Tweet

This is part of a series of blog posts discussing the Chinese underground. The previous parts may be found here:

The full paper can be found here.

Virtual assets – in the form of currency, equipment, or membership in online games – have significant real-world value as well. This is particularly true in China, were online games are a very popular form of entertainment.

Despite this real-world value, laws to protect virtual asset theft are neither well developed nor effectively enforced. Because of this, some members of the Chinese underground prefer to target these kinds of assets rather than real-money items.

The diagram below illustrates the value chain of virtual assets theft in China:

Broadly speaking, the value chain has three phases: first, the login credentials for online games are stolen via malware or phishing. In the next phase, the credentials are used to steal virtual assets such as in-game money, equipment, or even the account itself. Finally, the crime is monetized by selling these in online marketplaces – for real money.

Terminology

The “theme” used for this part of the Chinese underground is “envelope” (xin feng, 信封; or xin, 信). The said term is used to describe the stolen account information. Online web applications used for phishing are described as the “box” (xiangzi, 箱子). The process of stealing any valuable virtual assets from compromised accounts is known as “envelope-washing”, with each of the parties who carry these out known as a “envelope-washing man” (xixin ren, 洗信人). The persons responsible for actually selling the stolen goods are known as “channel traders” (baoxiao shang, 包销商).

The masterminds behind the scheme are known as “Trojan writers” (muma zuozhe, 木马作者) or “Trojan agents” (muma daili, 木马代理). The graph below highlights the relationships of these various players in a typical scam:

The above graph illustrates the case of the Panda burning incense malware (熊猫烧香), which was exposed in 2007. Li served as ringleader and “Trojan writer”, with his accomplice Wang controlling a malicious server where machines infected by the virus Li wrote were directed to. This website traffic was, in turn, purchased by Zhang using a pay-per-install (PPI) scheme. Zhang installed the “Panda” malware (also supplied by Li and Wang) onto these machines, which sent the “envelopes” back to Zhang. “Envelope washing” ensued; the three leading parties ended up pocketing more than 235,000 renminbi – approximately 37,000 US dollars – between them. (Li required assistance from another member of the underground, Lei, to write the code.)

In the next post, we will discuss Internet resources and services abuse in the Chinese underground.

Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog