Look out CISOs: The Chinese cybercriminals are coming

The media narrative around Chinese cyber-attacks follows a well-worn path which will no doubt be familiar to most of you. It’s all about shadowy, government-sponsored operatives stealing foreign state secrets and sensitive IP for the geopolitical and economic benefit of Team China. Less well understood, however, is the cybercrime underground as we know it in the West – populated by financially motivated gangs in it for their own benefit.

Trend Micro has been at the forefront of research in this field and its latest report will be more than a little concerning for information security professionals in western firms. It paints a picture of a Chinese-language cyber black market rapidly expanding to include more foreign targets.

When search engines go bad

Chinese cybercriminals have always been at the forefront of innovation and the report shows that the past year has been no different. One interesting new appearance on the underground sites of the non-indexed ‘Deep Web’ is search engines for leaked data. Some, like SheYun, are free of charge and actually make money by offering a privacy protection feature for victims.

“Usually, SheYun's users want leaked data including rich info about users, such as: usernames, passwords, email addresses, phone numbers and so on. SheYun offers a full-text search for such data. Criminals can search for possible victims from SheYun to develop further attacks, including targeted attacks and massive attacks,” report author Lion Gu told me by email.

“SheYun only charges the users who want to remove records from search results of certain keywords. That costs 100 yuan [£10] per keyword. This is important: the money comes from people wanting to suppress leaked data, not those trying to access it.”

Other black-market search engines like PassBase and TuoMiMa charge users a minimal 68 yuan (£7) per year to access their “database of dumps”. The idea is that with such data, cybercriminals will be able to amass the digital identities of those whose personal information has been compromised. This could then be used to craft a convincing spear phishing email – potentially leading to rich pickings if the organisation a victim works in hasn’t put effective security measures in place. The data could also be used to send out mass email/SMS spam messages, or even to attempt identity fraud on an individual basis.

Turning outwards

The concern for western CISOs is that an increasing volume of compromised data from outside China is appearing in these underground search engine repositories.

“According to our observations, most cybercrime is driven by money. The major ‘customers’ and victims are still Chinese, so it is primarily inward facing,” Gu explained.

“But this marketplace is expanding gradually and is involving more foreign targets. For example, credit card dumps and compromised hosts from other countries are available in this marketplace. So we see these criminals expanding their focus outwards.”

CISOs and IT security managers are already at full stretch keeping customer data and sensitive IP safe from the clutches of nation state operatives and mainly Eastern European cybercriminals. But if the massed hordes of China’s cybercrime underground begin to turn their focus outwards, there’ll be even greater pressure to shore up cyber defences, which will probably require some groveling to the CFO. There are obviously challenges for the Chinese cyber crook wanting to launch financially motivated cyber-attacks on western targets – not least cultural and language barriers. But it’s not beyond the realms of possibility that they could form loose virtual alliances with native language speakers to overcome these hurdles.

CISOs around the world will be hoping that, for now at least, there are enough rich pickings inside the Middle Kingdom to keep them occupied with domestic targets.


Phil Muncaster

Phil Muncaster has been writing about technology since joining IT Week as a reporter in 2005. After leaving his post as news editor of online site V3 in 2012, Phil spent over two years covering the Asian tech scene from his base in Hong Kong. Now back in London, he always has one eye on what's happening out East.
