DDoS Attacks for Hire: How the Gambling Crave Fuels Cybercrime in China

ddos-attack-Banner-DDos_1920x960-1024x512

The Forbidden Fruit – Gambling in China

Many card and board games are believed to have originated in Ancient China. Some of these games involved betting and gambling and they have been an inherent part of the Chinese leisure culture for centuries.

This changed when the Communist Party seized power in 1949, declaring gambling a “corrupt, feudal practice” and hence strictly banned by law.

When the Reform and Opening-up policy was introduced in China in the late 1970’s and early 1980’s, the authorities have somewhat released their strong grip on gambling and card games. Gaming and carding parlors (known in Chinese as 棋牌室, literally meaning “chess and card rooms”) sprang up in every street corner and card games and private betting among groups of friends thrived. Despite this, gambling remained illegal outside the two national lotteries (the China Sports Lottery and the China Welfare Lottery) and these establishments were far from satisfying the crave.

What do you do when your Favorite Pastime is Forbidden by Law?

Travel to Casino Hubs Abroad

A partial solution was found overseas. Chinese gamblers have flocked to casinos around the globe and went to neighboring Hong Kong to participate in horse race betting. And then there was Macau – with the help of the Chinese government, the former Portuguese colony just across the border from Guangdong Province has become the world’s largest casino center, surpassing Las Vegas since 2006.

Another casino hub attracting hordes of Chinese gamblers in recent years is the Philippines, where the hosting and entertainment industry, catering to the needs of the Chinese, was booming until the outburst of Covid-19 pandemic. This is manifested in job openings in the Philippines for Chinese nationals, many of which re published in dubious online platforms, such as QQ and Telegram groups dedicated to gambling and fraud as well as in Chinese-language underground forums. Another negative side to this craze is gambling-related crime, which has escalated in the Philippines over the past years.

However, traveling abroad is not accessible to everyone in China with a crave for gambling and even those who do travel, cannot always travel as often as they’d want to. There was a market rip for solutions, and with travel restrictions following the outburst of Covid-19 pandemic, this market’s potential grew even larger.

From Casino Hubs to Online Gambling Arenas

they satisfied the Chinese gambling community for about a decade. Since then, China has outlawed online gambling as well and the active websites are also situated offshore, on servers located outside the country.

These online casinos, gaming websites and gambling arenas cause a big headache to the Chinese Communist Party. If a decade ago the authorities have largely turned a blind eye to this phenomenon, nowadays, with the clear aim to promote a “civilized, harmonious society”, China sees it as a challenge and tries to fight these online platforms. Of course, these moral considerations, important as they may be, are dwarfed by the financial problem, as online gambling is draining hundreds of millions of yuan out of the country. Yet China is finding it hard to stop websites that are registered and operated abroad, especially when the hosting counties, such as the Philippines, are not so keen on cooperating.

Enter Cybercrime

The size of the market is a huge business incentive, creating more and more actors and fierce competition. These online casinos use various methods in order to lure more gamblers onto their websites. One of these methods, is fraud. For example, one of the common frauds that takes place is when fake gambling websites pretend to be official sites of famous casinos in Macau.

But competition does not stop there. In order to gain bigger chunks of online traffic, gambling websites fight and attack one another, and their weapon is – ironically – online traffic.

chinese-gambling-website-1024x519

Chinese Gambling Website Posing as Macao’s Venetian Official Online Casino

The DDoS Fighting Ring

Chinese hackers are more than eager to lend a helping hand. As most state-sponsored cyber activities handled by patriotic hacking groups from the early 1990’s until about a decade ago, are now under the wings of the Chinese intelligence apparatus, many idle hackers have turned into cybercrime, looking for easy profit. This type of cybercrime is mostly directed inbounds.

One of the ways in which Chinese hackers are involved in the online gambling industry is by breaching online casinos and gaming websites, stealing their user data and selling it on Darknet marketplaces or offering it on designated QQ and Telegram groups.

gambling-site-database-leak

Sample from a Gambling Site Database Leak,
Offered for Sale on a Chinese Darknet Marketplace

Another way, which drives a whole underground sector of cybercrime in China, is by conducting DDoS attacks against competitors. These attacks take the gambling websites down and thus, hopefully, drive their customers to the gambling site that ordered the attack.

