
Investigating China's Online Underground Economy

Zhuge Jianwei, Gu Liang, and Duan Haixin July 2012

Abstract: China's online underground economy supports a variety of cybercrimes and has expanded rapidly in recent years, but its structure and economic impact are not well understood. In this paper, we describe four distinct value chains for cybercrime and provide empirical analysis of their characteristics, thus presenting the current state and emerging trends of the criminal economy on the Chinese Internet. Our estimation shows that in 2011 the overall damage caused by the Chinese online underground economy exceeded 5.36 billion RMB (852 million USD) and that it involved over 90,000 participants. Activity and participation in the online underground economy are expected to continue to rise unless effective countermeasures are taken by law enforcement agencies. By correlating four high-profile cybercrime cases with activity in our datasets of underground markets, we show how it is possible to monitor online underground markets to support the investigation of cybercrime cases.

Keywords: China; online underground economy; information security; cybercrime

Contents

1 Introduction ... 4
2 Literature Review ... 7
3 Structural Analysis of the Online Underground Economy ... 9
  3.1 Real Assets Theft Value Chain ... 10
  3.2 Network Virtual Assets Theft Value Chain ... 13
  3.3 Value Chain of Internet Resource and Service Abuse ... 16
  3.4 Blackhat Techniques, Tools, and Training Value Chain ... 19
4 Empirical Analysis of the Online Underground Economy ... 22
  4.1 Empirical Analysis Methodology ... 22
  4.2 Statistical Analysis of the Online Underground Economy ... 24
  4.3 Empirical Analysis of Underground Markets ... 30
  4.4 Correlation between Cybercrime Cases and Underground Market Activity ... 43
5 Discussion and Conclusion ... 45
Acknowledgements ... 47
References ... 48
The Institute on Global Conflict and Cooperation (IGCC) ... 53

Authors
Zhuge Jianwei is an Associate Professor at the Network and Information Security Lab (NISL), Network Research Center at Tsinghua University, China. Before he joined Tsinghua, he was an associate professor at Peking University. He received his Ph.D. in Computer Science at Peking University in 2006, under the supervision of Prof. Xuan Wang, with the IBM Ph.D. Fellowship Award, Microsoft Fellow Award, and PKU Young Investigator Award. Dr. Zhuge's research interests include network security, network measurement, and system security. He has led numerous research projects with grants from the National Natural Science Foundation of China (NSFC), the Ministry of Science and Technology of China, the Ministry of Education of China, and the Ministry of Industry and Information Technology of China. Several projects finished with the highest evaluation results from the sponsors, and the resulting technology and systems have been put into practice. He has more than 20 publications in well-known international conferences including AsiaCCS, FIRST, ICICS, IAW, and WEIS, and in first-class journals in China including the Chinese Journal of Computers, Journal of Software, and Journal on Communications. He teaches several classes for graduate and undergraduate students at Tsinghua, and has published a textbook entitled Network Hacking and Defense: Technology and Practice.

Gu Liang is a threat researcher at Trend Micro, Inc., a provider of top-ranked client, server, and cloud-based security solutions that protect data in physical, virtualized, and cloud environments. His research focuses on malware analysis, mobile security, and the underground cybercriminal economy. He holds a Bachelor of Electronic Information Engineering from Tianjin University of Technology.

Duan Haixin is a professor in the Network Research Center of Tsinghua University and a member of CCERT and the CERNET Network Center. He is currently a visiting scholar at the International Computer Science Institute affiliated with the University of California, Berkeley. Prof. Duan received his Ph.D. in Computer Science from Tsinghua University. His research interests include network intrusion detection, DNS security, and anonymous communication.

Editorial support: Jon Lindsay (jrlindsay@ucsd.edu) and Lauren Reed.

Introduction

The number of Chinese Internet users ranked first in the world in 2008, and the Chinese Internet has continued to develop at an incredible speed. According to the latest China Internet Network Information Center (CNNIC) report, as of December 2011 there were 513 million Chinese Internet users, 356 million of whom access the Internet with mobile devices. The number of users of communication and entertainment applications, such as instant messaging and online games, exceeded 300 million, while e-commerce applications (online shopping, online payment, and online banking) also experienced a steady rise in subscribers, totaling over 160 million [CNNIC 2012]. At the same time, however, Chinese Internet users frequently encounter a variety of security threats. According to a Tencent QQ [QQ 2012] survey of 2,000 Internet users, 45.5% of users have experienced theft of instant messaging accounts and 32% have had their game accounts hacked. False bonus phishing messages are increasing in frequency, resulting in hijacked payments or stolen online banking accounts for 5.8% and 5.6% of users, respectively. In late 2011, the massive compromise of user information from the Chinese Software Developer Network (CSDN) and Tianya websites raised wide concern in the Internet user community [CSDN Case 2012]. On March 15, 2012, CCTV exposed that employees of several banks had sold customer privacy information, leading to the theft of over 3 million RMB from dozens of users' online banking accounts [CCTV 2012]. These cases have brought personal information security issues to the forefront of public attention.

Behind most of these Internet security threats there exists, in the shadows, an underground economy of online crime. Driven by the prospect of easy economic gain, cyber criminals use a variety of techniques to exploit the weak links of personal information protection and network security. They are organized within a complicated underground economy, which has a clear division of labor and multiple value chains. They endanger the safety of public property by seizing a large amount of illegal income. With the continuing development and growth of the online underground economy, cyber-criminals have also established a large number of hidden markets in the dark corners of the Internet. These illegal markets provide criminals with a platform for trading and communications by linking myriad components of the underground economy in cyberspace, thus providing logistical and operational support. Internet miscreants take covert actions to perform a variety of online attacks to maximize profits. Unlike traditional crimes such as drug trafficking, the online underground economy profits by attacking Internet users, and almost all of the illegal goods, services, and theft involved rely on the Internet for transmission. The transactions and communications that occur in illegal markets also take advantage of legal Internet services and applications; thus the Internet as a whole provides a platform for the underground economy.

While one might think that underground markets would be hidden, they are actually relatively open in order to attract new participants and enhance efficiency. When using the publicly accessible Internet, participants in the underground economy use idiosyncratic jargon to conceal themselves from public scrutiny. Criminal argot and culture provide a window for researchers well versed in the structure of the underground economy and its terminology to investigate it by measuring illegal markets. Criminals also use other methods to evade law enforcement, including creating anonymous Instant Messenger (IM) and Web forum accounts, fraudulently using identity information, and concealing IP addresses. Although a global issue, the online underground economy in China is unique in many ways. This can be attributed to the differences between the Chinese language, economy, legal system, regulatory environment, and Internet culture and those of Western countries. Therefore, an in-depth investigation of the Chinese underground economy, and a comparison of it with related research from Western countries, will help global collaboration to deal with cybercrime. Thus far, the Chinese underground economy has not received much attention from the research community. The existing work includes summary analyses [Chen 2006; Du 2007] and case studies [Zhuge 2008a; Zhuge 2008b], yet a comprehensive analysis of the structure, size, and characteristics of the Chinese online underground economy is missing from the literature. This paper extends our previous research [Zhuge 2008a] and provides the first structural and in-depth investigation using empirical data to analyze the Chinese online underground economy.
The major contributions of this paper include:

(1) A comprehensive and in-depth structural analysis of the Chinese online underground economy, focusing on the primary value chains and implementation techniques, and identifying operational phases and participant roles.
(2) The first detailed estimate of the overall damage caused by the online underground economy of information security and of the total population victimized by these attacks. This estimate was derived from our analytical investigation, drawing upon reports from security vendors and the government. We estimate that the overall damage to the Chinese economy exceeds 5.36 billion RMB (852 million USD), and that in 2011 110.8 million Chinese users (about 22%) and 1.1 million websites (20%) were victims of some variant of the underground economy.
(3) A description of the current state of the online underground economy and an analysis of trends and implications for information security in China, based upon long-term continuous measurement of the underground markets on Web forums and in QQ chat groups.
(4) An evaluation of the effectiveness of monitoring underground market activities to support the investigation of cybercrime cases, through correlating public information about cybercrime cases with our monitored information from underground markets.

The rest of this paper is structured as follows: section two reviews related work; section three introduces a structural analysis of the Chinese online underground economy; section four presents the methods and results of an empirical data analysis; section five closes with a discussion and conclusion.

Literature Review

The underground economy of information security is certainly not limited to China; it is a global issue. In developed countries where online shopping and payment are popular, the underground economy is well developed and includes credit card fraud, leakage of private information, and abuse of Internet resources. Rob Thomas et al. [Thomas 2006] exposed an underground market devoted to financial fraud and built on the Internet Relay Chat (IRC) protocol. They revealed a variety of trades and the dangers thereof, but did not systematically analyze the structure of the economic chain. Jason Franklin et al. [Franklin 2007] were the first to empirically monitor and analyze the underground economy. They monitored underground markets for seven months, carefully investigating behavioral regularities, characteristics of participants, and traded goods or services. Their results helped the security community recognize network security threats driven by the underground economy. In this paper, we use the method of empirical analysis established in the field for analyzing underground markets, but we apply it to Chinese underground markets on the Internet, providing an analysis unique in terms of structure and contents. Unlike IRC, the Web forums used in the Chinese underground markets retain a long history of participant activity, allowing us to monitor eight years of trading information. As a result, we can conduct a more comprehensive analysis of the evolution of underground markets as well as future trends. Holt et al. [Holt 2007] quantitatively analyzed 300 discussion threads in six Web forums aimed at private information theft. They created a typology, measured the distribution of goods traded on the market, and conducted price analysis. They also analyzed participant characteristics and their roles and relationships in the markets.

Similarly, we chose to analyze the trading of certain goods in the markets, including banking information, online game accounts and passwords, compromised hosts, website traffic, and Trojan malware. These goods were chosen because they are representative of the main goods of the four different value chains. From our analysis of eight years of data from various Chinese underground markets, we derived the average monthly prices of important goods, and discovered that market prices vary according to supply and demand as well as the number of participants. However, in [Heely 2010] the authors found that previous estimates of the size of low-tier IRC markets were enormously exaggerated. The goods offered in these markets, such as stolen credit card numbers, were only used to cheat new entrants or attract business: they were easy to acquire but hard to monetize. We saw the same phenomenon in Chinese underground markets: many posts were complaints reporting that some posts or participants were deceptive. Although genuine and fraudulent offers are mixed together (a mixture of pearls and fish eyes, as the Chinese idiom goes), underground markets still play an important role in information security, as they link the components of the various underground value chains together.

More sophisticated methodologies can be found in later studies on botnets [Stone-Gross 2009], [Li 2009], phishing [Cova 2008], spam [Kreibich 2009], [Kanich 2008], [Levchenko 2011], click fraud [Daswani 2007], [Christin 2010], and malware infection through pay-per-install services [Caballero 2011], all of which provide deeper and more comprehensive investigations into specific security threats driven by the underground economy in cyberspace. In this paper we apply these methodologies to investigate the Chinese online underground economy. In addition, we also explore statistical data published by professional security companies and law enforcement departments in 2011 to investigate security threats driven by China's online underground economy. The Chinese underground economy of information security does not attract enough concern from the Chinese security community and law enforcement agencies. [Chen 2006] studied the status of the Chinese online underground economy and enumerated seven value chains, including theft of private information, hacker training, and online game monetizing. However, the authors did not systematically analyze the structure of the online underground economy, nor did they monitor the online underground market empirically. CNCERT/CC published a report [Du 2007] estimating that annual trading through the Chinese underground economy exceeded 230 million RMB in 2007, although it did not publish the method used to calculate that value. The authors of this paper have investigated the underground economy of virtual asset theft on the Chinese Internet for several years. In [Zhuge 2008a], we analyzed the theft of virtual assets using an empirical methodology and offered the first structural analysis of such activity. By monitoring various underground markets on Baidu Post Bar and Taobao, we analyzed the current state, scale, and distribution of participants in these markets.

Additionally, by monitoring sample websites in China, we found that 1.49% of the websites monitored had been embedded with some form of malware or Trojan. Such a high rate of compromised websites reveals the seriousness of the threats posed by the online underground economy. This paper is an extension of our previous research [Zhuge 2008a]. In this paper we comprehensively analyze the structure of the Chinese online underground economy and its ways of monetization. With the help of a variety of security monitoring systems developed by mainstream Chinese security vendors and government security departments, we estimate in detail the scale of the online underground markets and the number of users affected. Finally, using a more extensive and long-term analysis of underground markets residing on Web forums and in QQ chat groups, we map the evolution of the Chinese online underground economy as well as its future trends.

Structural Analysis of the Online Underground Economy

Based on our investigation and analysis of the profit model and the relational structure of the online underground economy, we delineate its overall structure as depicted in Figure 1. The overall economy includes four value chains:

(1) Real assets theft: stealing money from stolen bank accounts or credit cards.
(2) Network virtual assets theft: stealing virtual currency or equipment from stolen online gaming accounts and selling them for real money.
(3) Internet resources and services abuse: taking advantage of hacked Internet resources, including compromised hosts, hacked servers, and infected smartphones, with the intention of abusing these Internet services for profit.
(4) Blackhat (malicious hacker) techniques, tools, and training: selling Trojans and attack tools to provide technical support for cybercriminals, and training services for industry newcomers (newbies).

The four value chains are interdependent: (1) the blackhat techniques, tools, and training value chain acts as the economic base, providing a technical foundation for the other three value chains; (2) the Internet resources and services abuse value chain builds on the techniques, tools, and training industry to provide network resources for real assets theft and network virtual assets theft; (3) all participants in the online underground economy can obtain profits in the real world, so they are not driven by necessity. The driver of all four industries is the tremendous illegal profit, which spurs the continuous development and expansion of the online underground economy of information security. In this section, we conduct an in-depth analysis and interpretation of the four underground value chains shown in Figure 1, proceeding with a structural analysis of the value chains, participant roles, key industry terminology, and typical case studies.

Figure 1. The Overall Structure of the Chinese Online Underground Economy

3.1 Real Assets Theft Value Chain

Real assets theft is the primary motivation in many cybercrime cases that occur in China. Cyber criminals can obtain direct profits or money because real assets and personal financial information are involved, thus seriously jeopardizing users' real property. Online shopping, online payment, online banking, and other e-commerce applications are rising steadily in China. By late 2011, the number of online shopping users reached 194 million, comprising 37.8% of all Internet users. Online payment and online banking users also rose to 167 million and 166 million, respectively [CNNIC 2012]. A large user base, as well as the enormous scale of property, has attracted many cyber criminals to participate in the real assets theft value chain.

3.1.1 Structural Analysis of the Real Assets Theft Value Chain

China's Internet real assets theft value chain has evolved over the years; its current form is reflected in Figure 2.

Figure 2. The Structure of the Real Assets Theft Value Chain

Real assets accessible on the Internet include balances of online banking accounts, credit limits, balances of online payment accounts, and stock and fund accounts, among others. As most of these accounts use passwords as credentials for online login, account and password information are the first targets of cybercriminals. The theft of account and password information constitutes the first phase of the underground value chain. On the Chinese Internet, cyber criminals generally exploit two techniques, phishing and Trojan horses, to acquire account and password information. Phishing uses both social engineering and technical means (usually a fraudulent email designed to dupe the user into voluntarily loading malicious software) to steal personal identity data and financial account credentials. Trojan horses are malicious code that steals users' online banking, credit card, online payment, stock and fund, and other account information. Besides these two techniques, some criminals also use telephone fraud, bank card copying, or other means to steal account and password information and bank card encryption information. Cyber-criminals often rely on such offline mechanisms, which are illustrated in Figure 2 with dotted lines.

After cyber-criminals harvest the account and password information of real assets accounts, they proceed to the money-laundering phase of the cybercrime. They may sell the information on the underground market, or they may organize a group to impersonate the victim in order to transfer money or manipulate stock and fund accounts to obtain the real assets. In order to evade detection by law enforcement, cybercriminals apply for bank cards with fake or purchased ID information. Money-laundering strategies include transferring money from the victim's account to the criminal's account by using a fake ID, withdrawing cash from an ATM, or performing bank or credit card fraud through point of sale (POS) terminals.
3.1.2 Criminal Roles and Slang in the Real Assets Theft Value Chain

Banking credentials are known as materials (liao) in the jargon of the underground value chain. Stolen information that contains bank card encryption data is often referred to as track material (gui dao liao) or simply track (gui dao). A criminal who steals and sells bank encryption information is referred to as a material master (liaozhu) in the underground real assets theft market. The money-laundering phase is called material washing (xi liao), and the criminal who performs it is called a material washing man (xi liao ren). The procedure of counterfeit card copying and ATM/POS fraud is called cargo unpacking (shua huo); the group leader is called the car master (che zhu), and the person who visits the ATM (the cowboy in Western slang) is called a car driver (che shou).


3.1.3 Case Study of Typical Real Assets Theft

The TopFox cybercrime case exposed by CCTV on March 15, 2009 [TopFox report 2009], also known as the Jing X, Xu Wei-X, Xu Wen-X, et al. credit card fraud and theft case [TopFox Case 2008], is a typical Internet real assets theft case driven and organized by the online underground economy. According to the criminal trial records [TopFox Case 2008], as shown in Figure 3, Xu (nicknamed TopFox) performed the roles of Trojan writer and material master. He developed the TopFox Trojan horse program and disseminated it on the Internet, thereby stealing thousands of personal accounts and passwords. Jin performed the role of the material washing man by buying the material from Xu through the underground market. He then transferred the material to another material washing man, Xu Wen-X. Xu Wen-X found a car master named Gong, who counterfeited the victims' ID cards and bank cards. Gong then hired several car drivers to withdraw the balances from the stolen bank accounts. After successfully obtaining the funds, Gong paid Xu Wen-X and Jin their share of the profits. Jin also cooperated with another material washing man named Fang, who hired a blackhat nicknamed ONaNa from the underground market to remove the payment limits set on the online banking accounts, so that the money could be transferred. Fang divided the profits to pay Jin for the material and ONaNa for the blackhat service. In addition, Jin decided to perform his own credit card fraud to wash the material: he used the victims' credit cards to buy game cards, and then sold the game cards at a lower price than market value. This case exemplifies the nature of the interactions between criminals in the value chain of real assets theft on the Internet. None of the criminals had ever met each other face-to-face until they were arrested and taken to court. They communicated and cooperated via the Internet, where they specialized in different capacities to form a complex multi-stage crime.

Collectively, their skills covered a variety of money-laundering techniques, including money transfers, credit card fraud, and the creation of counterfeit bank cards. The gang made more than 1.4 million RMB in illegal profits and divided the funds according to the economic and social laws of the online underground economy, including paying a commission to everyone and fees for the material and blackhat services. In order to increase the benefits to all participants, the group committed the cybercrime again and again. The Internet provided a perfect environment for the loosely organized cybercrime gang to thrive.


Figure 3 The Roles and Relationships Among the Criminals in the Topfox Case

3.2 Network Virtual Assets Theft Value Chain

China's video game and online entertainment industries have been booming over the past decade. Most of the popular online games or entertainment systems have introduced virtual currency, equipment, and membership to enhance the gaming experience and earn more profit. Gamers must either pay real money for virtual assets or invest a lot of time to earn them. Through online markets, these virtual assets can be sold to other players and converted into real-world money. In this sense, virtual assets have real value; for gamers, they are a very close substitute for real assets in cyberspace. However, Chinese regulatory law to protect virtual property is still in its infancy, and is neither comprehensively developed nor effectively enforced. Virtual property rights are not included in the scope of existing consumer rights in the Consumer Protection Act. While in some cases judges have made rulings that consider the commercial value of virtual assets, it is still difficult to measure the exact value of virtual assets and to provide them with effective protection. Cyber-criminals are well aware of these problems with the justice system and exploit its legislative defects to make illegal profits at a lower legal risk than real assets theft.


3.2.1 Structural Analysis of the Network Virtual Assets Theft Value Chain

The network virtual assets theft value chain of the Chinese Internet is comprised of three phases, as shown in Figure 4. In the first phase, cyber criminals steal account and password information for online gaming accounts using phishing or Trojans. In the second phase, the so-called envelope-washing phase, they log in to the online system with the stolen credentials and steal virtual assets such as virtual currency and game equipment. Alternatively, they sometimes change the authentication password of every account to an easily remembered number, or change the settings to allow for more membership. In the last phase, cyber criminals sell the stolen virtual assets to game players through the online market to earn real-world profits.

Figure 4 The Structure of Network Virtual Assets Theft Value Chain

3.2.2 Roles and Slang in the Network Virtual Assets Theft Value Chain

In the network virtual assets theft value chain, account and password information for a variety of online games and entertainment software is known as the envelope (xin feng, or simply xin) or the mailbox (youxiang). Online Web applications that harvest envelopes are known as the box (xiangzi). Those who create Trojans are known as Trojan writers (muma zuozhe) or Trojan agents (muma daili), while those who perform the envelope theft attacks are referred to as Trojan buyout men (baoma ren). After the Trojan buyout men (the packagers) steal the envelopes, they typically sell them in bundles to the envelope-washing man (xixin ren), who uses manual or automated tools to log in to the accounts to steal network assets or to take control of valuable accounts. This entire process is called envelope-washing. Stolen network virtual assets are then sold to channel traders (baoxiao shang) through legal sale channels, at which point the virtual assets are finally sold to gamers for real money.
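As an added example (not code from the paper or its monitoring system), the following Python script shows how the measurement approach of section 2 and the slang of sections 3.1.2 and 3.2.2 can be combined into a simple market monitor: each forum post is tagged with a value chain by the pinyin jargon it contains, RMB price quotes are extracted, posts complaining about deceptive sellers (the "pian zi" complaints noted in section 2) are excluded from pricing, and average monthly prices are computed per value chain. The sample posts are constructed for illustration, and the term lists, regular expressions, and function names are this example's assumptions, not the paper's keyword set.

```python
import re
from collections import defaultdict
from statistics import mean

# Pinyin slang from sections 3.1.2 (real assets theft) and 3.2.2 (virtual
# assets theft). Which terms to match is this example's assumption; the paper
# does not publish the keyword set of its monitoring system.
SLANG = {
    "real_assets": ["gui dao liao", "gui dao", "liao zhu", "xi liao",
                    "shua huo", "che zhu", "che shou"],
    "virtual_assets": ["xin feng", "you xiang", "xiang zi", "bao ma ren",
                       "xi xin", "bao xiao shang"],
}


def term_pattern(term):
    """Match a pinyin term written with or without spaces between syllables
    ('xi xin' also matches 'xixin ren'), anchored on word boundaries so that
    short terms do not fire inside unrelated words."""
    return re.compile(r"\b" + r"\s*".join(term.split()) + r"\b")


PATTERNS = {chain: [term_pattern(t) for t in terms] for chain, terms in SLANG.items()}

# Price quotes in RMB; the "<number> RMB" convention is assumed for the samples.
PRICE_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:rmb|yuan)\b", re.IGNORECASE)

# Complaint posts (pian zi = swindler). Their prices describe a scam, not a sale.
COMPLAINT_RE = re.compile(r"\bpian\s*zi\b|\bscam\b|\bcheat", re.IGNORECASE)


def classify(text):
    """Return the set of value chains whose slang appears in the post."""
    lowered = text.lower()
    return {chain for chain, pats in PATTERNS.items()
            if any(p.search(lowered) for p in pats)}


def extract_prices(text):
    """All RMB amounts quoted in the post, as floats."""
    return [float(m.group(1)) for m in PRICE_RE.finditer(text)]


def is_complaint(text):
    return COMPLAINT_RE.search(text) is not None


def monthly_average(posts, chain):
    """Average quoted price per month (YYYY-MM) for one value chain, skipping
    complaint posts and posts that quote no price."""
    by_month = defaultdict(list)
    for post in posts:
        text = post["text"]
        if is_complaint(text) or chain not in classify(text):
            continue
        by_month[post["date"][:7]].extend(extract_prices(text))
    return {month: round(mean(prices), 2)
            for month, prices in sorted(by_month.items()) if prices}


# Constructed sample posts, not real market data.
SAMPLE_POSTS = [
    {"date": "2011-03-02", "text": "Selling gui dao liao, fresh track material, 800 RMB per set, liaozhu here, contact QQ"},
    {"date": "2011-03-15", "text": "Need xi liao ren, che shou wanted in Guangzhou, 30% commission"},
    {"date": "2011-03-20", "text": "Xin feng for sale in bundles, 1.2 RMB each, xixin ren welcome"},
    {"date": "2011-04-05", "text": "baoma ren selling fresh xin feng 0.9 RMB per envelope, box (xiangzi) stats available"},
    {"date": "2011-04-09", "text": "Warning: the liaozhu selling gui dao at 500 RMB is a pian zi, took my money"},
    {"date": "2011-04-22", "text": "baoxiao shang buying game coins, pay 2.5 RMB per 10k"},
]

if __name__ == "__main__":
    for chain in SLANG:
        print(chain, monthly_average(SAMPLE_POSTS, chain))
    print("complaint posts:", sum(is_complaint(p["text"]) for p in SAMPLE_POSTS))
```

On the constructed posts this yields an average of 800 RMB for real-asset "track material" in March 2011 (the April quote of 500 RMB is discarded because the post is a scam complaint) and 1.2 RMB and 1.7 RMB per envelope for virtual-asset goods in March and April. A production monitor would need the Chinese-character forms of the terms, a per-unit normalization of prices, and de-duplication of reposted advertisements, none of which the sketch attempts.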


3.2.3 Case Study of Network Virtual Assets Theft

The case of the Panda burning incense virus in Xiantao City was the most famous cybercrime episode of 2007. It exposed the complicated underground value chain of network virtual assets theft [Panda report 2007]. The principal offender, Li, with help from his master, Lei, authored the Panda virus in October 2006. Over the next few months, he disseminated the virus to infect many chickens (compromised hosts), which then connected back to a website controlled by his accomplice, Wang. Another accomplice named Zhang, whom Wang introduced to the process, bought website visitor traffic so that he could deliver the Trojans by way of the PPI (pay-per-install) model. The computers infected by the Panda virus automatically downloaded and executed the Trojans, which stole the envelopes of the online gaming software on those computers and sent them back to Zhang via email. Zhang then sold the envelopes on the underground market at prices between 0.9 and 2.5 RMB. Those downstream from him washed the envelopes to steal the network virtual assets from the accounts. Zhang paid Li and Wang in a routine manner: Li made profits of 145,149 RMB, Wang 80,000 RMB, and Zhang 12,000 RMB. In this case, as detailed in Figure 5, Li performed the role of the Trojan writer in the underground value chain by providing the Panda virus and the detection evasion service. Lei, as Li's master of the blackhat technique, provided the virus-writing training and support. Wang and Zhang performed the roles of Trojan agent and Trojan buyout man, respectively. Zhang purchased the Panda virus and the compromised-host resource from Li and Wang; he also bought online game-stealing Trojans from the underground market and implanted them in all of the infected computers. His goal was to steal the envelopes in order to sell them on the underground market for illegal profit.

Figure 5 The Roles and Relations Between the Criminals Involved in the Panda Case


3.3 Value Chain of Internet Resource and Service Abuse

Today's Internet really reflects the old Chinese adage, "if you have money, you can make the ghost push the millstone for you; if you haven't money, then the ghost will let you push the millstone for him." As long as some online resource or service can generate economic benefit, there will be someone out to exploit it for personal gain. Even non-tradable resources and services can be abused to produce profit, for example through blackmail or extortion.

3.3.1 Structural Analysis of the Value Chain for Internet Resource and Service Abuse

Abuse of Internet resources and services has developed in a piecemeal fashion due to the absence of comprehensive governance and industry regulation. Figure 6 depicts the structure of the underground value chain, which includes both theft and abuse of resources. The most popular and important resources on the Internet include computing capacity, storage, bandwidth, IP addresses, network traffic, and sensitive data. On the Internet, more resources mean more power for the owner, and cyber-criminals abuse such resources and power for illegal economic gain, undermining what Internet regulation does exist. Currently, the most popular technology for controlling a large number of networked computers is the botnet, which uses a one-to-many command and control mechanism to construct a powerful army of controlled bots or zombies, as the individual infected hosts are known. A botnet provides cyber-criminals with a strong attack platform. On the Chinese Internet, most bots are installed through malicious email or messaging, exploitation of vulnerabilities, drive-by downloads, and bundling with Trojans. Another method blackhats use to control a large number of networked computers is hanging-on software, installed by users who willingly allow their computer to be used while idle in the hope of making money. In this model the blackhats perform no illegal network attack; instead they run multi-level marketing (MLM) schemes that pay a pittance to lure Internet users into contributing their computer and network resources to the blackhat operation. Web servers, as special computers, have high commercial value; the page views and clicks of their visitors are coveted by blackhats, who profit through these mechanisms. Blackhats use website hacking techniques to gain these resources illegally or purchase them on the underground black market. In addition, business servers and the sensitive data they hold are also objects of blackhat abuse.
In recent years we have seen the same variety of malicious code that targets PCs emerging for smartphone platforms. Furthermore, smartphone platforms are exposed to new and more dangerous security threats, because they often hold more private information and are directly linked to the ability to make credit card charges. Currently, the primary mechanisms for disseminating malicious code for smartphones include malicious bundled applications, email, and text messages. Once blackhats steal or obtain Internet resources, they sell them on the underground market. Malicious attackers buy these resources to attack Internet users or services for economic benefit. In the hosts controlled by a botnet, malicious attackers can further implant a variety of phishing tools such as online banking Trojans to perform real assets theft. Additionally, they can implant phishing tools or gaming Trojans to steal network virtual assets. The stolen computing and network resources can also be used for spamming, DDoS attacks and extortion, click fraud, rank and vote cheating services, theft of private information, and various other illegal or manipulative activities. Over computers running hanging-on software, blackhats have the same degree of control as over the bots of a botnet, so these hosts face all the aforementioned risks as well. In general, though, to keep the MLM mechanism credible among the proxy users and to keep these hosts viable as resources for future attacks, the operators of hanging-on software are unlikely to attack these computers directly. Their profit model is therefore typically limited to providing spamming services, launching DDoS attacks and extortion, performing click fraud, and providing rank and vote cheating services. Still, because it is difficult to establish professional ethics in illegal markets, in many cases blackhats will implant malicious Trojans into these hanging-on hosts in order to steal real assets, virtual assets, or private information. In the smartphone field, profit models that steal and abuse the resources of infected smartphones are developing rapidly, and include: malicious charging, SMS and MMS spamming, click fraud, PPI fraud, rank/credit/vote cheating services, and theft of private information.


Figure 6 The Structure of Internet Resource and Service Abuse Value Chain

3.3.2 Roles and Slang in the Internet Resources and Service Abuse Value Chain

In the resource theft phase of the Internet resources and services abuse value chain shown in Figure 6, participants must master a certain number of blackhat techniques and tools to launch attacks. These participants are called hackers (heike, ), i.e., crackers or blackhats. They are the major source of network attacks driven by economic profit. The participants in the abuse phase do not need to master any blackhat techniques, because they are generally provided with easy-to-use tools. At the same time, these participants can directly obtain real-world profits through various underground profit channels. This phase of the value chain therefore attracts a large number of network criminals.

3.3.3 Case Study of Internet Resource and Service Abuse

The Swordsman DDoS case [Swordsman Case 2009] was tried in the court of Huqiu District, Suzhou City, Jiangsu Province in November 2009 and is a typical case of Internet resources and services abuse. According to the court trial records: from March 27 to March 31, 2009, defendants Hu and Li used swordsman stress test software to control a large number of online chicken machines (compromised hosts), and then launched DDoS attacks against the online game server located at an Internet data center (IDC) in Longjiang, Nanjing. This attack led to heavy congestion at the IDC and crashed several game servers. The defendants then used the incident as blackmail to extort 500 million silver units of the company's game currency. Finally the company complied, and the defendants sold the virtual currency for 18,750 RMB. The court found the defendants guilty of destruction of computer information systems. Hu was sentenced to two years and six months in prison; Li received two years and four months. The swordsman stress test () DDoS attack software used in the attack had been available on the underground market for a long time. Its authors had set up a dedicated post bar named jkddos and a website with the domain name www.jkddos.com to promote their products. An online ad posted on December 29, 2008 explained that the software writers not only sold the attack software at the cheap price of 788 RMB per license, but also gifted 500 compromised hosts with the purchase, and would perform DDoS attacks on a website of the customer's choosing. The defendants bought the attack software and numerous chicken resources through the underground market, and then used the chickens to perform DDoS attacks. After that, they extorted virtual assets from the victim and finally converted them into real profit through the underground markets [Swordsman Report 2009]. This is a typical case that reflects the structure and the roles of participants in the Internet resources and services abuse value chain as shown in Figure 6.

3.4 Blackhat Techniques, Tools, and Training Value Chain

Blackhat techniques have a profound impact on the formation and development of the online underground economy of information security because they penetrate all aspects of the underground value chains. Blackhat techniques provide the engine that drives the online underground economy.

3.4.1 Structural Analysis of Blackhat Techniques, Tools, and Training Value Chain

The blackhat community provides its expertise to the online underground economy in two different forms: products and services. As shown in Figure 7, the blackhats discover software vulnerabilities, write a variety of malware or attack tools, and then sell the vulnerabilities or malicious programs to cybercriminals in the other three value chains of the online underground economy. Without these products, low-tech cyber-criminals have no capacity to engage in cybercrime. In terms of services, the blackhats will also accept temporary employment to launch attacks assigned by the employer. In addition, some blackhats provide paid training services to new entrants (newbies), or train them for free in exchange for free labor. In this way, the blackhat community supplies fresh blood to the online underground economy.


Figure 7 The Structure of Blackhat Techniques, Tools, and Training Value Chain

3.4.2 Roles and Slang of the Blackhat Techniques, Tools and Training Value Chain

In the jargon of the online underground economy, blackhat activities are known as hackers' jobs (heike renwu, ). While the blackhats who accept the tasks are typically called hackers (heike, ), in reality they should be called crackers, since they use their expertise for illegal purposes. Blackhat training services are often advertised as "seeking an apprentice" (shoutu, ), and if newbies want to learn blackhat techniques, they publish an ad that says "seeking a master" (baishi, ). Horse (ma, ) is short for Trojan horse (muma, ), and usually refers to a Trojan that steals account login credentials for online banking, payment, gaming, and other websites. The blackhats who write Trojan horses are dubbed Trojan writers (muma zuozhe, ). In addition to Trojan products, hackers also provide detection evasion (miansha, ) services for their Trojan products to ensure that the Trojans cannot be detected or disabled by anti-virus (AV) software. 0day or zero-day refers to an attack using a newly discovered software vulnerability for which the vendor has yet to release a corresponding security patch. These attacks usually occur without public disclosure and are known only to the discoverer and a small number of his customers. Because of their power to exploit targets, 0day vulnerabilities and exploits are very valuable attack resources in the online underground economy.

3.4.3 Case Study of Blackhat Techniques, Tools and Training

The case of the blandness (wenrou, ) Trojan gang [Blandness Report 2009] is a typical case where blackhat techniques and tools were provided to the online underground economy. In this case, hundreds of people across 16 provinces were involved. The amount of related illegal income seized by the police exceeded 30 million RMB, and allegedly accounted for more than 50 percent of the Trojan blackhat market share at the time.


The two hackers, defendants Lu and Zeng, lived in Shenzhen, Guangdong at the time. During the trial it was made known that from June 2007 to August 2008, they wrote Trojans for over 40 popular online games to steal the login credentials of gamers' accounts. Zeng was seeking a partner or buyer, and in February 2008 the defendant Yan accepted Zeng's offer. Yan named the Trojans the blandness horse ( ) series, after his girlfriend's nickname, blandness. Yan, a sales agent, asked Lu to modify the Trojans to adapt to different online games. Yan subcontracted to another sales agent, Zhang XX, through the blackhat market, and charged according to the service time. Before their arrest, Lu and Zeng developed 28 models of the blandness Trojan for different online games, stealing more than 5.3 million login credentials. Lu and Zeng made 645 thousand RMB in profits, while Yan made 310 thousand RMB. Lu, Zeng, Yan and 11 other defendants were found guilty of providing tools of intrusion into computer information systems and illegal access to computer information systems. They were sentenced to three years in prison and six months of probation.

4 Empirical Analysis of the Online Underground Economy

Having described the structure of the online underground economy, we now turn to the task of empirically measuring its characteristics and dynamics.

4.1 Empirical Analysis Methodology

To perform a more in-depth investigation of the current state and trends of the Chinese online underground economy, we collected and analyzed information from a variety of sources. Our methodology includes estimating the overall damage of the online underground economy, the number of threatened people, and the distribution of participants and businesses in the online underground economy. We also confirmed that data monitored from the online underground economy can be used to prevent cybercrime and to provide evidence in cybercrime cases. We used the following data sources to support our investigation of the current state and trends of the online underground economy:

(1) Security threat monitoring reports and statistical information published by the leading Chinese security vendors and national security regulatory departments. We collected the annual security reports for 2011 and other special reports on related subjects published by Antiy Lab, Kingsoft, Qihoo 360, Rising, Tencent QQ, NetQin and Knownsec. The statistical information on different types of security threats was published by the Anti-Phishing Alliance of China (APAC), the National Computer Network Emergency Response Technical Team Coordination Centre (CNCERT/CC) and other national network security regulatory departments.

(2) Records from the court cases and media reports of certain cybercrime cases driven by the online underground economy. We used a subscription database of legal cases to obtain the official case records and found media coverage of the cases for supplemental information.

(3) Advertisements and messages from the Chinese Internet underground markets. After conducting basic research to gain an in-depth understanding of the online underground economy, we were able to locate the majority of underground black markets on the Chinese Internet. By tapping into these platforms we were able to continuously monitor the advertisements and messages within the underground markets.
Among these three data sources, the first two are searchable and accessible through open channels, while data from the underground black markets are not, because they are located in the hidden channels of clandestine criminal information publishing and communication. In major western countries, the online underground economy typically uses Internet Relay Chat (IRC) to build black market advertising and communication channels. However, due to the unique usage behavior of Chinese Internet users, the Chinese online underground economy employs different channels for advertising and communication, such as Web forums and QQ chat groups. In the online underground economy there are different social roles and value chains, and participants always hope that their own published supply and demand information will be visible to other participants, enabling a deal to be made on favorable terms for more substantial returns. Thus, Internet miscreants often choose simple and convenient ways to build the underground market, relying on jargon to increase concealment on a best-effort basis. On the Chinese Internet, the underground markets are built mainly on two types of platform: Web forums and QQ chat groups. Baidu Post Bar has been claimed to be the largest Chinese web forum on the Internet. It provides a keyword-based forum organization, as well as a loose and convenient login and post mechanism. As a result it has attracted a large number of participants in the online underground economy. Certain slang terms are used as keywords to build underground black markets, such as the material (liao, ) post bar. Normal Internet users who are not aware of the terminology of the online underground economy will not access such a hidden post bar, simply because they do not know the term. Even if someone enters accidentally, he or she would not understand the meaning of the advertisements or messages in the black market. In our research we deciphered the meaning of the vast majority of terms, and through exhaustive slang keyword searches we have been monitoring many underground markets built on Baidu Post Bar. In searching a total of 84 terms from the four value chains explained previously (alongside the terms for targets, e.g. online games and online banking), we discovered 129 post bars dedicated to the underground market. We also found 23 post bars, named with the most common terms of the industry, that had been banned by Baidu operators.
Since Baidu Post Bar is a public web forum, it retains historical entries for all post records. Not only did we use the search engine to continuously monitor and copy the posts in the underground black markets, we were also able to retrieve historical records and add them to the database for further statistical analysis. A greater number of underground black markets are built on Tencent QQ chat groups than on Baidu. They are popularized either by posting advertisements in the web forum-based black markets or by including slang keywords in the name and description of the group so that participants find them when searching. Participants can search for and apply to join the groups, and the group operators verify the applications to determine whether the applicants belong to the underground community; on this basis they decide whether to accept the applicant. Because we had deciphered the jargon, we could use jargon keywords to search for black-market groups, taking advantage of the search function provided by the Tencent QQ software. We searched for a total of 84 jargon keywords and discovered 2,738 QQ chat groups dedicated to underground markets. Due to workload and time constraints, we selectively joined only the 130 largest groups (the others were too small), and continuously monitored them from March to May 2012.


After monitoring and retrieving the underground market information, we wrote two programs to parse the data and insert them into a MySQL database, one for Baidu Post Bar and one for Tencent QQ chat groups. To locate the anonymous users engaged in the markets on Baidu Post Bar, we used the ChunZhen ip2location database to query the province, city and specific address of each IP range. We also wrote a number of stored procedures to eliminate repeated messages, tag goods and behavior types, and so on. We then performed a detailed analysis of the size and trends of the underground markets, the number and distribution of participants, and the distribution of business types, in order to gain a better understanding of the online underground economy. Based on the information we collected, we present the results of our empirical data analysis in the following sections. In Section 4.2, we estimate the overall damage done by the online underground economy and the threat it poses to the population, based on the statistical data published by the mainstream security vendors and national regulatory departments. In Section 4.3, we present the results of our empirical data analysis, highlighting the characteristics and trends of the Chinese online underground economy. Finally, in Section 4.4, we correlate the published information on typical cybercrime cases with the data collected directly from the underground market dataset. Through this analysis we show how the measurement of underground markets can support cybercrime investigations.
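As an added illustration of the pipeline described above (not code from the paper's authors), the following Python program mimics the parse, deduplicate, tag and aggregate steps: it loads constructed advertisement records into an in-memory SQLite table (standing in for the authors' MySQL database), drops verbatim duplicates by content hash, tags each post with a value chain by matching the pinyin jargon terms listed in Section 3, classifies supply versus demand by the ad's leading verb (a constructed convention), and resolves the poster's IP against a constructed region table in place of the ChunZhen ip2location database. The advertisements, IP ranges and the keyword-to-chain map are all assumptions made for the example.

```python
"""Toy version of the Baidu Post Bar / QQ group monitoring pipeline.

Added example, not the paper's code. The jargon map uses the pinyin terms
the paper lists (spelling assumed); the ads, dates and IP-range table are
constructed; SQLite stands in for MySQL and for the ChunZhen lookup.
"""
import hashlib
import re
import sqlite3
from ipaddress import ip_address, ip_network

# Jargon keyword -> value chain (pinyin terms as given in the paper).
JARGON = {
    "xinfeng": "virtual_assets_theft",  # "envelope": stolen game credentials
    "xixin": "virtual_assets_theft",    # "envelope washing"
    "liao": "real_assets_theft",        # "material": bank/card data
    "ddos": "resource_abuse",
    "miansha": "blackhat_tools",        # detection evasion service
    "shoutu": "blackhat_tools",         # "seeking an apprentice"
    "baishi": "blackhat_tools",         # "seeking a master"
    "0day": "blackhat_tools",
}

# Supply/demand from the ad's leading verb (constructed convention).
BEHAVIOR = {"sell": "supply", "offer": "supply", "buy": "demand", "want": "demand"}

# Constructed IP-range table standing in for the ChunZhen ip2location database.
IP_RANGES = [(ip_network("10.1.0.0/16"), "Guangdong", "Shenzhen"),
             (ip_network("10.2.0.0/16"), "Jiangsu", "Suzhou")]


def lookup_region(ip):
    """Return (province, city) for an address, or unknown if no range matches."""
    addr = ip_address(ip)
    for net, province, city in IP_RANGES:
        if addr in net:
            return province, city
    return "unknown", "unknown"


def normalize(text):
    """Case-fold and collapse whitespace so near-identical reposts hash equal."""
    return re.sub(r"\s+", " ", text.strip().lower())


def tag(text):
    """Return (sorted list of matched value chains, supply/demand behavior)."""
    t = normalize(text)
    chains = sorted({chain for word, chain in JARGON.items() if word in t})
    verb = t.split(" ", 1)[0]
    return chains, BEHAVIOR.get(verb, "unknown")


def load(posts):
    """Insert posts, dropping verbatim duplicates by content hash; return the db."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE post (hash TEXT PRIMARY KEY, source TEXT, month TEXT, "
               "ip TEXT, province TEXT, city TEXT, chain TEXT, behavior TEXT, body TEXT)")
    for source, month, ip, body in posts:
        digest = hashlib.sha256(normalize(body).encode()).hexdigest()
        chains, behavior = tag(body)
        province, city = lookup_region(ip)
        db.execute("INSERT OR IGNORE INTO post VALUES (?,?,?,?,?,?,?,?,?)",
                   (digest, source, month, ip, province, city,
                    ",".join(chains) or "untagged", behavior, body))
    db.commit()
    return db


def summary(db):
    """Counts per (month, value chain, behavior), the basis of the trend analysis."""
    rows = db.execute("SELECT month, chain, behavior, COUNT(*) FROM post "
                      "GROUP BY month, chain, behavior").fetchall()
    return {(m, c, b): n for m, c, b, n in rows}


# Constructed sample records: (source, month, poster IP, ad text).
POSTS = [
    ("baidu", "2012-03", "10.1.2.3", "sell xinfeng in bulk, fresh daily"),
    ("baidu", "2012-03", "10.1.2.3", "Sell xinfeng in bulk,  fresh daily"),  # repost
    ("qq",    "2012-04", "10.2.9.9", "buy xixin service, pay per batch"),
    ("qq",    "2012-04", "10.2.9.9", "offer miansha for any ma, shoutu too"),
    ("baidu", "2012-05", "10.3.0.1", "want ddos test, pay in advance"),
    ("qq",    "2012-05", "10.1.7.7", "hello everyone"),
]

if __name__ == "__main__":
    for key, count in sorted(summary(load(POSTS)).items()):
        print(key, count)
```

Substring matching on jargon is deliberately loose, as in the authors' keyword searches; on real data the untagged bucket is the place to look for new slang before adding it to the map.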

4.2 Statistical Analysis of the Online Underground Economy

Based on the preceding structural analysis of the Chinese online underground economy, we conducted a statistical analysis of the four underground value chains and estimated the overall damage of these industries and the threat they pose to the Chinese population. The results are summarized in Table 1 and discussed further below.


Table 1 An Incomplete Estimate of the Overall Damage from the Online Underground Economy in China (2011)

Value chain                    Major profit approach               Threatened population (millions)   Population damaged (millions)   Estimated damage (USD million)
Real Assets Theft              Online banking theft and fraud      38.8                               0.06                            67
                               3rd-party payment theft and fraud                                      0.48                            262
Virtual Assets Theft           Game virtual assets theft           38.4                               3.84                            225
Resources and Services Abuse   Compromised hosts abuse             8.9                                8.9                             71
                               Infected mobile phone abuse         24.71 (1)                          49.42 (incidents)               157
                               Hacked website abuse                1.1 (websites)                     2.1 (incidents)                 70
Total                                                              110.8 (people), 1.1 (websites)                                     852

(1) The security reports only provide monthly statistical data; for a conservative estimate, we halve the cumulative figure to obtain the annual figure.

4.2.1 Statistical Analysis of Real Assets Theft Value Chain

The real assets theft value chain poses a common threat to Internet users. According to the 2011 CNNIC report, 8 percent of Chinese Internet users encountered online shopping fraud or theft (i.e., 1 in every 12 Internet users in China). This gives an estimated threatened population of 38.8 million [CNNIC 2011]. The security threats to online shopping and payment include phishing, online fraud, and account theft. A report published by Qihoo 360 and the online payment website YeePay [360 2012a] shows that these three threats constitute 89 percent, 8 percent and 3 percent, respectively, of all the damage to YeePay's users. Phishing clearly presents a much larger threat than either online shopping fraud or theft, at almost 90 percent of all threats to YeePay's users. According to the 2011 annual report published by the Anti-Phishing Alliance of China (APAC) [APAC 2011], APAC eradicated 40,219 phishing sites in 2011. We performed a statistical analysis based on the data in APAC's monthly reports; Figure 8 shows the distribution of target industries for phishing sites. Third-party payment and banking/stock-market ranked the highest, together accounting for over 90 percent of all target industries. The top ten companies targeted by phishing sites are listed in Table 2. Taobao occupies the top position, accounting for 66.81 percent of all phishing site targets, which is consistent with its dominance of the online shopping market. In addition, due to the well-known Special 6+1 Lottery, CCTV has become a frequent target of bait phishing sites. In early 2011 and during the Spring Festival, CCTV was the second largest target at 13.56 percent. In the banking and stock industry, ICBC was the largest target at 4.69 percent. Like Taobao in the third-party payment industry, ICBC is probably a target because it has the largest share of the online banking market.


Figure 8 Distribution of Target Industry Phishing Sites Eradicated by APAC in 2011

The annual reports of leading Chinese endpoint security vendors also show the overwhelming phishing threat as compared to other threats, from the Internet users' point of view. Qihoo 360 intercepted over 500,000 phishing sites (domain count) in 2011, an increase of 259% over the number of sites intercepted in 2010 [360 2012b]. Rising Anti-Virus Software intercepted about 4.8 million phishing pages (URL count), a 174% increase over the number of pages intercepted in 2010 [Rising 2012]. Comparing the number of phishing sites intercepted by endpoint security vendors (over 500,000) with the number of phishing sites eradicated by APAC (approximately 40,000), we find that only a small proportion of phishing sites have been effectively eradicated, mainly because of the short lifespan of phishing sites (they typically use foreign domains and server hosting, which leads to high costs and other difficulties and thus to a short lifespan). From January to November 2011, Qihoo 360 monitored phishing websites specifically targeting the online shopping and payment industry, intercepting a total of 253,188 phishing sites as well as 573 million visits to them. These sites accounted for over half of all phishing sites intercepted by Qihoo 360 during that period [360 2012a].
Table 2 APAC's 2011 Top Ten Companies Targeted by Phishing Sites

Rank   Targeted company        Number of phishing sites   Percentage
1      Taobao                  26871                      66.81%
2      CCTV                    5455                       13.56%
3      Tencent                 2816                       7.00%
4      ICBC                    1887                       4.69%
5      BOC                     626                        1.56%
6      Net Ease                251                        0.62%
7      Sina                    248                        0.62%
8      China Merchants Bank    177                        0.44%
9      Yahoo                   154                        0.38%
10     ShengDa                 152                        0.38%
       Other                   1583                       3.94%


As ICBC is the largest bank in China with more than 100 million online banking customers, we use the damage from theft of ICBC online banking accounts to estimate the overall damage of the online banking theft value chain. As of late December 2006, nearly 500 victims had registered, using authentic names, at the website for ICBC online banking victim compensation. They reported losses of up to 3.5 million RMB, with an average per capita loss of nearly 7,000 RMB [ICBC victim 2006]. In late 2006 the number of ICBC online banking customers was 23.25 million [ICBC data 2007], and we estimate that about 10 percent of the victims who suffered account theft or fraud registered at the victim compensation website; thus nearly 5,000 customers encountered online banking theft. This accounts for about 2.1 ten-thousandths of ICBC's online banking customers, with total losses estimated at 35 million RMB. As of late March 2011, the number of ICBC online banking customers had increased to 102 million [ICBC data 2011]. Thus, if the threat-versus-defense level of 2006 remained unchanged, the estimated overall damage of the real assets theft value chain in 2011 involving ICBC alone reached 153 million RMB. Considering that ICBC has 36.4 percent of China's online banking market share [iResearch 2011], we can extrapolate the damage of real assets theft to ICBC's customers to the total population of online banking users: a total loss of 420 million RMB (67 million USD) affecting approximately 60,000 victims. This is a conservative estimate, as the Ministry of Public Security (MPS) uncovered more than 24,000 cases of real assets theft in 2011 during a special mission to combat bank card crime. This crime-fighting mission purportedly prevented economic losses of over 400 million RMB [gov.cn 2011]; from this we can deduce that the online banking theft and fraud value chain could potentially have caused losses of several hundred million to 1 billion RMB.
In addition to online banking accounts being at risk of theft, third-party payment accounts may also be subject to the threat of real assets theft. YeePay received 169 user complaints about account theft from January to October 2011 [360 2012a]. YeePay has about 42 million registered users with a daily turnover exceeding 200 million [Payment Market 2012a]. Assuming that the user complaint rate is 10 percent, the number of users who encountered account theft in 2011 can be estimated at about 2,000. This constitutes 4.8 ten-thousandths of users, which is consistent with industry survey data. As of December 2011, third-party payment accounts exceeded 1 billion [Payment Market 2012b]. Our estimate therefore shows that account theft has occurred with more than 480,000 accounts. In addition, according to Kingsoft's security report on online shopping, the average loss per victim is 3,437 RMB (approximately 500 USD) [Kingsoft 2011]. Based on these estimates, we deduce that third-party payment account theft in 2011 caused direct economic losses of about 1.65 billion RMB (262 million USD), which accounts for 7.6 ten-thousandths of the total third-party payment market of 2.16 trillion RMB [Yiguan 2011].
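The online banking extrapolation above is a short chain of proportional scaling whose result depends almost entirely on one unmeasured assumption, the share of victims who registered at the compensation site. The following Python model is an added example, not the authors' code: it carries the ICBC figures quoted in the text through the same steps as parameters and reports how the market-wide figure moves when that assumption changes. The exchange rate of 6.3 RMB per USD is an assumption inferred from the text's own conversion of 420 million RMB to 67 million USD.

```python
"""Extrapolation of online banking theft damage, in the manner of Section 4.2.1.

Added example, not the paper's code. Inputs are the ICBC figures quoted in
the text; the 10 percent registration rate is the paper's assumption, and
RMB_PER_USD is an assumption inferred from the paper's own conversion.
"""
from dataclasses import dataclass, replace

RMB_PER_USD = 6.3  # assumed exchange rate, see module docstring


@dataclass(frozen=True)
class BankTheftInputs:
    registered_victims: int       # victims registered at the compensation site
    registered_losses_rmb: float  # total losses those victims reported
    customers_then: float         # the bank's online banking customers at that time
    customers_now: float          # the bank's online banking customers in the estimate year
    market_share: float           # the bank's share of the online banking market
    registration_rate: float      # assumed share of all victims who registered


def estimate(inp: BankTheftInputs):
    """Return (market-wide victims, market-wide damage in RMB)."""
    victims_then = inp.registered_victims / inp.registration_rate
    avg_loss_rmb = inp.registered_losses_rmb / inp.registered_victims
    theft_rate = victims_then / inp.customers_then       # victims per customer
    bank_victims_now = theft_rate * inp.customers_now    # same threat/defence level assumed
    bank_damage_now = bank_victims_now * avg_loss_rmb
    # Scale one bank's figure to the whole market by its market share.
    return bank_victims_now / inp.market_share, bank_damage_now / inp.market_share


def to_usd(rmb: float) -> float:
    return rmb / RMB_PER_USD


def sensitivity(inp: BankTheftInputs, rates):
    """Market-wide damage (RMB) under alternative registration-rate assumptions.

    The estimate is inversely proportional to the registration rate, so this
    single assumption moves the final figure more than any measured input.
    """
    return {r: estimate(replace(inp, registration_rate=r))[1] for r in rates}


# Figures quoted in the text for ICBC (2006 victim site, 2011 customer count).
ICBC = BankTheftInputs(registered_victims=500, registered_losses_rmb=3.5e6,
                       customers_then=23.25e6, customers_now=102e6,
                       market_share=0.364, registration_rate=0.10)

if __name__ == "__main__":
    victims, damage = estimate(ICBC)
    print(f"victims ~ {victims:,.0f}, damage ~ {damage / 1e6:,.0f} million RMB "
          f"({to_usd(damage) / 1e6:,.0f} million USD)")
    for rate, dmg in sensitivity(ICBC, (0.05, 0.10, 0.20)).items():
        print(f"registration rate {rate:.0%}: {dmg / 1e6:,.0f} million RMB")
```

With the paper's inputs the model returns roughly 60,000 victims and 420 million RMB; halving the assumed registration rate doubles both, which is why the text treats the figure as a conservative lower bound rather than a measurement.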


4.2.2 Statistical Analysis of Network Virtual Assets Theft Value Chain

Online games are one of the most popular applications on the Chinese Internet. In late 2011, the number of PC online game users (the largest user base) reached 120 million, while the market size grew to 44.6 billion [Online Game 2011]. Tencent, Netease, and SNDA, the three most popular companies, have market shares of 35.4%, 13.9%, and 11%, respectively [iResearch 2011b]. Almost all of the major vendors introduce virtual currency into their online games, sell the currency to gamers for real currency, and allow gamers to obtain virtual currency while playing the game. Gamers can use virtual currency to pay for games or to buy game props and equipment; vendors typically support virtual currency and equipment transactions between players within the game. The ability to purchase online games and equipment gives virtual currency real value. Chinese law, however, is not defined clearly enough to protect virtual assets as it protects real assets, making virtual assets an easy target for fraud and theft. The three major security threats in the online game industry are phishing scams, stealing Trojans, and general deception through social engineering attacks. In 2011 they accounted for 53%, 38%, and 9% of all security threats to the online game industry, respectively [360 2011]. In the first half of 2011, Qihoo 360 detected over 30,000 phishing websites targeting online games, overtaking the traditional thieving Trojans as the most dangerous of all threats to online gaming security. APAC's 2011 report cites Tencent, Netease, and SNDA as the main targets of phishing websites, accounting for 7%, 0.62%, and 0.62% of all targets, respectively [APAC 2011]. Qihoo 360 monitored about 79 million thieving Trojans targeting online games, a decrease of 19.8 percent compared to the same period of the previous year. The decline of the traditional Trojan theft threat is notable and leaves room for speculation about up-and-coming threats.
A survey conducted by Tencent QQ polling 2,000 Internet users revealed that 32 percent of those polled encountered online game account theft during the second half of 2011 [QQ 2012]. If we conservatively estimate that 10% of those who encountered account theft actually suffered economic losses, and take the average loss to be the average annual spend on online games, 371 RMB (about 57 USD) [iResearch 2011b], we estimate that 3.84 million players suffered losses in 2011, causing direct economic losses of 1.42 billion RMB (225 million USD). This constitutes 3.18 percent of the 2011 online game market.

4.2.3 Statistical Analysis of Internet Resources and Services Abuse Value Chain

The profit models in the Internet resources and services abuse value chain are even more diverse, rendering it more difficult to estimate the overall market damage quantitatively. Thus, in our analysis we only consider the three most important resource types: compromised hosts, infected smart phones, and hacked website servers.


According to CNCERT/CC's 2011 annual report [CNCERT/CC 2012], during the course of the year CNCERT/CC monitored nearly 8.9 million compromised hosts controlled by botnets or Trojans. Assuming that each compromised host brings losses of at least 50 RMB via the various profit models (including spam, click fraud, PPI fraud, DDoS and blackmail, various types of online service abuse, theft of private information, etc.), a conservative estimate of the total contribution of compromised hosts to the online underground economy amounts to 445 million RMB. According to the monitoring of leading Chinese mobile phone security vendors, including Kingsoft [Kingsoft 2012], Qihoo 360 [360 2012b], and NetQin [NetQin 2012], throughout 2011 smart phones were infected 49.42 million times. Assuming that each infection brings losses of at least 20 RMB (via malicious charging, PPI fraud, sending SMS/MMS, theft of private information, etc.), a conservative estimate of the total contribution of malicious code on smart phones to the online underground economy is 990 million RMB. Also in 2011, KnownSec monitored more than 5.5 million Chinese websites and found 57,000 drive-by-download attacks and 2.059 million hidden-link attacks (these are cumulative sums of KnownSec's monthly figures) [KnownSec 2012]. Assuming that each drive-by-download attack brings losses of 500 RMB, and each hidden-link attack brings losses of 200 RMB through blackhat search engine optimization (SEO), we estimate that hacked website resource abuse contributes profits of 440 million RMB to the online underground economy. Since our estimate uses only the three most important resource types, the picture of the total market damage is still incomplete. Even so, in 2011 the overall market damage brought by the Internet resources and services abuse value chain reached 1,875 million RMB (298 million USD).
4.2.4 Statistical Analysis of the Blackhat Techniques, Tools, and Training Value chain

The blackhat techniques, tools, and training value chain does not directly bring market damage to Internet users. However, it is the foundation of the other three underground value chains: it provides the techniques, tools, and services they require in order to profit, and receives a return from the downstream chains. Due to the secret nature of the blackhat business (for example, 0day vulnerabilities are probably sold at very high prices, yet they are traded in highly secret and well-secured marketplaces), we are not aware of any methodology for estimating the damage attributable to this value chain. We also lack the data sources needed for a quantitative estimate, even a rough one.

4.2.5 Summarized Statistical Analysis of the Online Underground Economy

Utilizing the aforementioned conservative estimates, we believe that the current overall damage caused by the Chinese online underground economy of information security exceeds 5.36 billion RMB (852 million USD). Even when taking into account the full range of protections security vendors provide to Internet users, the online underground economy still threatens more than 110.8 million Internet users today, which accounts for 21.6% of the total 513 million Chinese Internet users [CNNIC 2012]. In addition, the online underground economy jeopardizes 1.1 million websites, which constitute 20% of all monitored Chinese websites [KnownSec 2012]. Taking into account the upstream phases of the three estimated chains, the feedback to the blackhat techniques, tools, and training value chain, as well as the profit chain of service fraud that employs a large number of participants, we estimate that the overall market size of the Chinese online underground economy of information security is greater than ten billion RMB, equivalent to a year's revenue of one of the largest Internet companies in China, such as Baidu or the Alibaba Group.

4.3 Empirical Analysis of Underground Markets


4.3.1 Measurement Datasets of the Underground Markets

As of March 15, 2012, we had trawled nearly 1.1 million posts from the 129 post bars dedicated to underground markets on Baidu Post Bar. Each post record includes the posting time, title, content, thread id, sequence in the thread, author's nickname, author's member id (for registered users), and author's C-class IP range (for anonymous users). After removing duplicate posts with identical titles and content, we built a dataset spanning 2004 to 2011 containing 753,806 posts and 255,544 threads for further empirical analysis.

For the underground markets built upon Tencent QQ chat groups, we used a dataset from March to May 2012 of 130 QQ chat groups dedicated to underground markets. We adopted a simple strategy for thread identification: within one QQ chat group, messages sent within intervals of less than five minutes were considered to belong to a single thread, and a message sent after an interval of more than five minutes was labeled as the first message of a new thread. We also removed duplicate messages with identical content sent from the same sender's QQ number within the same thread. After processing the QQ messages in this manner we obtained a dataset of 76,516 messages in 23,720 threads. Each record includes the timestamp, content, sender's nickname, sender's QQ number, thread id, and the sequence in the thread.

4.3.2 Market Behavior Analysis

During the measurement period from 2004 to 2011, we monitored 753,805 posts belonging to 255,544 threads in the underground markets built upon the Baidu Post Bar. After removing duplicates, each thread has an average of nearly three posts, and about 248,970 nicknames or IP C-class ranges participate in the markets. Figure 9 illustrates the annual statistics of the posts, threads, and participants; it reflects the development and trends of the Chinese online underground economy. From 2004 to 2005, the online underground economy was still in its infant stages of development, both in terms of the size of the community and the number of posts. However, from 2006 to 2008 the online underground economy expanded rapidly, with an annual average post growth rate reaching 184%; the peak rate of post growth was 352% in 2007. In February 2009, China's National People's Congress approved a criminal law amendment to combat cybercrime, while the police also successfully uncovered a number of cybercrime cases driven by the online underground economy. We believe these actions provided some deterrent to the online underground economy, as evidenced by the decline in posts. The effects of criminal law and police work on the underground market are depicted in Figure 9. Because the online underground economy plateaued from 2008 to 2009, growth in 2009 is not obvious; in fact, the number of threads decreased for the first time. From 2010 to 2011, however, the countermeasures against cybercrime by law enforcement agencies became less effective, and the online underground economy once again experienced rapid growth. In 2011, the number of participants involved in the underground markets reached 90,000, and the number of posts exceeded 320,000. These figures are almost double those of 2010 and are the highest in the dataset. If there continue to be no effective and long-term countermeasures, we expect the Chinese online underground economy of information security to sustain its rapid growth.

Figure 9 Annual Posts, Threads, and Participants in Underground Markets

By observing the monthly statistics of posts and threads shown in Figure 10, a clear annual cycle emerges: January and February exhibit low activity, which we infer to mean that participants in the online underground economy also observe (or are less active during) the Chinese New Year holiday. The peak period of activity spans from June to August and coincides with the education system's summer holiday. From this we infer that many Chinese students engage in online gaming and online shopping during the summer holiday, promoting Internet industries and, as a byproduct, also stimulating the online underground economy. In the Tencent QQ chat groups, we monitored 76,516 messages from 23,720 threads sent by 7,996 QQ id numbers in 130 QQ chat groups from March to May 2012.
Figure 10 Posts and Threads from Baidu Post Bar Underground Markets, by Month (monthly line chart, series: post and thread, January 2004 through 2011; figure image not reproduced in this text)

Figure 11 shows the daily statistics of the number of QQ messages, threads, and QQ id numbers we monitored. We find that QQ messages peak on the weekends, and threads and accounts have consistent and similar trends, reaching nearly 800 on March 16 and March 30 (both dates fall on the weekend).
Figure 11 Daily Messages, Threads, and User Accounts of Tencent QQ Underground Markets (daily line chart, series: message, thread and users, March 1 to May 31, 2012; figure image not reproduced in this text)


4.3.3 Market Participation Analysis

Participation and Trend Analysis

As shown in Figure 12, the Baidu Post Bar underground community also has a similar annual cycle and a growth trend, with an average annual growth rate of 144.74% and a maximum growth rate of 495% in 2006. Even in 2009, when the number of threads fell, the community grew at a rate of 47.7%. The trend reflects the holding power of the online underground economy: participants are continually motivated by the potential for high profits and so are incentivized to participate on a long-term basis. Thus any short-term law enforcement campaign will only deter participants from crime temporarily. During these campaigns participants still maintain communication and relationships, so that when law enforcement agencies relax enforcement after a given campaign, participants return to cybercrime activities.
Figure 12 Baidu Post Bar Underground Community Participation, by Month (monthly chart, series: registered participant and anonymous participant, January 2004 to December 2011; figure image not reproduced in this text)

Figure 13 Types of Participants in Baidu Post Bar Underground Markets, by Month (figure image not reproduced in this text)

By tracking the entry of each participant into the underground markets, we find interesting trends in participation type. New participants of any given month are those whose first appearance falls in that month; all others are old participants. Figure 13 shows that most participants are new to the Baidu Post Bar markets, especially during the huge growth period of 2010-2011. This rapid increase of new participants reflects the still infant stage of the online underground economy in China. It is also notable that in 2010 Baidu Post Bar changed its policy to forbid posting without a valid registered user account, causing a reduction in the number of anonymous participants. Old registered participants trend steadily upward after 2010, reaching 13,857 in 2011. These participants constitute the backbone of the underground markets and their illicit activity.

Participant Contact Information

In the underground markets, participants commonly use Tencent QQ as their main contact information. They often include their QQ numbers in the title, content, or nickname of their posts, asking interested parties to contact them through QQ. By parsing these out with regular expressions, we found that 420,230 posts in the dataset of 753,806 posts contain QQ numbers, accounting for 55.8% of all posts. 138,660 topic posts (the first post of a thread) contain QQ numbers, which represents 56.7% of all topic posts. Lastly, 151,903 participants released 144,964 distinct QQ numbers, which means 67.6% of participants have advertised a QQ number in the underground markets. This statistical data confirms our intuition that Tencent QQ is the contact method of choice for further communication between participants.
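The thread-segmentation and deduplication rule of 4.3.1 and the QQ-number extraction of this subsection, as an added example in Python (mine, not the paper's own code), run over a constructed chat log: the five-minute gap rule, the same-sender identical-content check within a thread, and the share of records and senders that advertise a QQ number. Assumed, not from the paper: the QQ-number pattern (5 to 11 digits), the record layout, and the sample messages.

```python
"""Added example: QQ chat dataset construction (4.3.1) and QQ-number
contact statistics (4.3.3). Not the paper's code; see assumptions below."""
from datetime import datetime, timedelta
import re

THREAD_GAP = timedelta(minutes=5)
# Assumed shape of an advertised QQ number: 5 to 11 digits that are not part
# of a longer digit string (the paper only says "regular expressions").
QQ_RE = re.compile(r"(?<!\d)\d{5,11}(?!\d)")


def segment_threads(messages):
    """Split one chat group's messages into threads (4.3.1).

    `messages` is an iterable of (timestamp, sender_qq, nickname, content).
    A gap of more than THREAD_GAP since the previous message starts a new
    thread; inside a thread a message whose (sender, content) pair was
    already kept is dropped as a duplicate. Returns a list of threads, each a
    list of record dicts with thread_id and seq (position in thread) set.
    """
    threads, current, seen, prev_ts = [], [], set(), None
    for ts, sender, nick, content in sorted(messages, key=lambda m: m[0]):
        if prev_ts is not None and ts - prev_ts > THREAD_GAP:
            threads.append(current)           # close the thread at the gap
            current, seen = [], set()
        prev_ts = ts
        if (sender, content) in seen:
            continue                          # duplicate within this thread
        seen.add((sender, content))
        current.append({
            "thread_id": len(threads), "seq": len(current), "timestamp": ts,
            "sender": sender, "nickname": nick, "content": content,
        })
    if current:
        threads.append(current)
    return threads


def build_dataset(log):
    """Flatten the segmented threads into the per-message record list."""
    return [rec for thread in segment_threads(log) for rec in thread]


def qq_contact_stats(records, fields=("content", "nickname")):
    """How many records, and how many distinct senders, advertise a QQ number
    in the given text fields (4.3.3). Returns plain counts."""
    with_qq, senders, advertisers, numbers = 0, set(), set(), set()
    for rec in records:
        senders.add(rec["sender"])
        found = {n for f in fields for n in QQ_RE.findall(rec[f])}
        if found:
            with_qq += 1
            advertisers.add(rec["sender"])
            numbers |= found
    return {
        "records": len(records), "records_with_qq": with_qq,
        "senders": len(senders), "advertisers": len(advertisers),
        "distinct_qq": len(numbers),
    }


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample log for one chat group (not real data; all QQ numbers
# are placeholders). The third line is an exact repost inside the same
# thread; the fifth repeats the first message but after a 16-minute gap.
SAMPLE_LOG = [
    (_t("2012-03-16 14:00"), "10001", "seller_a", "出信封 2元一个 联系 10001"),
    (_t("2012-03-16 14:02"), "10002", "buyer_b", "收肉鸡 QQ 10002"),
    (_t("2012-03-16 14:02"), "10002", "buyer_b", "收肉鸡 QQ 10002"),
    (_t("2012-03-16 14:04"), "10003", "lurker", "顶"),
    (_t("2012-03-16 14:20"), "10001", "seller_a", "出信封 2元一个 联系 10001"),
    (_t("2012-03-16 14:21"), "10004", "trainer", "收徒 联系 10004"),
]


if __name__ == "__main__":
    records = build_dataset(SAMPLE_LOG)
    for r in records:
        print(r["thread_id"], r["seq"], r["sender"], r["content"])
    print(qq_contact_stats(records))
```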
Geographical Distribution of Participants

Using the C-class IP range information recorded in every post by anonymous participants, we queried the ChunZhen ip2location library for the province, city, and specific address of each IP range, generating a geographical distribution of participants. Although some participants may use a proxy server or Virtual Private Network (VPN) to conceal their real Internet IP, and some location information from the library may be inaccurate, we find it valuable to record the approximate geographical distribution of the IP ranges involved in the underground markets. Our monitoring detected that only 2.79% of anonymous participants used foreign IP ranges to conceal themselves from tracing; thus we believe that before Chinese law enforcement authorities began closely monitoring the underground markets, the majority of anonymous participants simply posted from their real IP address, without any proxy or VPN. After 2009, when the law required participants to become registered members to post on Baidu Post Bar, this method of tracking IP ranges is no longer tenable, ironically enough, as we cannot obtain IP addresses and geographical locations for registered members.

Figure 14 shows the geographical distribution of the 86,337 distinct C-class IP ranges used by anonymous participants in the underground markets on Baidu Post Bar, by province. The top 10 provinces with the largest population of online underground economy participants are Guangdong, Shandong, Jiangsu, Zhejiang, Henan, Hebei, Beijing, Fujian, Liaoning, and Hubei. These are all either coastal provinces with prevalent Internet access and large economies, or slightly less economically developed central provinces with large populations. Anonymous participants also used 2,410 IP ranges located outside of China (including foreign countries, Taiwan, Hong Kong, and Macao), accounting for 2.79%. We believe the majority of these IP ranges are accessed via proxy or VPN to evade law enforcement agencies. We also found some participants in the underground markets who claimed that they were based outside of China and so had nothing to fear when launching cybercrime activities.

Figure 14 Geographical Distribution of Anonymous Participants in Underground Markets, by Province

Participant Behavioral Analysis

We performed further statistical clustering according to identification information in our datasets, including nickname, IP range, and QQ number. Our goal was to analyze participants' behavior, including characteristics such as initial presence, latest presence, duration of active lifetime, number of posts/messages, number of involved threads, and number of involved post bars/QQ chat groups. With this data we conducted behavioral analysis of different types of participants in different underground markets in order to map various characteristics of the online underground economy.


Figure 15 (a) CDF of active lifetime, by participants (top left); (b) CDF of the number of post bars/QQ chat groups, by participants (top right); (c) CDF of the number of posts/messages, by participants (bottom left); (d) CDF of the number of threads, by participants (bottom right)

Figure 15(a) shows the cumulative distribution function (CDF) curves of different participants' active lifetimes. We find that more than 50% of participants on Baidu Post Bar have an active lifetime of less than 0.01 hours, and 50.8% of all participants posted a single message, giving them an active lifetime of zero. 80% of participants have an active lifetime of less than 100 hours (4.2 days), which we categorize as a short active lifetime. On the other side of the spectrum are the nearly 15% of participants who have an active lifetime of over 1000 hours (41.7 days), which we define as a long active lifetime. This last group of participants has accumulated many trading relationships and reputations through their long-term activities; as such they constitute the backbone of the underground markets. The active lifetimes of registered participants and anonymous participants using Baidu Post Bar also vary widely. Nearly 30% of anonymous participants have a long active lifetime of over 1000 hours, while only 10% of registered participants have an active lifetime that long. We hypothesize that this may be a result of frequent nickname changes by registered participants, because they can easily change account names to avoid being tracked by the authorities, whereas anonymous participants cannot change their Internet IP addresses easily and would not be able to take advantage of this strategy. In the month-long dataset from QQ chat groups, nearly 40% of participants have a short active lifetime of less than 0.01 hours. In this dataset the CDF slope clearly changes around 12 hours of active lifetime, where it begins to increase exponentially; this may reflect the maximum number of work hours in a day. Before the change in slope, the QQ percentage of participants is about 10-15% less than that for the Baidu Post Bar. We believe this reflects the advantage of instant messaging software in protecting anonymity, which enhances the activity level in the underground markets. After the change in slope, the CDF curve rises rapidly, mostly due to the short monitoring period of only three months (about 2,000 hours).

The distributions of the number of post bars/QQ chat groups in which participants are involved are shown in Figure 15(b). Here we find that more than 85% of Baidu Post Bar participants visited only one post bar, while the most active participant posted messages on 34 different post bars. More than 25% of IP ranges used by anonymous participants appeared in more than two post bars; for registered participants the percentage is less than 8%. Such a difference might not be a true variance between the populations; instead it could simply be the result of either several anonymous participants sharing the same C-class IP range or registered participants employing identity concealment strategies (i.e., messaging from more than one user account or frequently changing their nicknames). In the QQ underground chat groups, 90% of participants appeared in only one monitored chat group; however, this may be related to the limited scope of our monitoring of these groups.

The CDFs of participants' posts and threads are shown in Figure 15(c) and Figure 15(d), respectively. Participants in QQ chat groups seem to be more active than participants on Baidu Post Bar. Before the change in slope that occurs around 16 messages, the CDF for QQ chat groups is 10-15% below the Baidu CDF. Once again this is evidence that the use of IM software enhances the activity level of underground markets. In terms of the number of threads in which participants are involved, there is no significant difference between participants on Baidu Post Bar and in QQ chat groups. Roughly 50% of participants were involved in one thread, while more than 90% of participants were involved in fewer than 8 threads. These distribution characteristics illustrate that the primary purpose of these underground markets is advertising, not communication. Participants seem to rely on QQ private messages for communication in order to protect their anonymity.


4.3.4 Market Business Analysis

Distribution of Goods and Services Behavior

To analyze the business distribution of the datasets, we labeled posts with tags for the illicit goods and services they concern. We also created labels for business behaviors, namely sale and want ads. Given the difficulty of parsing some ambiguous Chinese words, and the fact that multiple goods were sometimes advertised in a single post, labeling is a complicated semantic understanding and classification problem. Because ads usually use jargon to obscure the information from uninitiated readers, we did not use machine-learning methods to create the classifications. Instead we wrote SQL stored procedures based on our translations of jargon keywords and our understanding of colloquial Chinese. Using this system we were able to add tags that delineate types of goods and services as well as business behaviors. For less unique jargon keywords that may accidentally populate results with unrelated information, such as (jargon for material or banking information), we introduced exclusionary keywords (such as liaoxiang and baoliao; these are both commonly used words that share the same character as materials but have totally different meanings). We also introduced more unique search terms containing the former keyword, such as and , to recover improperly excluded data and thus achieve more precision. Business behaviors and country of origin (domestic versus foreign) were also tagged using the same strategy.

After tagging posts with these classifications on the Baidu Post Bar dataset, we discovered 369,476 distinct posts that were advertisements, accounting for about 49% of all posts. Among them, sale ads numbered 265,980 and want ads numbered 118,710, meaning that sale ads outnumbered want ads by more than two to one.
In the network virtual assets theft value chain, sale ads outnumbered want ads by more than four to one, mainly due to the popularity of QQ coin and envelope sale ads. The real assets theft value chain had fewer ads than the other three chains, perhaps because participants in this chain face a higher degree of risk due to the severity of the crime. In the QQ dataset, we found 11,424 ads among 76,516 messages, constituting 14.9% of all messages. The percentage of ads in the QQ dataset is much lower than in the Baidu dataset, further supporting our hypothesis that the instant messaging feature of QQ chat groups encourages interaction within the underground markets. In addition, the ratio of sale to want advertisements in the QQ dataset is higher than that in the Baidu dataset.
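The keyword-tagging rule described above, as an added example in Python (mine, not the paper's SQL stored procedures): a post is tagged when it contains a jargon keyword, dropped when the keyword only appears inside a common word with a different meaning, and recovered when a more specific term containing the keyword is present; sale/want behaviour is tagged the same way and summarized in the form of Table 3. Assumed, not from the paper: the characters 料, 料想 and 爆料 as the material keyword and its exclusions, the recovery terms, the ad verbs, and the constructed posts.

```python
"""Added example: three-layer keyword tagging (include / exclude / recover)
and sale-want summary for underground-market ads. Not the paper's code."""

# Goods tag -> (jargon keyword, exclusion words, recovery terms).
# The 料 family mirrors the paper's worked case (characters assumed);
# the other two rules are constructed for the sample.
GOODS_RULES = {
    "banking_material": ("料", ("料想", "爆料"), ("料主", "洗料", "银行料")),
    "envelope": ("信封", (), ()),
    "compromised_host": ("肉鸡", (), ()),
}
# Assumed business-behaviour markers: verbs that open sale and want ads.
SALE_MARKERS = ("出售", "出", "卖")
WANT_MARKERS = ("收", "求购", "收购")


def tag_goods(text):
    """Include on keyword; exclude the post if an exclusion word is present;
    re-include it if a more specific recovery term is present."""
    tags = set()
    for tag, (keyword, exclusions, recovery) in GOODS_RULES.items():
        included = keyword in text and not any(x in text for x in exclusions)
        recovered = any(r in text for r in recovery)
        if included or recovered:
            tags.add(tag)
    return tags


def tag_behaviour(text):
    """Sale and/or want, from the ad verbs; a post may carry both."""
    kinds = set()
    if any(m in text for m in SALE_MARKERS):
        kinds.add("sale")
    if any(m in text for m in WANT_MARKERS):
        kinds.add("want")
    return kinds


def tag_post(post):
    text = post["title"] + " " + post["content"]
    return {"goods": tag_goods(text), "behaviour": tag_behaviour(text)}


def summarize(posts):
    """Number of ads (posts with both a goods and a behaviour tag) and, per
    goods tag, sale/want counts and the sale-to-want ratio (None when there
    are no want ads), in the shape of the paper's Table 3 columns."""
    ads, by_goods = 0, {}
    for post in posts:
        t = tag_post(post)
        if t["goods"] and t["behaviour"]:
            ads += 1
        for g in t["goods"]:
            row = by_goods.setdefault(g, {"sale": 0, "want": 0})
            for b in t["behaviour"]:
                row[b] += 1
    for row in by_goods.values():
        row["ratio"] = round(row["sale"] / row["want"], 2) if row["want"] else None
    return {"ads": ads, "by_goods": by_goods}


# Constructed sample posts (not dataset records; the QQ number is a
# placeholder). Post 2 is an unrelated news post that only contains 爆料;
# post 3 contains 爆料 too but is recovered by 料主; post 6 contains 料想.
SAMPLE_POSTS = [
    {"title": "出售银行料", "content": "四六分成 联系 QQ 10001"},
    {"title": "今天爆料一个游戏活动", "content": "大家看看"},
    {"title": "爆料：料主出料", "content": "价格面议"},
    {"title": "收信封", "content": "1.5元 长期收"},
    {"title": "出肉鸡", "content": "0.2元 一只"},
    {"title": "料想不到的价格", "content": "收肉鸡"},
]


if __name__ == "__main__":
    for p in SAMPLE_POSTS:
        print(p["title"], tag_post(p))
    print(summarize(SAMPLE_POSTS))
```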


Table 3. Advertisements of the Four Value Chains in the Underground Markets

Value Chain | Sale Ads on Baidu | Want Ads on Baidu | Sale/Want Ratio Baidu | Sale Ads on QQ | Want Ads on QQ | Sale/Want Ratio QQ
Real Assets Theft | 31,980 | 17,270 | 1.85 | 1,481 | 86 | 17.22
Network Virtual Assets Theft | 121,191 | 29,105 | 4.16 | 2,087 | 128 | 16.3
Internet Resources and Service Abuse | 119,233 | 70,872 | 1.68 | 5,417 | 328 | 16.52
Blackhat Techniques, Tools, and Training | 61,183 | 44,781 | 1.37 | 3,898 | 217 | 17.96
Total (with duplicates) | 333,587 | 162,028 | 2.06 | 12,883 | 759 | 16.97
Total (duplicates deleted) | 265,980 | 118,710 | 2.24 | 10,816 | 608 | 17.79

Figure 16 shows the distribution of ads for goods and services from the processed Baidu Post Bar dataset for the four underground market value chains. In the real assets theft value chain, the most prevalent goods and services are banking information, banking info collection services, and POS fraud services, while for the network virtual assets theft value chain they are QQ coins, envelopes, and boxes. All of the goods in the latter chain had a sale to want ratio of more than three to one; this surplus reflects the demand situation for online games in China.

Figure 16 The Distribution of Goods and Services Advertisements in the Baidu Post Bar Underground Markets


The top three goods and services in the Internet resources and services abuse chain are compromised hosts, service abuse, and website traffic, respectively. A noteworthy point for this value chain is that website traffic want ads outnumber sale ads by about 47%, showing the inability of supply to meet demand for this specific type of resource. In the blackhat techniques, tools, and training value chain the most common goods and services are Trojans and attack tools, blackhat training, and blackhat services. In blackhat training, supply also falls short of demand, as want ads (i.e., seeking a master) outnumber sale ads (i.e., seeking an apprentice) by more than 54%. In addition, there are as many as 23,748 participants with these want ads, indicating that a large number of newbies want to learn and master blackhat techniques. These results suggest that the online underground economy will continue to maintain rapid growth with a constant infusion of new blood unless law enforcement agencies implement effective and persistent countermeasures.
Table 4. Foreign and Domestic Goods

Goods | Goods as a percentage of all advertisements | Domestic goods advertisements | Foreign goods advertisements
Banking Materials | 0.1% | 62.5% | 37.5%
Compromised Hosts | 0.3% | 72.5% | 27.5%
Controlled Servers | 2.1% | 58.5% | 41.5%
Website Traffic | 0.4% | 69.5% | 30.5%

Table 4 shows the domestic or foreign origin of popular goods in the dataset. Few advertisements were explicitly labeled domestic (nei) or foreign (wai), or with a specific country name: from 0.1% for banking materials to 2.1% for controlled servers. However, according to our observations, the majority of unlabeled advertisements relate to domestic goods and services. Even among explicitly labeled ads, domestic ads are more prevalent than international ads. These results support our hypothesis that the online underground economy in China is still a very internally oriented economy, unlike the Russian or Nigerian underground economies of information security, which are export-driven [Group-IB 2012] [Herley 2012].

Business Distribution of Participants

We also analyzed the distribution of roles in the online underground economy based on the types of ads posted by participants. We monitored 129,968 participants (52% of the total) who posted at least one advertisement. The business distribution among these participants is shown in Table 5. Because it is common for participants to be involved in more than one value chain, the sum of the percentages exceeds 100%. The role with the most participants is envelope washing man, with 29,916 participants, because this job does not involve blackhat techniques; thus it serves as a gateway role that brings new participants into the underground.

Table 5 Business Distribution of Participants in the Baidu Post Bar Underground Markets

Chain | Participants | Percentage | Major Role | Participants | Percentage
Real Assets Theft | 21,460 | 16.5% | material master | 14,524 | 11.1%
 | | | material washing man | 8,345 | 6.4%
 | | | Trojan buyout man | 20,486 | 15.8%
Network Virtual Assets Theft | 58,963 | 45.5% | envelope washing man | 29,916 | 23%
Internet Resources and Services Abuse | 67,003 | 51.6% | computer hacker | 16,078 | 12.4%
 | | | website hacker | 14,259 | 11%
Blackhat Techniques, Tools, and Training | 39,605 | 30.5% | Trojan author/agent | 18,945 | 14.6%
 | | | 0day trader | 421 | 0.3%
 | | | blackhat master | 8,140 | 6.3%
 | | | blackhat apprentice | 11,439 | 8.8%

Price Extraction and Analysis

Another aspect of our analysis concerned the five most popular and important types of goods: banking information, envelopes, compromised hosts, website traffic, and Trojans/tools. Although most advertised goods did not have a listed price, a small portion of posts did. We used common Chinese sentence patterns and regular expressions to extract price information from the ads, and then calculated the monthly average price for sales and purchases, leaving blank any month without price information. For banking information there is no specific pricing; rather, a revenue-sharing model is used to divide up the illegal profits. In the few ads that did mention the specific method of revenue sharing, the ratios used were typically an equal split or "you sixty and me forty [percent]". Sale and purchase prices for the other four goods are much more widely advertised, as shown in Figure 17. The common sale and purchase price of an envelope ranges from 1 to 3 RMB (about $0.2 to $0.5 USD), although low-price dumping occurred over a span of several months, with a sale price lower than 0.5 RMB (about $0.1 USD). Website traffic, on the other hand, is always undersupplied in the market: want ads outnumbered sale ads and were always labeled with a clear purchase price. In most cases the asking price was higher than the selling price of the same month, to attract attention and draw more business. Thus it is no surprise that purchase prices of website traffic are trending upward, climbing to 330 RMB (about $50 USD) per 10,000 IP visits by late 2011. Compromised host sale prices vary with the type of host for sale, but the average price lies between 0.1 and 0.5 RMB (about $0.01 to $0.10 USD); such low prices indicate an oversupply of compromised host resources in the online underground economy.
Lastly, looking at the market for Trojans/tools, the majority of the ads are posted by sellers rather than buyers, and average prices range between 100 and 1,000 RMB (about $15 to $150 USD). Typically, Trojan or virus program want ads seek a particular type of Trojan or virus, and in this case purchase prices are generally higher than sale prices. For example, in our measured dataset the highest purchase price was 2,000 RMB (about $300 USD). This tracking and analysis of prices for major goods and services sold in the underground markets can help the security community quantify the costs of certain attacks. For example, the cost of a DDoS attack with 1,000 compromised hosts in November 2011 was approximately 200 RMB (about $30 USD), using an average selling price of compromised hosts as low as 0.1 RMB (about $0.15 USD) and DDoS tools that averaged 100 RMB (about $15 USD). Quantifying attack costs in this way provides valuable reference information for deploying targeted security precautions.
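The price-extraction step described above, as an added example in Python (mine, not the paper's code) over constructed envelope ads: prices are pulled with regular expressions for a few Chinese ad phrasings, each ad is classed as a sale or a want ad from its verb, and monthly averages are computed separately for sale and purchase prices, with months lacking any price left as None (the paper leaves them blank). The phrasings, the ad verbs and the sample ads are my assumptions.

```python
"""Added example: price extraction and monthly sale/purchase averages for
one goods type, following 4.3.4. Not the paper's code; patterns assumed."""
import re

# Assumed Chinese price phrasings: "<n>元", "<n>块", "<n>RMB", or "价格 <n>".
PRICE_RE = re.compile(
    r"(\d+(?:\.\d+)?)\s*(?:元|块|RMB)|(?:价格|价)\s*[:：]?\s*(\d+(?:\.\d+)?)")
SALE_MARKERS = ("出售", "出", "卖")   # assumed verbs opening sale ads
WANT_MARKERS = ("收", "求购", "收购")  # assumed verbs opening want ads


def extract_price(text):
    """First price found in the ad text, or None when none is listed."""
    m = PRICE_RE.search(text)
    return float(m.group(1) or m.group(2)) if m else None


def classify(text):
    """'sale' or 'want' from the ad verb; None when absent or ambiguous."""
    is_sale = any(w in text for w in SALE_MARKERS)
    is_want = any(w in text for w in WANT_MARKERS)
    if is_sale == is_want:
        return None
    return "sale" if is_sale else "want"


def monthly_average(ads, months):
    """Average listed sale price and purchase (want) price per month.
    A month with no priced ad of that kind gets None."""
    prices = {m: {"sale": [], "want": []} for m in months}
    for ad in ads:
        kind, price = classify(ad["text"]), extract_price(ad["text"])
        if ad["month"] in prices and kind and price is not None:
            prices[ad["month"]][kind].append(price)
    return {
        m: {k: (round(sum(v) / len(v), 2) if v else None) for k, v in kinds.items()}
        for m, kinds in prices.items()
    }


# Constructed envelope ads (not dataset records; the QQ number is a
# placeholder). The July dumping ad and the unpriced ad are deliberate.
SAMPLE_ADS = [
    {"month": "2011-06", "text": "出售信封 2元一个 QQ 12345678"},
    {"month": "2011-06", "text": "出信封 3块 大量"},
    {"month": "2011-06", "text": "收信封 价格 1.5 长期"},
    {"month": "2011-07", "text": "出信封 0.4元 低价甩卖"},
    {"month": "2011-07", "text": "出售信封 无价格"},
    {"month": "2011-08", "text": "收信封 2.5块"},
]


if __name__ == "__main__":
    for month, row in monthly_average(SAMPLE_ADS, ["2011-06", "2011-07", "2011-08"]).items():
        print(month, row)
```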

Figure 17 The Distribution of Prices for Four Popular Goods in the Underground Markets

4.3.5 Cheating in the Underground

Apart from advertisements, there are many posts revealing fraudulent behavior by other participants in the underground markets, and a considerable number of advertisements also contain warnings against fraud. Though underground markets function as online exchange platforms for collaboration on cybercrimes, they still exhibit bad-faith transactions and criminals who try to cheat one another. Based on our understanding of the posts and advertisements that warn against fraud, we prepared an SQL stored procedure to tag all mentions of cheating activity. Using this method we found 9,651 participants who described incidents of cheating in 15,980 posts, accounting for 2.1% of all posts. 3.9% of participants publicly exposed another participant, suggesting that 1 in every 25 participants suffered serious cheating and revealed the offender. The number of advertisements containing warnings against fraud was 27,496, or 7.4% of all ads. These statistics verify the disorder and uncertainty present in the underground markets. Nonetheless, participants are still able to use other communication and payment channels, including QQ private messages and Alipay guaranteed payment, to follow up on deals advertised in the open on an underground market, so the online underground economy can continue operating. Due to the private nature of the follow-up on an initial post, we are unable to perform detailed measurement of the further phases of the online underground economy.

4.4 Correlation between Cybercrime Cases and Underground Market Activity

In order to verify the relationship between underground markets and cybercrime cases, we analyzed the correlation between cybercrime case information and our measured dataset of underground markets. We selected four typical cybercrime cases (analyzed in the structural analysis section above) and carefully investigated court profiles and media reports of these cases. From these sources we extracted specific information, such as the offenders' nicknames and QQ numbers as well as the names of the malicious code or tools developed or used in each case. Next, for every case we queried the underground markets dataset for posts matching this information, but only those dated before the public exposure date of the case in question. Using this method we uncovered posts mentioning the relevant goods and services, related posts, and traceable clues fitting the information collected from each case, thus identifying the historical trail of these four cybercrimes in the underground markets.

The correlation results are shown in Table 6 for the four investigated cases, all of which left clues in the markets. In the Topfox case, we found 98 posts in the dataset, prior to the public exposure date, all containing the nickname of the offender, Topfox. The first appearance of this nickname occurred in July 2005. We also found many sale ads for malicious programs the offender developed before his arrest, including Topfox Downloader, Password Extractor (also known as Password Stammer), and Fox King Virus, with the first appearance in January 2004. The dataset thus provides clear evidence of the offender's involvement in underground markets for at least four years before his arrest in 2008. A further exhaustive review of related posts in the dataset revealed some critical tracing clues, such as IP range, QQ number, and payment bank account, which would have been useful for law enforcement agencies to trace the offender or his accomplices, had they been actively investigating the underground in real time.
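The correlation query described above, as an added example in Python (mine, not the paper's code): posts are restricted to those dated before the case's public exposure date, each case identifier is matched against nickname, title and content, and the match count, first and latest appearance and the tracing clues (QQ numbers, C-class IP ranges of anonymous authors) are collected in the shape of Table 6. The identifiers are the Topfox case's from Table 6; the posts, the QQ number and the IP ranges are constructed placeholders, and the QQ-number pattern is assumed.

```python
"""Added example: correlating known case information with an underground
market post dataset (4.4). Not the paper's code; sample data constructed."""
from datetime import date
import re

QQ_RE = re.compile(r"(?<!\d)\d{5,11}(?!\d)")   # assumed QQ number shape


def correlate_case(posts, case):
    """For each case identifier, select posts dated before the case's public
    exposure whose nickname, title or content contains it, and report the
    match count, first and latest appearance, and the clues those posts
    carry (QQ numbers in the text, C-class IP ranges of anonymous authors).
    `case` is {"name", "exposure": date, "identifiers": [str, ...]}."""
    rows, clues = [], {"qq": set(), "ip_range": set()}
    for ident in case["identifiers"]:
        needle = ident.lower()
        matched = [
            p for p in posts
            if p["date"] < case["exposure"]                    # pre-exposure only
            and needle in " ".join((p["nickname"], p["title"], p["content"])).lower()
        ]
        dates = sorted(p["date"] for p in matched)
        rows.append({
            "identifier": ident, "matched": len(matched),
            "first": dates[0] if dates else None,
            "latest": dates[-1] if dates else None,
        })
        for p in matched:
            clues["qq"].update(QQ_RE.findall(p["title"] + " " + p["content"]))
            if p["ip_range"]:              # registered authors carry no IP range
                clues["ip_range"].add(p["ip_range"])
    return {"case": case["name"], "rows": rows, "clues": clues}


# Case identifiers taken from the paper's Table 6 (Topfox case). The posts
# below are constructed: the QQ number is a placeholder and the IP ranges are
# RFC 5737 documentation addresses, not values from the dataset.
TOPFOX_CASE = {
    "name": "Topfox", "exposure": date(2008, 4, 14),
    "identifiers": ["Topfox", "Topfox Downloader", "Password Extractor",
                    "Fox King Virus"],
}
SAMPLE_POSTS = [
    {"date": date(2005, 7, 8), "nickname": "Topfox", "ip_range": "192.0.2.0/24",
     "title": "Topfox Downloader 出售", "content": "联系 QQ 55555555"},
    {"date": date(2006, 3, 2), "nickname": "anon", "ip_range": "198.51.100.0/24",
     "title": "求 Topfox Downloader", "content": "有的联系"},
    {"date": date(2007, 11, 20), "nickname": "Topfox", "ip_range": None,
     "title": "Password Extractor 更新", "content": "QQ 55555555 支付宝担保"},
    {"date": date(2008, 5, 1), "nickname": "Topfox", "ip_range": None,
     "title": "Fox King Virus", "content": "posted after exposure; must be ignored"},
    {"date": date(2007, 1, 5), "nickname": "someone", "ip_range": "203.0.113.0/24",
     "title": "收信封", "content": "unrelated to the case"},
]


if __name__ == "__main__":
    result = correlate_case(SAMPLE_POSTS, TOPFOX_CASE)
    for row in result["rows"]:
        print(row)
    print(result["clues"])
```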


Table 6 Historical Evidence of Known Cybercrime Cases Found in Underground Markets

Case | Public exposure date | Case Information | Matched | First appearing | Latest appearing | Clues
Topfox | 2008-4-14 | Topfox | 98 | 2005-7-8 | 2008-2-26 | IP, QQ number, Bank account
 | | Topfox Downloader | 3 | 2006-11-11 | 2007-8-15 |
 | | Password Stammer | 290 | 2004-1-12 | 2008-4-1 |
 | | Password Extractor | 346 | 2004-2-26 | 2008-4-1 |
 | | Fox King Virus | 6 | 2005-6-30 | 2007-7-5 |
Panda burning incense | 2007-2-12 | 689565 | 1 | 2007-1-23 | 2007-1-23 | Whois website, IP
 | | www.krvkr.com | 155 | 2007-1-14 | 2007-2-10 |
 | | Wuhan Boy 2005 | 42 | 2004-12-22 | 2007-2-10 |
Swordsman DDoS | 2009-11-27 | Swordsman stress test | 6 | 2008-12-29 | 2009-9-24 | website, IP
Blandness Trojan | 2008-8-6 | Blandness horse | 128 | 2008-1-26 | 2008-8-3 | Website, QQ

Based on the above results, we have grounds to believe that monitoring underground markets can help to identify, track and prevent a portion of on-going cybercrime activities, and can also provide critical evidence for criminal investigations. Therefore, cybercrime emergency response teams and law enforcement agencies should continuously track and monitor the underground.


Discussion and Conclusion

In this paper, we carried out a comprehensive and in-depth investigation of the Chinese online underground economy. Through the measurement of underground markets, we were able to observe typical advertisements and communication behaviors, and present a detailed empirical analysis of the Chinese online underground economy. Participants in the online underground economy engage in illegal activities and violate laws while simultaneously attempting to remain undetected. Thus, underground markets are primarily for advertisement purposes, and further illicit activities including communication, bargaining, transaction and payment are most likely to occur via private messages and peer-to-peer transmission. Some high-tier aspects of the online underground economy, such as trading of 0day vulnerabilities, selling business intelligence, and Advanced Persistent Threat (APT) tasks, are likely to occur in even more hidden and secure communication channels between small groups with mutual trust. As researchers outside of law enforcement agencies, we have no other way to conduct a more comprehensive survey of the phases further down the transaction chain or of the high-tier aspects of the online underground economy. Although our estimate remains in many ways incomplete and conservative, we found that the Chinese online underground economy has developed a complicated and well-organized structure, with dozens of profit models deriving from four different value chains. We estimate the overall damage in 2011 to have exceeded 5.36 billion RMB (852 million USD), endangering 110.8 million Internet users and 1.1 million websites. Our measurement of the underground markets also found that online underground markets have experienced rapid growth, in both the number of posts and the number of participants: in 2011, there were at least 90,000 participants involved in the underground markets, posting more than 320,000 messages belonging to 80,000 threads.

This growth is a burgeoning trend not likely to diminish any time soon without intervention. Our long-term empirical analysis of the underground markets dataset reveals the structural and quantitative characteristics of the Chinese online underground economy of information security, including market behavior, participant distribution, market business, and fraudulent behavior. In addition, we correlated four typical cybercrime cases with activity in our underground markets dataset and found potential evidence to support the criminal cases. This analysis suggests that monitoring underground markets can play a significant supporting role in cybercrime countermeasures. Therefore, Chinese network security regulatory authorities and law enforcement agencies should build a more comprehensive monitoring system for the underground markets, and establish standard procedures for the investigation and digital forensics of suspected cybercriminals, within the scope of legal authorization.

They should also engage in more global collaboration with other countries and international organizations to respond effectively to transnational cybercrime cases. Effective legal countermeasures will contribute to the fight against cybercrime and deter participants in the online underground economy, thereby protecting the privacy and property of Chinese Internet users. Although monitoring of underground markets by law enforcement agencies may lead to more concealment in those markets, it will also weaken the activities of the online underground economy. Any monitoring of the online underground economy and any cybercrime countermeasures must be continuous and long-term to achieve the best effects. Lastly, a word on the gray value chains, such as network virtual assets theft, theft of private information, and Internet service abuse: they threaten Internet infrastructure and Internet users, yet they do not violate existing legal provisions in China. The priority of law enforcement agencies should be to establish legal protection of individuals' private information and network assets by means of legislation. In China, the Citizens' Personal Information Protection Law has been gaining support for six years, yet to this day it has not officially entered the legislative process. During the Two Sessions in 2012 (the annual meetings of the National People's Congress and the Chinese People's Political Consultative Congress), the law reemerged as a focus of social concern. In terms of protecting network virtual assets, some courts have cited the property features of network virtual assets to convict cybercriminals involved in network virtual assets theft. However, there is still no clearly defined legal protection for network virtual assets. The rapid growth of the Chinese online underground economy must be abated. Only under a framework of well-formed laws and regulations, more effective measurement and tracking techniques by law enforcement agencies, and a variety of threat protection measures from commercial security vendors, can the risks and hazards of cybercrime suffered by Chinese Internet users be reduced.


Acknowledgements
We thank Mao Jun of Beijing University of Posts and Telecommunications and Hou Leijie of Beijing Information Science & Technology University for their help measuring the underground markets. We also thank Prof. Stefan Savage, Dr. Jon Lindsay, Prof. Vern Paxson, and Dr. Nicholas C. Weaver for their suggestions and comments to help improve this paper. We also thank the following friends who provided help obtaining the threat reports (in alphabetical order of company name and Chinese surnames): Li Baisong and Xiao Xinguang of Antiy laboratory; Li Tiejun and Wang Haitang of Kingsoft; Wang Yu and Zhao Wu of Qihoo 360; Zou Shihong of Net Qin; and Yang Jilong and Zhao Wei of KnownSec. This work is partially supported by the National Natural Science Foundation Project (61003127), and the University of California Institute of Global Conflict and Cooperation. The views and conclusions of this paper are those of the authors only, and should not be interpreted as representing official policies or sponsor endorsements.



The Institute on Global Conflict and Cooperation (IGCC)


Since 1983, the University of California Institute on Global Conflict and Cooperation (IGCC) has generated innovative research into the causes of international conflict and cooperation. As a research unit serving the entire UC system, IGCC can build project teams from any of the ten UC campuses and the Lawrence Livermore and Los Alamos National Laboratories. Founded by nuclear physicist Herbert F. York, IGCC's original emphasis on security and nuclear nonproliferation remains at its core, but its agenda has broadened with time. Today, IGCC researchers study a wide range of topics involving the security, environmental, and economic policies that shape our ability to prevent conflict and promote cooperation. Under the leadership of director Tai Ming Cheung, IGCC's work in its core areas is balanced by the recognition that evolving threats to global stability require exploration of nontraditional connections between and across disciplines and institutions. Projects in newly emerging fields such as cybersecurity, global health diplomacy, and infrastructure resiliency complement projects with a more traditional security focus. IGCC is committed to educating the next generation of international problem-solvers and peacemakers through its research and teaching activities. The institute has provided more than 470 fellowships to UC graduate students. More information can be found at www.igcc.ucsd.edu.

IGCC's Project on the Study of Innovation and Technology in China (SITC)

Under the leadership of Tai Ming Cheung, the Project on the Study of Innovation and Technology in China (SITC) examines China's drive to become a world-class defense and dual-use technological and industrial power and the security and economic implications of this transformation for U.S. national security. The overarching aims of this project are two-fold: 1) it will provide rigorous analysis and new data on the vital but neglected issue of the nature and trajectory of China's military technological rise; and 2) it will cultivate a new generation of scholars and policy analysts knowledgeable on Chinese security and technology issues. This project is funded by a $9.6 million grant from the U.S. Defense Department's Minerva program. The primary goals of the five-year project are to: 1) conduct inter-disciplinary investigation into the dynamics of the evolution of the Chinese defense and dual-use science, technology and industrial (STI) bases; 2) locate this research within a broader functional and comparative framework that contrasts China's experience with that of other states; 3) address the national security implications of China's military and technological transformation for the U.S. and the international community; and 4) train a new generation of scholars and policy analysts and help develop the field of Chinese security and technology studies. IGCC will partner with the Hoover Institution at Stanford University and the Stockholm International Peace Research Institute in these endeavors. SITC comprises six research projects: 1) annual assessments of the reform and modernization of critical sectors in China's defense and dual-use STI base; 2) comparison of China's approach to technology development, defense industrialization and the forging of a dual-use base with that of peer competitors and latecomers; 3) analysis of the political economy of China's defense S&T and technological rise; 4) China's technological development and its implications for U.S. and international technology trade policies; 5) the nature of the structures, processes and leadership of the Chinese civilian and defense S&T systems; and 6) historical influences on contemporary Chinese grand strategic thinking on S&T. A relational database project supports quantitative and network analysis of data from these projects. Output includes annual reviews of the Chinese defense STI base, edited volumes, journal articles, working papers, and online briefings. SITC provides internships and fellowships for graduate students and postdoctoral researchers to participate in these projects and encourages them to focus on Chinese security and technology issues in their future careers. SITC also conducts briefings on Chinese science and technology issues for policy and defense audiences and organizes a two-week Summer Training Workshop on the Relationship between National Security and Technology in China. More information can be found at www.igcc.ucsd.edu/SITC.
