TrendLabs Malware Blog - Trend Micro
    Author Archive - Lion Gu (Senior Threat Researcher)

    We first lifted the veil on activities in the Chinese cybercriminal underground in 2012. Since then, we have continually reported about notable changes or activity found in this black market.

    A few months ago, we noted that the Chinese underground has continued to grow, as the cost of connectivity and hardware continues to fall and more users go online with poor security precautions in place. In short, it’s a good time to be a cybercriminal in China.

    One of the more notable features of the Chinese underground is its mobile market. With China’s booming mobile market, there’s little surprise that cybercriminals have begun targeting mobile users. Some of these underground businesses and services even target mobile users alone. These tools and services are the focal point of my presentation at this year’s AVAR conference in Sydney, Australia.

    Mobile Economy

    One of the products sold in the underground is the premium service abuser. These are apps that subscribe users to premium services without their consent or knowledge. As a result, users are charged subscription fees that end up in the hands of malicious app developers.

    While premium service numbers are often assigned to qualified service providers, these numbers are also sold in the underground. Some malicious app developers buy premium service numbers from legitimate service providers and use these for nefarious purposes.

    The underground market also offers services that reflect situations that are unique to China. One prime example would be app rank boosting services. Most mobile users in China rely on third-party app stores for their apps, especially since there is no official app store for Android. In order to boost the rankings of their apps, cybercriminals often create dummy accounts to download and write positive reviews. Users who see these reviews may then be convinced to download the suspicious or malicious apps.

    When people think of spamming services, they assume that cybercriminals simply send messages to all possible numbers. That is not entirely true. Spammers actually filter out unused phone numbers to save time and money. They employ phone scanning services to know the current status of phone numbers, including whether their users are online or not, or if they are still actively used. Phone numbers that pass scanning are called “real numbers” and are targeted by spammers and telephone fraudsters.

    Where Users Go, Cybercriminals Follow

    As the mobile market in China continues to grow, so will the cybercrime threat. Cybercriminals go where their users – and potential profits – are. As the number of users in the Chinese mobile landscape grows, so will the number of users at risk from these threats. This also means that we may see an increase in the variety of threats, so new kinds of threats beyond what we see in the current threat landscape are almost certain to appear.

    By providing an overview of the existing threat landscape, we hope that both users and mobile service providers are able to protect themselves and their networks against these threats.

    Posted in Mobile | Comments Off on Tracking Activity in the Chinese Mobile Underground

    The Chinese underground has continued to grow since we last looked at it. It is still highly profitable, the cost of connectivity and hardware continues to fall, and there are more and more users with poor security precautions in place.

    In short, it is a good time to be a cybercriminal in China. So long as there is money to be made, more people may be tempted to become online crooks themselves.

    How can we measure the growth of the Chinese underground economy? We can look at the volume of their communications traffic. Many Chinese cybercriminals talk via groups on the popular Chinese instant messaging application QQ.

    We have been keeping an eye on these groups since March 2012. By the end of 2013, we had obtained 1.4 million publicly available messages from these groups. The data we gathered helped us determine certain characteristics and developing trends in the Chinese underground economy.

    First, the number of messages showed that the amount of underground activity in China doubled in the last 10 months of 2013 compared with the same period in 2012. Based on the IDs of the senders, we believe that the number of participants also doubled in the same period.

    Figure 1. Number of underground-related messages identified on QQ per month


    Cybercriminals are also going where the users are. Many of the malicious goods being sold in the underground economy are targeted at mobile users, as opposed to PC users. A mobile underground economy is emerging in China (something we noted earlier this year), and this part of the underground economy appears to be more attractive and lucrative than other portions.

    Our latest paper in the Cybercrime Underground Economy Series titled The Chinese Underground In 2013 contains the details of these findings related to QQ, as well as other updates dealing with the Chinese underground.

    Posted in Mobile | Comments Off on The Chinese Underground In 2013

    The availability of affordable mobile Internet access has changed the computing landscape everywhere. More and more people are using mobile devices both for work and for entertainment. China is no exception. According to a report published by the China Internet Network Information Center (CNNIC), 81% of Chinese Internet users went online using their mobile phone in 2013. The CNNIC also reported that China ended 2013 with 618 million Internet users and 500 million mobile Internet users.

