    This is part of a series of blog posts discussing the Chinese underground; the introductory post can be found here. The full paper can be found here.

    Broadly speaking, the Chinese underground operates with four distinct but inter-related value chains. These are:

    1. Real money theft
    2. Virtual assets theft
    3. Internet resources and services abuse
    4. Blackhat techniques, tools, and training

    We’ll discuss each chain in its own separate blog post. For now, we will concentrate on the first: real money theft.

    More and more users in China are participating in online commerce. 37.8% of Chinese Internet users, or 194 million users, had engaged in online shopping by late 2011. 167 million and 166 million users took part in online payment and online banking systems, respectively. This large volume of users engaging in commerce online, using real money and real goods, has attracted large numbers of cybercriminals.

    Broadly speaking, the chain for real money theft in China is not too different from those elsewhere, as seen in the chart below:

    There are many similarities between real money theft elsewhere and in China. Phishing, info-stealing malware, identity theft, and information theft are all part and parcel of information theft syndicates elsewhere. Similarly, the profit methods are not particularly different: money transfers and fake credit cards feature prominently as well.


    What particularly distinguishes the Chinese underground from those of other countries is its use of its own unique terminology. Stolen credentials are referred to as “materials” (liao, 料). “Materials” that contain encrypted banking information are referred to as “track material” (gui dao liao, 轨道料) or “track” (gui dao, 轨道). By direct analogy, persons involved in buying and selling these “materials” are known as “material masters” (liaozhu, 料主).

    The “material” theme continues to the money laundering phase, which is known as “material washing” (xi liao, 洗料). A money launderer is known as a “material washing man” (xi liao ren, 洗料人). The process of manufacturing fraudulent cards and using them at ATMs or POS terminals is known as “cargo unpacking” (shua huo, 刷货). The persons who actually withdraw money from ATMs are known as “car drivers” (che shou, 车手); they act under the control of a “car master” (che zhu, 车主).

    A good example of this particular value chain can be found in the TopFox case, which was exposed in 2008-2009. The principal suspect of the case was a malware author nicknamed TopFox, who also acted as this scheme’s “material master”. Three different “material washers” were involved in monetizing the stolen “materials”: one participated in credit card fraud; a second “washer” paid a blackhat hacker to remove transfer limits from accounts and promptly transferred funds from the stolen accounts; the third “washer” was in contact with a “car master” and his associated “drivers”. The full relationship of these different operators can be seen in the following graphic:

    None of the criminals knew each other personally; they only met online and only saw each other in person after their arrests by Chinese law enforcement. The Internet allowed this loosely organized cybercrime gang to organize, communicate, and coordinate their activities. It is estimated that they made more than 1.4 million renminbi in illegal profits (more than 220,000 US dollars at current exchange rates).

    In the next post, we will discuss other value chains in the Chinese underground.

    © Copyright 2013 Trend Micro Inc. All rights reserved.