DDoS has also become a popular weapon for pornography websites and Darknet marketplaces, who launch DDoS attacks against each other. For example, China’s largest online marketplace on the Darknet, has experienced a large-scale DDoS attack during the summer, disrupting its activity for several weeks.

flashing-ads

Flashing Ads on a Chinese Hacking Forum, Offering Tailor-made DDoS Attacks,
among other Hacking Services

The DDoS Chain

The first step in a DDoS attack is to gain control of a large number of computers and other online devices and to turn them into bots, in order to divert huge traffic to the attacked website and thus shut it down. In Chinese hacking slang, these computers are named “broilers” or “meat chickens” (肉鸡). Members of Chinese underground hacking forums constantly offer tools for detecting these “broilers”, namely scanners that trace vulnerabilities in computers and servers. These tools allow the attacker to penetrate these vulnerable devices, implant trojans in them and hence control them remotely. The tools are referred to in Chinese as “Chicken Catchers” (抓鸡) and hackers who operate on those forums trade them between themselves.

broiler-detection

‘Broiler’ Detection Tool Offered on a Chinese Hacking Forum

In addition to buying tools to detect “broilers”, DDoS attackers can also buy these “broilers” directly, as these are sold in bulks on forums and designated QQ/Telegram groups. Based on the number of messages in forums and chat groups, of people requesting to buy “broilers”, it is quite clear they are in high demand.

The customers of the “broiler” market are in turn becoming the suppliers of DDoS attacks and offer their tailor-made services online. Whoever orders the attack can contact the attacker via private messaging, define the target and agree on a price according to the length of the attack and the nature of the attacked website. According to a report published by the Chinese tech firm Tencent, this is what the chain of custom-made DDoS attacks looks like:

DDOS-diagram-1024x595

The Offer: DDoS as-a-Service

The screenshot below, showing an offer posted on a prominent Chinese Darknet marketplace, can shed light on the how these DDoS as-a-service transactions are conducted. It also demonstrates what kind of websites are legitimate targets and which websites are off-limits, for fear of being prosecuted by the authorities. The post reads:

ddos-as-a-service

DDoS as-a-service Offer Posted on Chinese Darknet

Translation:

ddos-as-a-service-translation

Hunting Down Cybercriminals

Chinese law enforcement authorities are well aware of this problem and are relentlessly trying to crack down these cybercriminals and their activities. In late 2018, a man in his twenties from Suining County, Jiangsu Province, was arrested by local authorities, after discovering he had implanted a malicious code, which allowed him to remotely control a local server. During his investigation, he admitted to being part of a team of at least 20 hackers from all over the country that had used “broilers” in order to conduct DDoS attacks by demand.

The team had been involved in more than a hundred DDoS attacks, harming or controlling more than 200,000 websites and earning more than 10 million yuan along the way. Members of the team were arrested across China, yet this only emphasized the magnitude and popularity of the DDoS and DDoS as-a-Service markets, and the success of taking down this cybercriminal operation was merely a drop in the ocean.

Growing Awareness of the Darknet in China Following Huge Domestic Database Breaches

In recent weeks, we have identified a growing awareness on Chinese security blogs and mainstream media, to the existence of the Darknet, and the activities of Chinese users on its platforms. The focus is mostly on the sale of leaked data, mainly of Chinese citizens. One of these leaks pertained to the Huazhu hotel group, and was one of two major data breaches that occurred simultaneously in China, raising awareness to this issue. The second breach was the database of SF Express, a delivery service company based in Shenzhen, Guangdong Province. Continue reading “Growing Awareness of the Darknet in China Following Huge Domestic Database Breaches”

Cyber in Chinatown – Asian Hacktivists Act against Government Corruption

Social networks are well-known tools used by activists to mobilize the masses. As witnessed during the Arab Spring and in recent incidents in Hong Kong, government opposition groups can organize dissatisfied citizens by means of a massive campaign. More closed countries, such as North Korea or China try to limit access by their citizens to international social networks such as Twitter or Facebook. We have noticed an increasing tendency toward anti-government campaigns in Asian countries and the cyber arena plays an important role in this process. We have identified this kind of activity in China, Malaysia, Taiwan, Japan and North Korea. Local cyber hacktivist groups are calling for people to unite against infringements on freedom by violating privacy rights. Hacktivists are organizing anti-government groups and events on popular social media platforms and are posting tutorials on how to circumvent the blocking of certain websites and forums in countries where such Internet activity is forbidden. Furthermore, the groups are posting provocative materials and anti-government appeals in local Asian languages, alongside to English. Thus, we can see an attempt to recruit support from non-state activists for a national struggle.

