This is part of a series of blog posts discussing the Chinese underground. The previous parts may be found here:
- Part 1: Introduction
- Part 2: The Four Value Chains
- Part 3: Virtual Assets Theft
- Part 4: Internet Resources And Services Abuse
- Part 5: Blackhat Techniques, Tools, and Training
The full paper can be found here.
Now that we’ve discussed the architecture of the Chinese underground, we can look at its size and scale: namely, how much money is being made.
How Much Money?
With the knowledge of the four value chains in mind, it is possible to look at publicly reported numbers of cybercrime loss, match these to parts of the Chinese underground, and get a reasonable estimate for the total losses to users in China in 2011.
Unsurprisingly, targeting banks and other financial institutions directly for theft is the most profitable. The authors estimate that losses at banks due to information theft (primarily phishing) total 67 million US dollars. Losses at third-party payment services were even larger, however – these were estimated at 262 million US dollars.
The take from stealing virtual assets from online games is similarly impressive. The estimate for losses here totals 225 million US dollars. While the losses per user are believed to be relatively small, this was made up for in volume, with an estimated 3.84 million users suffering losses in 2011.
In the area of abused resources and services, it was more difficult to gather precise estimates due to the variety of potential ways that attackers can profit. By focusing on just three aspects, however, the authors were able to get a good estimate: compromised hosts (71 million US dollars), infected mobile devices (157 million US dollars), and hacked websites (70 million US dollars).
How Big Is It?
To get an in-depth view of the communications in the Chinese underground, the authors examined two common communication methods used: Baidu web forums and QQ chat groups.
Baidu web forums are organized as “post bars”, with all forums operated by Baidu known collectively as the Baidu Post Bar. Each post bar is accessed by entering a keyword into the Baidu site; if the bar has not been created previously it is created at that time. Using 84 known keywords from the four value chains, 129 post bars dedicated to cybercrime were discovered, with 23 more post bars discovered that had already been banned by Baidu itself.
QQ chat groups, meanwhile, are private groups whose members use the QQ instant-messaging application to communicate with each other. While these groups are private in nature, they advertise for new members on publicly available forums. The researchers were able to find 2,738 chat groups dedicated to cybercrime. Due to resource constraints, they joined only the 130 largest groups.
From this considerable amount of data, the researchers were able to make a significant number of findings about the underground, the people inhabiting it, and the connections within it. We’ve put some of the findings in this blog post; the full findings can be found in the paper itself.
Based on the Baidu data, the number of posts and participants has gone up every year since 2004. The only year which showed any slowing of growth was 2009, which saw almost no growth in the number of posts from the previous year. This may be attributed to anti-cybercrime legislation which passed in February 2009, as well as other law enforcement efforts in that year. As of 2011, there were more than 90,000 unique participants in the Chinese underground economy.
Within any given year there is also a pattern of activity. January and February have relatively little activity, perhaps due to the Chinese New Year holiday. Traffic peaks from the June to August period, which is also the summer holiday of schools. It is possible that increased usage of online gaming and shopping during this time increases the amount of criminal activity as well.
By looking at the ads (both for-sale ads and want-to-buy ads) posted, it is possible to see which aspects of the underground are in high demand. Some parts of the underground have plenty of both; bank information, compromised hosts, and malicious Trojans for sale fall in this category. However, in almost all cases, the number of for-sale ads exceeds the number of want-to-buy ads. The two notable exceptions are blackhat training and website traffic, both of which have more want-to-buy ads than for-sale ads.
The information gathered in this study provides significant insight into the nature of the Chinese underground community. Information from cybercrime underground communities has proven invaluable to Trend Micro threat researchers in providing timely threat intelligence that helps provide solutions and protection for users all over the world.
For the full details of this research paper, readers may download the full paper titled Investigating China’s Online Underground Economy.