    This change in user behavior is affecting the cybercriminal underground. Cybercriminals are now more likely to target mobile users, with some “businesses” in the cybercrime underground economy that are specifically aimed at mobile users. One particular business that has found success inside China is sending SMS spam.

    Just as email has been abused by spammers for many years, mobile users are now receiving large amounts of SMS spam as well. Like their email counterparts, SMS spam is used to advertise various products as well as lead users to malicious sites. Sending these messages is cheap, too: sending 100,000 messages can cost only about $450.

    One way SMS spam is sent to these users is using a GSM modem. These modems are devices which, when attached via USB to a PC, can send out text messages to multiple users in a very small amount of time. The device is controlled using an application on the PC. Basic devices will have only one SIM card, but more advanced versions (also known as a GSM modem pool) will use multiple antennas and SIM slots to send SMS messages more quickly. A 16-slot GSM modem pool (like the device below) can send up to 9,600 text messages per hour. They are available for approximately $425 each.

    Figure 1. A GSM modem with 16 SIM card slots

    Other tools that can be used include Internet short message gateways. These are devices provided by mobile carriers to allow service providers to send large numbers of text messages. Alternatively, an “SMS server” can also be used; these use a software-defined radio (SDR) to impersonate a cellular base station, and when phones connect to this “base station” they all receive SMS spam instead.

    Sending spam is only the tip of the iceberg when it comes to these threats. My paper titled The Mobile Cybercriminal Underground Market in China examines similar products, as well as other items for sale in the Chinese cybercriminal underground. The paper offers an overview of some of the basic underground activities in the China mobile space, as well as some of the available products, services, and their respective prices.

    Posted in Bad Sites | Comments Off on The Mobile Cybercriminal Underground Market in China

    The Chinese underground has played host to many cybercriminals over the years. In the research brief titled Beyond Online Gaming Cybercrime: Revisiting the Chinese Underground Market, we provide some details of the current state of the Chinese underground economy. Last year, we looked into this underground sector, and this brief is a continuation of those efforts.

    Gathering knowledge about the Chinese underground economy is not particularly difficult, but does pose some challenges. The sites and markets that make up this underground economy are not visible to the public, but are hidden in forums and QQ chat groups. While many underground economies are organized via underground forums, the use of QQ chat groups is unique to China. These sites use their own jargon to name and describe their groups, but cybercriminals familiar with their jargon can easily find what they want.

    In some ways, the Chinese underground is similar to other legitimate economies: it offers a wide variety of products and services at a variety of price points. The services offered include:

    • Distributed Denial of Service (DDoS) kits and servers
    • Remote Access Tools (RATs)
    • Detection evasion services
    • Compromised webhosts
    • Phishing kits
    • Stolen user information
    • Webshells

    In all of these cases, a robust and healthy ecosystem exists, with cybercriminals being able to purchase their chosen product at a variety of price points.

    For example, for denial of service attacks, cybercriminals can choose to rent dedicated servers to mount more large-scale attacks. A modest Atom-based server can cost 599 RMB (US$98.50) a month; a more powerful Xeon server with a 1Gb/s connection can cost 2100 RMB (US$345) a month.

    The variety of prices is most evident in the sale of webshells, scripts that allow an attacker to maintain control over a compromised site. Sites with low page rankings on Baidu and Google can cost around 220-300 RMB (US$36-49) for a bundle of 270 sites; sites with higher page ranks can go for as much as 999 RMB (US$164).

    We hope that this paper will help readers understand the Chinese underground, in order to understand the kind of threats that users are likely to face from these threat actors and prepare the necessary defenses accordingly.

    Posted in Malware | Comments Off on A Tour Through The Chinese Underground

    With Android’s steady growth in the US market and other parts of the world, it’s no surprise that the Android OS is also becoming more and more popular in China. Many users choose Android-based devices because of their powerful functions, the variety of phone models, reasonable prices, and the large number of applications. A consequence of this widespread usage is that the Android OS is now the second-largest smartphone OS in China.

    This growth of Android users in China, however, seems to do little for the rocky relationship between Google and the Chinese government. It has been reported that access to the Google Android Market has been intermittent since 2009 (access to the Android Market was last reported blocked in October, but was unblocked again three days later).




    © Copyright 2013 Trend Micro Inc. All rights reserved.