Underground cybercrime profits in China have likely already exceeded US$15.1 billion (100 billion Chinese yuan); caused more than $13.8 billion (91.5 billion yuan) worth of damage relating to data loss, identity theft, and fraud; and will grow at an even faster pace as underground hackers expand international business operations to increasingly target foreign businesses, according to one report. Advanced hacking tools such as botnet, control server infrastructure, remote access tools, malware creation and obfuscation services, source-code writing services, and targeted exploitation toolkits are available on underground markets.
Other popular malicious tools and hacking services—such as spam and flooding services, denial-of-service or distributed denial-of-service attack scripts, compromised routers, and hijacked accounts—are also available in China on the black market. Criminal groups are well-organized and establish discreet buying and selling processes for malware and hacking services through QQ networks. (Tencent QQ is one of China’s most popular online communication and Internet service portals. It had more than 870 million active monthly users as of 2016. QQ users can communicate with each other or publish comments through QQ forums, shared space, QQ groups, and private chatrooms.)
Criminal groups also establish master-apprentice relationships to recruit and train new members to expand their criminal enterprise operations. All of these trends cost businesses in China and around the world tens of billions of dollars, as hacking tools sold online can be used to steal intellectual property or create social engineering attacks.
The Chinese cybercriminal underground market has become more sophisticated and service-oriented as China’s economy becomes more digital. Cybercriminal groups are well-structured with a clear division of work. Contrary to their American and Russian counterparts, Chinese cybercriminals do not rely on the Deep Web. McAfee research indicates that there has been an increasing number of organized crime groups that take advantage of burgeoning QQ networks. These organized crime groups typically possess clear mechanisms for their cybercrime operations. Malware developers usually profit by creating and selling their products online; they do not get involved in underground criminal operations. Their code often includes “backdoors” that offer them continued access to their software.
QQ hacking group masters (qunzhu, 群主), also known as prawns (daxia, 大虾) or car masters (chezu, 车主) by those in Chinese cybercriminal underground networks, are the masterminds of cybercrime gangs. QQ hacking group masters purchase or acquire access to malware programs from a malware writer or wholesaler. As shown in the following graph, QQ hacking group masters recruit members or followers, who are commonly known as apprentices, and instruct apprentices on hacking techniques such as setting up malicious websites to steal personally identifiable information or bank accounts. In most cases, QQ hacking group masters collect “training fees” from the apprentices they recruit. The apprentices later become professional hackers working for their masters. Apprentices are also required to participate in multiple criminal “missions” before they complete the training programs. These hacker groups are usually private: The group masters can accept or deny membership requests on QQ networks.
Black-hat training is growing in popularity on the black market due to high profit margins in the hacking business. Some hacker groups use these training programs to recruit new members. Once they complete the training, selected members will be offered an opportunity as apprentices or “hackers in training,” who later become full-time hackers responsible for operations such as targeted attacks, website hacking, and database exfiltration. (See the preceding graph.) The apprentices gain further experience by taking part in cybercrime schemes, including stealing bank account passwords, credit card information, private photos, personal videos, and virtual currency such as Q coins. The following screenshot is an example of black-hat hacker training materials offered by an underground hacker.
Training program offered by an underground hacker.
The Chinese cybercriminal underground business has become more structured, institutional, and accessible in recent years. A great number of QQ hacking groups offer hacking services. Just as in the real world, cybercriminals and hackers take online orders. Prospective customers can fill out their service requests—including types of attacks, targeted IP addresses, tools to be deployed—and process the payments online. For example, some QQ groups provide website takedown services, which can cost up to tens of thousands of yuan, depending on the difficulty of the tasks and the security level of a targeted system. There are also QQ groups that hire black-hat hackers to conduct attacks against commercial and government targets for profit. The following list shows many of the top activities:
- DDoS services
- Black-hat training
- Malware sales
- Advanced persistent attack services
- Exploit toolkits sales
- Source-code writing services
- Website hacking services
- Spam and flooding services
- Traffic sales
- Phishing website sales
- Database hacking services
Buying Hacking Services and Malware
Some hacking groups provide 24/7 technical support and customer service for customers who do not have a technical background. A hacking demonstration is also available upon request. Prices are negotiable in some cases. After agreeing on the price, the hacker-for-hire sends an email confirmation with detailed payment information. Prospective clients can transfer payments online through Taobao or Alipay. However, prospective customers are usually required to submit an upfront deposit, which can be as much as 50% of the agreed price. Once the service is complete, the hacker-for-hire will request payment on the remaining balance.
Steps in the hacking service transaction process:
- Negotiating price
- Making a deposit
- Demonstration (if requested)
- Beginning the hacking services
- Paying the balance
Buyers must submit full payment for software purchases such as malware, attack tools, and exploit toolkits.
Steps in the malware purchase transaction process:
- Negotiating price
- Paying in full for malware
- Receiving product or exploit kit
The Chinese cybercriminal underground mostly targets Chinese citizens and businesses. However, a growing number of criminal groups offer hacking services that target foreign websites or businesses. These underground criminal groups are stealthy and have gradually grown in sophistication through an institutionalized chain of command, and by setting master-and-apprentice relationships to expand their business operations. They offer a variety of malicious tools and hacking services through QQ networks and have established successful surreptitious transaction processes.
Follow all our research and stories like these on Twitter at @McAfee_Labs.