Trend Micro – TrendLabs Security Intelligence Blog

The Chinese Underground, Part 3: Virtual Assets Theft

  • Posted on: August 20, 2012 at 12:30 am
  • Posted in: Malware
  • Author: Trend Micro

This is part of a series of blog posts discussing the Chinese underground. The previous parts may be found here:

  • Part 1: Introduction
  • Part 2: The Four Value Chains

The full paper can be found here.

Virtual assets – in the form of currency, equipment, or membership in online games – have significant real-world value as well. This is particularly true in China, where online games are a very popular form of entertainment.

Despite this real-world value, laws protecting against virtual asset theft are neither well developed nor effectively enforced. Because of this, some members of the Chinese underground prefer to target these kinds of assets rather than real-money items.

The diagram below illustrates the value chain of virtual assets theft in China:

Broadly speaking, the value chain has three phases. First, the login credentials for online games are stolen via malware or phishing. In the next phase, the credentials are used to steal virtual assets such as in-game money, equipment, or even the account itself. Finally, the crime is monetized by selling these items in online marketplaces – for real money.

Terminology

The “theme” used for this part of the Chinese underground is “envelope” (xin feng, 信封; or xin, 信). This term is used to describe the stolen account information. Online web applications used for phishing are described as the “box” (xiangzi, 箱子). The process of stealing any valuable virtual assets from compromised accounts is known as “envelope-washing”, and each of the parties who carry this out is known as an “envelope-washing man” (xixin ren, 洗信人). The persons responsible for actually selling the stolen goods are known as “channel traders” (baoxiao shang, 包销商).

The masterminds behind the scheme are known as “Trojan writers” (muma zuozhe, 木马作者) or “Trojan agents” (muma daili, 木马代理). The graph below highlights the relationships of these various players in a typical scam:

The above graph illustrates the case of the Panda burning incense malware (熊猫烧香), which was exposed in 2007. Li served as ringleader and “Trojan writer”, with his accomplice Wang controlling a malicious server to which machines infected by the virus Li wrote were directed. This web traffic was, in turn, purchased by Zhang using a pay-per-install (PPI) scheme. Zhang installed the “Panda” malware (also supplied by Li and Wang) onto these machines, which sent the “envelopes” back to Zhang. “Envelope washing” ensued; the three leading parties ended up pocketing more than 235,000 renminbi – approximately 37,000 US dollars – between them. (Li required assistance from another member of the underground, Lei, to write the code.)

In the next post, we will discuss Internet resources and services abuse in the Chinese underground.


Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: Chinese underground

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.