Friday 26 September 09:30 - 10:00, Red room
Kyung Rae Noh (Korea Internet & Security Agency), Shinho Lee (Gachon University), Eui-Tak Kim (Gachon University), Yujin Shim (Korea Internet & Security Agency), Jonghwa Han (Korea Internet & Security Agency) & Jung-Sik Cho (Korea Internet & Security Agency)
In response to the rapidly evolving cyber threat landscape, both the early detection of attack indicators and the timely identification of attackers' objectives and targets have become increasingly critical. The Korea Internet & Security Agency (KISA) previously faced challenges in performing in-depth threat analyses and correlation across the data collected by individually operated detection systems, which also placed significant reliance on specialized personnel. To overcome these limitations, KISA's Digital Incident Detection Team launched the Cyber Spider project in 2022. This project integrates normalized data from various detection systems into a centralized Data Lake and performs automated correlation analyses to proactively detect and respond to emerging cyber threats.
This paper presents an analysis of malicious URL patterns exploited in smishing attacks, based on pattern mining and tracking of 10,358,700 smishing-related data points – including SMS message content, phishing URLs, and malicious app distribution links – collected by Cyber Spider in 2024. The analysis of these URLs revealed that attackers often target users' trust by impersonating legitimate domains of financial institutions and public organizations. A substantial portion of these domains exhibited patterns similar to Registered Domain Generation Algorithms (RDGAs) combined with brand-squatting techniques. In this paper, we define this hybrid attack technique as Registered Domain–Brand Squatting URLs (RD-BSUs).
Domains generated using RD-BSUs accounted for approximately 34.9% of all smishing-related data collected by Cyber Spider in 2024. These domains consistently exhibited recognizable patterns and regularities in their subdomain and path structures. Furthermore, some attacks showed a clear tendency to concentrate registrations on specific Top-Level Domains (TLDs), indicating a deliberate strategy to systematically generate and register keyword-modified versions of legitimate domains in an attempt to evade detection.
An analysis of the 214 name servers (NS) hosting these malicious domains showed that 87.45% were concentrated on a single provider, highlighting a critical point for targeted mitigation strategies. Unlike traditional DGAs that generate purely random domains, RD-BSUs produce human-readable domains that attackers actively register and use to distribute malicious content. These characteristics make detection by conventional DGA detection models significantly more difficult and increase the likelihood of evading blacklist-based countermeasures.
This paper categorizes recent smishing attacks in South Korea by social engineering impersonation types – including financial institutions, government agencies, funeral notices, wedding invitations, and parcel delivery notifications – and provides detailed insights and temporal trends of malicious app distribution domains associated with each type. Additionally, we present a correlation analysis of the collected NS data, subdomain, and path structures to identify and trace the key name servers most frequently used for malicious domain registrations. Finally, we propose a proactive countermeasure that applies predefined subdomain and path pattern combinations to gTLD and ccTLD (.kr) domains collected daily through Cyber Spider, enabling the early detection and prevention of future phishing attacks.
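A small sketch of the proactive screening idea described above, added here as an illustration and not taken from the paper or from Cyber Spider: it flags newly observed domains whose registered label embeds a watched brand keyword and then measures name-server and TLD concentration among the hits. The brand keywords, domains, name servers and the short suffix table are all constructed assumptions.

```python
from collections import Counter

# Constructed watchlist (assumption): brand keyword -> its legitimate registered domains.
BRANDS = {"examplebank": {"examplebank.co.kr"}, "examplepost": {"examplepost.kr"}}
# Assumed two-level suffixes; a production pipeline would use the full Public Suffix List.
TWO_LEVEL = {"co.kr", "or.kr", "go.kr"}

def registered_domain(host):
    """Reduce a hostname to its registered domain (label + public suffix)."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL else 2
    return ".".join(labels[-n:])

def squatted_brand(host):
    """Return the brand keyword embedded in a non-legitimate registered label, else None."""
    reg = registered_domain(host)
    label = reg.split(".")[0].replace("-", "")
    for brand, legit in BRANDS.items():
        if brand in label and reg not in legit:
            return brand
    return None

def triage(feed):
    """feed: iterable of (hostname, nameserver). Returns hits plus NS and TLD concentration."""
    hits = []
    for host, ns in feed:
        brand = squatted_brand(host)
        if brand:
            hits.append((registered_domain(host), brand, registered_domain(ns)))
    by_ns = Counter(provider for _, _, provider in hits)
    by_tld = Counter(reg.rsplit(".", 1)[1] for reg, _, _ in hits)
    total = len(hits)
    ns_share = {p: c / total for p, c in by_ns.items()} if total else {}
    return {"hits": hits, "ns_share": ns_share, "tld_counts": dict(by_tld)}

# Constructed sample of a daily new-domain feed with the name server of each entry.
SAMPLE_FEED = [
    ("m.examplebank-kr01.xyz", "ns1.dns-provider-a.example"),
    ("examplebank-kr02.xyz", "ns2.dns-provider-a.example"),
    ("examplepost7.top", "ns1.dns-provider-a.example"),
    ("www.examplebank.co.kr", "ns.examplebank.co.kr"),   # legitimate, must not be flagged
    ("examplepost-track.top", "ns1.dns-provider-b.example"),
    ("weather-news.kr", "ns1.dns-provider-b.example"),   # unrelated, must not be flagged
]

if __name__ == "__main__":
    report = triage(SAMPLE_FEED)
    for reg, brand, provider in report["hits"]:
        print(f"{reg:28} brand={brand:12} ns_provider={provider}")
    print(report["ns_share"], report["tld_counts"])
```

A high share for one name-server provider among the hits is the kind of concentration the abstract points to as a mitigation lever.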
Kyung Rae Noh
Kyung Rae Noh received his Master's degree in big data from Sungkyunkwan University and currently works as a cybersecurity analyst on the Digital Incident Detection Team at the Korea Internet & Security Agency (KISA, KrCERT/CC). He has been instrumental in developing and operating detection systems designed to uncover and mitigate hidden malicious activities (malware distribution, phishing, and web defacements) embedded within South Korea's websites, significantly contributing to preventing the spread of web-based cyber threats nationwide. His current research focuses on analysing phishing, smishing, and malicious-app distribution domains collected through the Cyber Spider project, aiming to predict and detect malicious domains proactively.
Shinho Lee
Shinho Lee is a Ph.D. student in the Department of Information Security at Gachon University. Over the past ten years, he has conducted research related to information security, such as attack group tracking, malware-related group analysis, malware similarity research, and network traffic packet analysis. Currently, he is interested in the prediction and detection of malicious attacks.
Eui-Tak Kim
Professor Eui-Tak Kim received his Ph.D. in computer engineering from Chungbuk National University in South Korea, with a dissertation on the development of an efficient anti-virus system in cloud environments. He served as the Head of Research at two of South Korea's three major computer antivirus companies: Hauri Inc. and ESTsecurity Corp. During his tenure, he contributed to the advancement of endpoint cybersecurity in Korea by leading the development of technologies such as malware detection, anti-virus systems, threat intelligence platforms, and secure operating systems. Currently, his research focuses on utilizing artificial intelligence and various cybersecurity technologies to detect malware and hidden malicious websites on the web.
Yujin Shim
Yujin Shim has a Master's degree in network security from Hanyang University in South Korea. He joined KISA (Korea Internet & Security Agency) in 2016 and has been working as a researcher since then. He has experience in developing various malware detection systems and is currently responsible for the development and operation of the Cyber Spider project.
Jonghwa Han
Jonghwa Han is a researcher at the Korea Internet & Security Agency (KISA). At KrCERT/CC, he has contributed to cyber incident detection and response, including the design, development, and operation of Cyber Spider's data lake, analytics platform, and large-scale honeynet systems. He has also conducted analysis of diverse incident datasets and CVE vulnerabilities. He is currently with KRNIC, the National Internet Registry (NIR) of Korea, where he is involved in planning and executing initiatives to ensure the security of Internet address resources.
Jung-Sik Cho
Jung-Sik Cho received a Ph.D. in information security engineering from Chung-Ang University in Korea. He currently serves as the Head of the Digital Incident Detection Team at KrCERT/CC, Korea Internet & Security Agency (KISA), where he leads various projects aimed at detecting and responding to cyber attacks.