Attacks/Breaches

9/3/2014
05:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

In China, Cybercrime Underground Activity Doubled In 2013

Forget intelligence gathering. Financially motivated cybercrime is booming behind the Great Wall.

China has become infamous for politically motivated intelligence gathering, but new research from Trend Micro shows that a financially motivated, politically independent cybercrime underground is alive and growing behind the Great Wall, as well.

The new report shows that Chinese cybercrime underground activity doubled between 2012 and 2013. According to Trend Micro CSO Tom Kellermann, it has likely tripled since then.

Further, Kellermann says, these criminals are not just targeting victims in other countries. The targets include "the bourgeois, nouveau-riche Chinese elite who have profited from capitalism" in a country with a dwindling middle class.

The Chinese government "has been focused externally... on information dominance and espionage," Kellermann says. The technological skills cultivated by the country's leaders are coming back to hurt them in the form of new cybercriminals "who are not beholden to the regime. They believe money is God and believe that crime has evolved with technology."

Other recent Trend Micro research shows that the Chinese underground is largely focused on mobile device/services attacks -- Android-based products in particular -- and charges customers a premium for that work.

The most sought mobile crime products and services are SMS spamming, premium service numbers, and SMS servers. SMS spamming is relatively inexpensive, ranging from $50 for 5,000 text messages ro $460 for 100,000 messages. Premium service numbers -- used to subscribe mobile users to unwanted services and charge them a fee for it -- run from $2,500 per year to $36,000 per year. SMS servers -- radio frequency hardware that forces nearby phones to disconnect from legitimate base stations and connect to the attacker's SMS server instead -- cost $7,400.

The reasons for the higher price tags, says Kellermann, are that mobile attacks require more creative code and can offer bigger payoffs. For one thing, mobile payments are more popular in Southeast Asia than they are in the United States, which makes mobile devices more attractive.

"I'd pay more" for mobile attacks, "because I can hack your life," he says. "If the [mobile] device is an extension of yourself, then I can hack you."

In comparison, the most popular nonmobile attack tools are quite affordable. DDoS toolkits can be rented for $81 per month. RAT "licenses" range from $97 to $258 per year, depending on the software. Even the new DNS attack services cost only $323.

The attack products and services appear to be sophisticated and professional. However, the methods the criminal marketplace uses to communicate are not.

The communication tool of choice is QQ groups, a feature of the QQ instant messaging app. Unlike most organized criminals in Eastern Europe, who often rigorously vet customers before working with them, these Chinese groups make themselves quite available to the general public. A simple search of QQ groups turns up results like the "China DDoS and Hacking Service Group."

Download the full report here.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
9/5/2014 | 1:38:05 PM
Re: Very interesting ... not surprising
And anyway Sara well done, the post is very interesting as the choice of the argument.

We must share this data

Regards

Pierluigi
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
9/5/2014 | 1:36:57 PM
Re: Very interesting ... not surprising
Hi Sara,

experts at TrendMicro already published an excellent report on Chinese Mobile Underground that probably is the segment more prolific in the Chinese black market.

I anticipate you that also Brazilian underground is very prolific ... 

so stay tuned waiting further reports.

Warm regards

Pierluigi
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
9/5/2014 | 11:52:38 AM
Re: Very interesting ... not surprising
@securityaffairs  I'm glad that you're not surprised by the findings, but I expect that a lot of people WILL be. It seems that many people -- even those in the security community -- are confused by the very idea that there are hackers in China who are motivated by money, not nationalism.
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
9/5/2014 | 4:14:45 AM
Very interesting ... not surprising
The report, as usual, is very interesting and full of precious data. I'm not surprised for the findings of the study, financially motivated attacks will continue to increase also behind the Great Wall.

Chinese underground is very prolific (as the Russian one), and technological evolution of the country will advantage the scaring escalation of criminal activities in China.
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Empathy: The Next Killer App for Cybersecurity?
Shay Colson, CISSP, Senior Manager, CyberClarity360,  11/13/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15769
PUBLISHED: 2018-11-16
RSA BSAFE Micro Edition Suite versions prior to 4.0.11 (in 4.0.x series) and versions prior to 4.1.6.2 (in 4.1.x series) contain a key management error issue. A malicious TLS server could potentially cause a Denial Of Service (DoS) on TLS clients during the handshake when a very large prime value is...
CVE-2018-18955
PUBLISHED: 2018-11-16
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resour...
CVE-2018-19311
PUBLISHED: 2018-11-16
Centreon 3.4.x allows XSS via the Service field to the main.php?p=20201 URI, as demonstrated by the "Monitoring > Status Details > Services" screen.
CVE-2018-19312
PUBLISHED: 2018-11-16
Centreon 3.4.x allows SQL Injection via the searchVM parameter to the main.php?p=20408 URI.
CVE-2018-19318
PUBLISHED: 2018-11-16
SRCMS 3.0.0 allows CSRF via admin.php?m=Admin&c=manager&a=update to change the username and password of the super administrator account.