Chinese Cybercrime Soars as Tools are Traded Online

The underground market for cybercrime products and services in China is booming, with both the number of participants and IM messages sent between those participants doubling last year, according to new research from Trend Micro.

The security vendor has been monitoring China’s cybercrime underground since 2011, in particular the near ubiquitous QQ messaging platform from Tencent which allows users to set up multiple chat groups of up to 2,000 contacts.

By the end of 2013, it discovered more than 1.4 million QQ Groups messages related to cybercrime and in the latter 10 months of that year, the number of messages sent and participant volume doubled from the same period in 2012.

In some months, the difference between 2012 and 2013 volumes was even greater.

In June 2013, for example, Trend Micro uncovered 109,222 messages – over 100,000 more than in the same month the previous year.

Another indicator of growing activity Trend Micro worked out is “participant per group per day” (PGD). In 2012 the figure was just 5.13, but this rose to 11.26 in 2013.

Messages per group per day (MGD) also soared – from 28.74 in 2012 to 62.56 last year, the report claimed.

The three most popular products/services in China were compromised hosts, distributed denial-of-service (DDoS) attack services, and remote access tools/Trojans (RATs).

Compromised hosts – which are typically used to distribute malware or spam, launch DDoS attacks or run complex computing tasks – were by far the most popular.

Trend Micro found these were offered on the underground market on a total of 35,112 occasions, compared to 16,471 for DDoS and 15,365 for RATs.

These aren’t the only products and services being offered, of course. The report details a wide variety starting at just $8 for 100 Windows XP bots.

China also has a burgeoning mobile cybercrime underground and Trend Micro monitored 11 related chat groups to see how far it's grown since 2012.

Although the number of messages sent by each QQ Group per day was roughly the same as that of the regular cybercrime underground and increased only slightly since 2012, the stats were different for PGD.

The report had the following:

“We determined the mobile PGD and found that it significantly increased from around 11 in 2012 to around 29 in 2013. This means that each mobile underground group in 2013 had around 29 participants per day, almost 2.5 times as many as in 2012. The mobile PGD was more than double the overall PGD in 2013 as well.”  

SMS spamming services were by far the most popular being touted on the underground market, followed by SMS servers and premium service numbers.

It should be noted that the criminal activity Trend Micro looked at in this report is very much financially motivated and as such usually remains within the Middle Kingdom, unlike the notorious state-sponsored espionage aimed at foreign targets.

What’s Hot on Infosecurity Magazine?