China’s Cybercrime Marketplace Boomed in 2013: Trend Micro

2013 was a good year for cybercriminals in China, according to a new report from Trend Micro.

By all indications in the report, China’s cyber crime market was bustling in 2013. Between March 2012 and December 2013, Trend Micro monitored nearly 500 chat groups communicating via the QQ instant messaging service.

By the end of 2013, the firm had obtained 1.4 million publicly available messages from the groups it was monitoring. According to the report, the number of messages in the groups doubled in the last 10 months of 2013 compared to the same period in 2012 – a sign of serious growth in cybercrime activity.

“Based on the ID of the senders, we also believe that the number of participants has also doubled in the same period,” blogged Lion Gu, a senior threat researcher at Trend Micro.

QQ, which is developed by Tencent, is a popular way for buyers and sellers in the underground to talk. Often, the groups peddling crimeware use certain jargon to help new visitors find what they are looking for, according to the report. 

“The ads for underground products and services are always shorter than those found in dedicated underground forums or websites,” the report notes. “Unlike the latter, however, the ads on QQ are more frequently updated. By determining popular words used for underground products and services, one can identify which QQ Groups would be useful to monitor then review the activities of those with the biggest number of users.”

The most sought-after products and services in the Chinese underground market are compromised hosts, DDoS attack services and remote access tools. Botnets went for a variety of prices. A botnet with 100 Windows XP bots, for example, cost $8; one with 100 Windows Server 2003/2008 bots cost $48.

Two of the most popular DDoS attack services offered are SYN flooding and HTTP GET flooding.

“Cybercriminals who want to launch DDoS attacks can purchase DDoS kits from the Chinese underground,” according to the report. “DDoS kits refer to tools that allow a remote user to control several systems to send a large amount of network packets to a target site. Apart from SYN and HTTP GET flooding use, DDoS kits can also be used for Internet Control Message Protocol (ICMP), User Datagram Protocol (UDP), ACK, and other kinds of flooding attacks. Compromised systems—either compromised hosts or dedicated servers—that would send the packets to targets are also available underground.”

These kits go for a variety of prices, ranging from $81 for a one-month rental to $323 for a year.

In addition, the country has an emerging mobile underground economy featuring SMS spamming services, SMS servers and premium service numbers.

“Cybercriminals are also going where the users are,” blogged Gu. “Many of the malicious goods being sold in the underground economy are targeted at mobile users, as opposed to PC users. A mobile underground economy is emerging in China (something we noted earlier this year), and this part of the underground economy appears to be more attractive and lucrative than other portions.”

“In sum, the Chinese underground market players are keeping pace with the developments in the security landscape,” the report states. “They no longer just peddle malicious wares to attack PC users but also to attack the rapidly growing mobile device market. This should serve as another reminder to all [computers] or any Internet-connected device to always be security-aware to live a threat-free digital life.”

The report can be read here.

Written By

Marketing professional with a background in journalism and a focus on IT security.
