis. Currently, he is interested in the prediction and detection of malicious attacks.

Professor Eui-Tak Kim received his Ph.D. in computer engineering from Chungbuk National University in South Korea, with a dissertation on the development of an efficient anti-virus system in cloud environments. He served as the Head of Research at two of South Korea's three major computer antivirus companies: Hauri Inc. and ESTsecurity Corp. During his tenure, he contributed to the advancement of endpoint cybersecurity in Korea by leading the development of technologies such as malware detection, anti-virus systems, threat intelligence platforms, and secure operating systems. Currently, his research focuses on utilizing artificial intelligence and various cybersecurity technologies to detect malware and hidden malicious websites on the web.

Yujin Shim has a Master's degree in network security from Hanyang University in South Korea. He joined KISA (Korea Internet & Security Agency) in 2016 and has been working as a researcher since then. He has experience in developing various malware detection systems and is currently responsible for the development and operation of the Cyber Spider project.

Jonghwa Han is a researcher at the Korea Internet & Security Agency (KISA). At KrCERT/CC, he has contributed to cyber incident detection and response, including the design, development, and operation of Cyber Spider's data lake, analytics platform, and large-scale honeynet systems. He has also conducted analysis of diverse incident datasets and CVE vulnerabilities. He is currently with KRNIC, the National Internet Registry (NIR) of Korea, where he is involved in planning and executing initiatives to ensure the security of Internet address resources.

Jung-Sik Cho received a Ph.D. in information security engineering from Chung-Ang University in Korea and currently serves as the Head of the Digital Incident Detection Team at KrCERT/CC, Korea Internet & Security Agency (KISA), and is leading various projects aimed at detecting and responding to cyber attacks.
Back to VB2025 conference page