Anonymous Japan and Anonymous North Korea Facebook Posts
Anonymous Japan and Anonymous North Korea Facebook Posts

These groups are eager to reach a large number of supporters, and not only for political and psychological purposes. Together with publishing tutorials for “safe browsing” in the Internet for large masses of people the groups translate popular cyber tools for mass attacks and they disseminate instructional manuals translated into local languages on how to use these tools.

Popular DDoS Tool in Japanese
Popular DDoS Tool in Japanese

One example of exactly such an organization is Anonymous Japan – an anti-government hacking group. The group develops and uses DDoS tools and is also involved in spam activity. Furthermore, members of the group develop their own tools and publish them on Facebook for wider audiences.

#OpJapan Attack Program
#OpJapan Attack Program

Amongst the large-scale campaigns launched by this organization, you can find #OpLeakageJp – an operation tracking radiation pollution in Japan.

TweetStorm post against the Nuclear Regulatory Commission in Japan
TweetStorm post against the Nuclear Regulatory Commission in Japan

In addition to internal struggles, hacktivist groups are operating against targets in the area. One such example is operations by hacktivism groups personifying themselves with North Korean insignia and targeting sources in South Korea. Examples of such cyber campaigns are #Opsouthkoreatarget and #OpNorthKorea.

#OpJapan Attack Program
#OpJapan Attack Program

In China, we found an example of the #OpChinaCW campaign. A cyber campaign hosted by Anonymous was launched on November 2, 2014 against Chinese government servers and websites. The campaign was organized on a Facebook event page and was further spread on Twitter.

#OpChinaCW Twitter Post
#OpChinaCW Twitter Post

Hacktivists have also published cyber tools for this campaign. See below an example of a DDoS tool sold on Facebook for only US$10.

DDoS Tool for Sale
DDoS Tool for Sale

As previously mentioned, cyber activity in the Asia region is directed not only against enemy states, but also against the “internal enemy” – the government. Hacktivism groups not only organize such campaigns on underground platforms, but they also make wide use of open popular social networks to recruit supporters. Moreover, they also develop their own cyber tools.

Chinese Hackers Leverage World-Cup Buzz

On May 14th we brought you a report regarding hacktivists threatening to wage cyber attacks against the Brazilian government and FIFA. This time, we are publishing yet another World-Cup-related post, but from a slightly different angle.

China, the world’s most populous country, is also the world’s leader in terms of number of cellphone users. The smartphone revolution did not skip China, and oh boy did it make an impact! Chinese people love their phones. No, Chinese people are obsessed with their phones might be a more precise choice of words.

As you probably know, Chinese cities are not small (quite an understatement!), and commute time has to be killed somehow. That’s why riding the subway in China, except for being overwhelmingly crowded at times, is also just the perfect timing for many passengers to indulge in intensive game-playing! While some prefer to fiercely ride a digital motorcycle, shoot intruding aliens, or grow vegetables in a farm, others have a liking for sports games, perhaps as a compensation for rotting in front of a computer desk all-day-long. The latter will inevitably come across a bundle of World-Cup related game apps available on all application markets.

Image

World-Cup is a buzz-word, no doubt about it, and as such, it attracts not only the gamers’ attention, but the hackers’ as well, and the Chinese hackers know their onions, all right. They leverage the buzz and try to con unwary mobile users into downloading and installing infected apps. The hackers use the “repacking” method – they download a legit and innocent game app, plant a malicious code within it, and upload it once again to the app market, or to a forum. The compromised app looks just the same – it has the same icon, its name is almost identical, and the user has virtually no way of noticing any abnormality after having it installed.

Actually, this is not the first time we see this method being practiced – Chinese hackers use just the same mischief whenever a national holiday is being celebrated, a major event (be it national or international) takes place, or just when some application garners a lot of popularity.

There is a famous story in China about a farmer in the Spring and Autumn Period (approx. 771 to 476 BC) who was working in the fields, when a rabbit was running by and suddenly dashed into a tree stump. The joyful farmer brought the dead rabbit home and cooked it for dinner exclaiming that there is no need for him to work any longer, as he can simply sit by that stump and wait for more rabbits to knock dead into it. This story gave birth to the idiom 守株待兔(literally “to watch the stump and wait for rabbits”) meaning “to trust chance and luck rather than go working”. The Chinese hackers who use this “repacking” method are just modern lazy farmers, patiently awaiting unlucky mobile-users to fall prey to their hands.

