DDoS Attacks for Hire: How the Gambling Crave Fuels Cybercrime in China

ddos-attack-Banner-DDos_1920x960-1024x512

The Forbidden Fruit – Gambling in China

Many card and board games are believed to have originated in Ancient China. Some of these games involved betting and gambling and they have been an inherent part of the Chinese leisure culture for centuries.

This changed when the Communist Party seized power in 1949, declaring gambling a “corrupt, feudal practice” and hence strictly banned by law.

When the Reform and Opening-up policy was introduced in China in the late 1970’s and early 1980’s, the authorities have somewhat released their strong grip on gambling and card games. Gaming and carding parlors (known in Chinese as 棋牌室, literally meaning “chess and card rooms”) sprang up in every street corner and card games and private betting among groups of friends thrived. Despite this, gambling remained illegal outside the two national lotteries (the China Sports Lottery and the China Welfare Lottery) and these establishments were far from satisfying the crave.

What do you do when your Favorite Pastime is Forbidden by Law?

Travel to Casino Hubs Abroad

A partial solution was found overseas. Chinese gamblers have flocked to casinos around the globe and went to neighboring Hong Kong to participate in horse race betting. And then there was Macau – with the help of the Chinese government, the former Portuguese colony just across the border from Guangdong Province has become the world’s largest casino center, surpassing Las Vegas since 2006.

Another casino hub attracting hordes of Chinese gamblers in recent years is the Philippines, where the hosting and entertainment industry, catering to the needs of the Chinese, was booming until the outburst of Covid-19 pandemic. This is manifested in job openings in the Philippines for Chinese nationals, many of which re published in dubious online platforms, such as QQ and Telegram groups dedicated to gambling and fraud as well as in Chinese-language underground forums. Another negative side to this craze is gambling-related crime, which has escalated in the Philippines over the past years.

However, traveling abroad is not accessible to everyone in China with a crave for gambling and even those who do travel, cannot always travel as often as they’d want to. There was a market rip for solutions, and with travel restrictions following the outburst of Covid-19 pandemic, this market’s potential grew even larger.

From Casino Hubs to Online Gambling Arenas

they satisfied the Chinese gambling community for about a decade. Since then, China has outlawed online gambling as well and the active websites are also situated offshore, on servers located outside the country.

These online casinos, gaming websites and gambling arenas cause a big headache to the Chinese Communist Party. If a decade ago the authorities have largely turned a blind eye to this phenomenon, nowadays, with the clear aim to promote a “civilized, harmonious society”, China sees it as a challenge and tries to fight these online platforms. Of course, these moral considerations, important as they may be, are dwarfed by the financial problem, as online gambling is draining hundreds of millions of yuan out of the country. Yet China is finding it hard to stop websites that are registered and operated abroad, especially when the hosting counties, such as the Philippines, are not so keen on cooperating.

Enter Cybercrime

The size of the market is a huge business incentive, creating more and more actors and fierce competition. These online casinos use various methods in order to lure more gamblers onto their websites. One of these methods, is fraud. For example, one of the common frauds that takes place is when fake gambling websites pretend to be official sites of famous casinos in Macau.

But competition does not stop there. In order to gain bigger chunks of online traffic, gambling websites fight and attack one another, and their weapon is – ironically – online traffic.

chinese-gambling-website-1024x519

Chinese Gambling Website Posing as Macao’s Venetian Official Online Casino

The DDoS Fighting Ring

Chinese hackers are more than eager to lend a helping hand. As most state-sponsored cyber activities handled by patriotic hacking groups from the early 1990’s until about a decade ago, are now under the wings of the Chinese intelligence apparatus, many idle hackers have turned into cybercrime, looking for easy profit. This type of cybercrime is mostly directed inbounds.

One of the ways in which Chinese hackers are involved in the online gambling industry is by breaching online casinos and gaming websites, stealing their user data and selling it on Darknet marketplaces or offering it on designated QQ and Telegram groups.

gambling-site-database-leak

Sample from a Gambling Site Database Leak,
Offered for Sale on a Chinese Darknet Marketplace

Another way, which drives a whole underground sector of cybercrime in China, is by conducting DDoS attacks against competitors. These attacks take the gambling websites down and thus, hopefully, drive their customers to the gambling site that ordered the attack.

