Monday, 23. November 2015

Prototype Nation: Emerging Innovations in Cybercriminal China

Cybercrime doesn’t wait for anything or anyone. Two years after publishing our last report on the wares and services traded in the bustling Chinese underground, we found that the market’s operations have further expanded. From traditional malware, Chinese cybercriminals are now looking toward newer innovations and technologies to boost their operations.

The Chinese underground now

Our past explorations of the Chinese underground showed how quickly cybercriminals had adapted to technological advancements and trends. 2015 was no different, as evidenced by offerings like data dumps (either leaked or stolen) traded underground as well as new hardware like point-of-sale (PoS) and automated teller machine (ATM) skimmers for sale. The existence of these offerings shows just how well the underground has kept up with events in the real world.

Cybercriminals in China have made it easier for anyone to search for data dumps in the underground. CnSeu is an example of a forum used for trading leaked data. Anyone can buy and sell leaked data with forum coins or credit points that can be purchased on Alipay with corresponding amounts in RMB (RMB 1 = 10 forum coins = ~US$0.16).

While forums have been keeping cybercriminals connected with one another, the bad guys have managed to come up with even more ways to offer stolen data. They’ve built SheYun, a search engine specifically created to make leaked data available to users. SheYun has a government database that lets its users query information. Ironically, it also has a privacy-protection feature for those who wish to prevent their own data from appearing as search results.

Figure 1. SheYun’s search database contains leaked data ranging from bank account credentials to poker account information

Carding devices like PoS and ATM skimmers are also offered at fairly reasonable prices. PoS skimmers sold underground have an SMS-notification feature. This grants cybercriminals greater flexibility and convenience, allowing them to instantly get their hands on stolen data via SMS every time the tampered devices are used. It frees them from physically collecting stolen information. These skimmers can sell for US$788 while ATM skimmers cost US$1,261.

Also sold are mass-produced pocket skimmers or small magnetic card readers that can store track data from up to 2,048 payment cards. These do not need to be connected to a computer or even require an external power supply to function. Any unscrupulous store staff member can, for instance, swipe an unwitting customer’s card on a pocket skimmer in order to steal credit card data and later use it for fraud. Pocket skimmers sell for US$142.

Figure 2. Typical modus operandi that PoS skimmer sellers use

A reflection of the times

Two years is plenty of time in the Chinese cybercriminal underground. Since our last report on the wares and services traded in this bustling marketplace, its operations have further expanded. This new hardware and these new channels have gone beyond being mere proofs of concept, turning into working models that drive the cybercrime trends in China today.

An in-depth look at our investigations into this cybercrime community can be found in our paper, Prototype Nation: The Chinese Cybercriminal Underground in 2015. This investigation is part of our Cybercriminal Underground Economy Series (CUES), which looks at various online communities of cybercriminals.