Even though this post is China-focused, it is important for you to bear in mind that this “repacking” method can be easily implemented anywhere. We urge you to download applications only from official sites and app-markets, and to install an antivirus on your mobile device.

Don’t be a rabbit!

And with all that being said, we wish safe-gaming to all World-Cup enthusiasts, and good luck to all participating countries!

This Little Rhino Went to the (Underground) Market…

Illegal Trade in Ivory

The Internet is the world’s largest marketplace. Anything can be bought and sold, and with Internet access available in almost every corner of the earth, many people trade and profit from this wonderful platform. What most people do not realize is that you can buy or sell just about anything online. Sure, there are some obscure memorabilia which can be bought on eBay or its Chinese equivalents, but for more hardcore items, like contraband goods, you have to delve deeper into the web  to understand the scope of the trade.

One such  item is rhino horn. This illustrious item, made of keratin (the same type of protein that makes up hair and fingernails) is surreptitiously sought after for ornamental or traditional medicinal purposes in East Asia, specifically Vietnam and China. The rhino horns are removed from slaughtered animals all over Africa, taken to central warehouses and distribution centers and then shipped to the East, toward southeast Asia.

This trade is an ancient one and certainly precedes the Internet, but what is conspicuous today is that the Internet has become an essential virtual marketplace, where distributors, buyers and sellers communicate and trade. One platform where this  is taking place is Baidu Space (百度空间) – a popular online social networking service provided by China’s Internet giant Baidu, which also runs the country’s most popular search engine. There are many active users trade in rhino horns on this platform.

One such user is “zt04010623”. Not much is known about this individual, other than the fact that he is a married male university graduate in his 30’s, living in the Beijing metropolitan area. Messages on zt04010623’s “wall” in his Baidu Space account reveal his extensive engagement in the trade – most address ivory, ivory products and rhinoceros horns. Below are some samples:

A user named ssssssdddddwww asked: “Is it true that you buy ivory carvings? Where?”

A user named SUNTORY19895 wrote: “I’m a bit confused regarding how much I should ask for my ivory necklace. Can you take a look and give me a rough estimate?” 20 days later zt04010623 answered: “Yes, I can. Send it to me and I’ll have a look.”

A user named wwlleon9 asked: “Hello, can you get ivory from abroad?” On June 1, zt04010623 answered: “Ha ha, add my QQ number XXXX (Instant messaging service, popular in China).

A user named “Dark Blue Qinqin (深蓝的钦钦) wrote: “Hello brother, I have two ivory bracelets that my father’s friend brought from Equatorial Guinea when I was little. I have had them for about 15 years now. I heard that you buy, right? I wanted to ask how much? Please let me know. Thanks.”

A user by the name “Private Ivory Art (个体牙艺)13” wrote: “If you need ivory carvings, please contact me.” On January 18, zt04010623 sent his QQ number in response.

A picture of ivory taken from “Private Ivory Art’s” profile
A picture of ivory taken from “Private Ivory Art’s” profile

zt04010623 also shared his photo albums:

Ivory_2

Ivory_3

Ivory_4

In addition to his activity on Baidu Space, zt04010623 is also active on Baidu Knows (百度知道), an extremely popular Web service provided by Baidu where users can raise questions and/or answer them.

Since opening an account in Baidu Space, zt04010623 has already participated in 193 conversations and supplied 212 answers, most of which are related to ivory, ivory products and rhino horns. His intensive participation in these conversations has undoubtedly boosted his reputation as an ivory expert, and therefore many people approach him directly on his personal space with inquiries.

zt04010623 pays particular attention to the following keywords on Baidu Knows: ivory, rhino horns and ivory carvings. For instance, when a user asked: “Where can one buy genuine ivory in Tanggu district?” The next day, zt04010623 answered: “I have a friend who can help you. Please contact me.”

Some parts of the discussions clearly illustrate the illegal nature of the trade, such as a discussion where a user asked: “In which countries does the customs office not forbid importing ivory from countries that manufacture ivory?” zt040100623 answered: “Ha ha, I reckon you should have asked in which county are customs most loose. Go for small countries with unstable regimes, over there, customs exist in name only. Just give them some money and you can pass.”

As this individual shows, this kind of trade blossoms on the Internet, which has made communication between suppliers, sellers/distributors and customers so much easier, and the perceived anonymity of the web allows this illegal trade to take place interrupted, leading to large profits for all involved (all but the poor rhinos, now on the verge of extinction).