The online underground in China: Part 1

August 23, 2012

Posted in: Network Security Trends

China is a source of advanced persistent threats, a source of espionage and intrigue. Cloak and dagger stuff. But it is also home to a burgeoning online underground, which is hard to quantify, harder to control, and enjoys a great deal of freedom despite efforts to crack down on it. For the first time, a report analyzes this underground, finds out how it works, and quantifies it.

The Chinese underground caused, by conservative estimates, some 5.36 billion RMB (about $852 million in U.S. dollars) in damage in 2011, and it involves over 90,000 people. China has the largest community of Internet users on earth: there were 513 million Internet users in December 2011, 356 million of them by mobile phone. The number of communications and online entertainment users has exceeded 300 million, while eCommerce application users total some 160 million.

A 2012 Tencent QQ report surveying 2,000 Internet users showed that 45.5% had experienced theft of IM accounts and 32% had had game accounts hacked. Phishing messages have also increased, resulting in hijacked payments (5.8%) and stolen online bank accounts (5.6%).

The four value chains are:

  • Theft of real assets: Money from stolen bank accounts or credit cards

  • Network virtual assets: Stealing virtual currency or equipment from online gaming accounts and selling them for real money

  • Internet resources and services abuse: Taking advantage of hacked Internet resources (hosts, servers, infected smart phones)

  • Blackhat techniques, tools and training: Selling Trojans and attack tools to provide technical support for cyber criminals, and training services to “newbies”

The theft of real assets begins primarily with the theft of login credentials using phishing and Trojans. Once the money is stolen, the criminals move to the money-laundering phase. They may simply sell the credentials on the underground market, or they may impersonate the victim to transfer money or manipulate stock holdings to obtain real assets.

They obtain fake IDs, withdraw cash from ATMs, or commit fraud at the point of sale.

The TopFox case is a representative example. One participant wrote and executed the Trojan TopFox, stealing thousands of user names and passwords. Another person purchased the authentication information and transferred it to a third, who found someone to create counterfeit ID cards and bank cards. He in turn hired several individuals to make withdrawals from the bank accounts.

The pattern is typical: the individuals never met each other until they entered the courtroom. They communicated solely via the Internet, and fees were paid out to all participants, including the blackhat service providers.

China’s video game and online entertainment industry has grown hugely popular over the last decade, but in-game “gear” has become a target for cyber crime. Gear is acquired either by spending real money or by accumulating it over time through much effort. In a sense it has real value that cyber criminals can turn into profit. But courts have been slow to recognize that value, and cyber criminals have taken advantage by seizing the opportunities in this legal “gray area.”

The cyber thieves steal authentication credentials using phishing and Trojan techniques. They then log in and steal virtual assets: virtual currency and game gear. Finally, they earn real money by selling the stolen assets to game players on online markets.

A famous example of this type of crime was the “Panda burning incense” case, named after the Panda virus. The gang wrote the Trojans and installed them on many hosts, collecting the stolen information via email. The gang then sold the logins downstream, where others used them to steal the virtual assets and sell them to eager buyers.