DDoS has also become a popular weapon for pornography websites and Darknet marketplaces, who launch DDoS attacks against each other. For example, China’s largest online marketplace on the Darknet, has experienced a large-scale DDoS attack during the summer, disrupting its activity for several weeks.

flashing-ads

Flashing Ads on a Chinese Hacking Forum, Offering Tailor-made DDoS Attacks,
among other Hacking Services

The DDoS Chain

The first step in a DDoS attack is to gain control of a large number of computers and other online devices and to turn them into bots, in order to divert huge traffic to the attacked website and thus shut it down. In Chinese hacking slang, these computers are named “broilers” or “meat chickens” (肉鸡). Members of Chinese underground hacking forums constantly offer tools for detecting these “broilers”, namely scanners that trace vulnerabilities in computers and servers. These tools allow the attacker to penetrate these vulnerable devices, implant trojans in them and hence control them remotely. The tools are referred to in Chinese as “Chicken Catchers” (抓鸡) and hackers who operate on those forums trade them between themselves.

broiler-detection

‘Broiler’ Detection Tool Offered on a Chinese Hacking Forum

In addition to buying tools to detect “broilers”, DDoS attackers can also buy these “broilers” directly, as these are sold in bulks on forums and designated QQ/Telegram groups. Based on the number of messages in forums and chat groups, of people requesting to buy “broilers”, it is quite clear they are in high demand.

The customers of the “broiler” market are in turn becoming the suppliers of DDoS attacks and offer their tailor-made services online. Whoever orders the attack can contact the attacker via private messaging, define the target and agree on a price according to the length of the attack and the nature of the attacked website. According to a report published by the Chinese tech firm Tencent, this is what the chain of custom-made DDoS attacks looks like:

DDOS-diagram-1024x595

The Offer: DDoS as-a-Service

The screenshot below, showing an offer posted on a prominent Chinese Darknet marketplace, can shed light on the how these DDoS as-a-service transactions are conducted. It also demonstrates what kind of websites are legitimate targets and which websites are off-limits, for fear of being prosecuted by the authorities. The post reads:

ddos-as-a-service

DDoS as-a-service Offer Posted on Chinese Darknet

Translation:

ddos-as-a-service-translation

Hunting Down Cybercriminals

Chinese law enforcement authorities are well aware of this problem and are relentlessly trying to crack down these cybercriminals and their activities. In late 2018, a man in his twenties from Suining County, Jiangsu Province, was arrested by local authorities, after discovering he had implanted a malicious code, which allowed him to remotely control a local server. During his investigation, he admitted to being part of a team of at least 20 hackers from all over the country that had used “broilers” in order to conduct DDoS attacks by demand.

The team had been involved in more than a hundred DDoS attacks, harming or controlling more than 200,000 websites and earning more than 10 million yuan along the way. Members of the team were arrested across China, yet this only emphasized the magnitude and popularity of the DDoS and DDoS as-a-Service markets, and the success of taking down this cybercriminal operation was merely a drop in the ocean.

Changes in the Threat Landscape under the Global Influence of COVID-19

In this report, Verint’s Cyber Threat Intelligence Group (powered by SenseCy) presents an analysis of how the COVID-19 global outbreak changed the threat landscape and how in the case of cyber threats too, the curve has flattened and the number of COVID-19 related cyber incidents, is in decline.

Key Findings

  1. The peak of the curve was in the second half of March 2020, after which we see a decline in the number of COVID-19 related malicious activities.
  2. Malspam and phishing/spear-phishing have been the most popular attack vectors between the 1st of March and 18th of April – used in 66.6% of the campaigns analyzed.
  3. The healthcare industry is the most targeted industry when it comes to COVID-19 related attacks, with over 20% of campaigns targeting healthcare organizations.
  4. Out of the four most popular vulnerabilities exploited, one dates back to 2012 (CVE-2012-0158).

To read the full report, click here.

Hackers Continue to Exploit the COVID-19 Pandemic in Malicious Campaigns

hackercovid_1920x960-1024x512

As the Coronavirus (COVID-19) pandemic continues to spread throughout the world, a growing number of malicious campaigns were identified, attempting to exploit the constant search for information and updates on the virus, in order to spread various types of malware.

In this blog post we share our analysis of one of the major Coronavirus related malicious campaigns and provide an overview of other campaigns. In addition, for your convenience, you will find at the end of the post a list of IoCs to implement in your security systems.

The COVID-19 Interactive Map – The Malicious Version

Security researchers have identified Russian cybercriminals selling malicious versions of the highly popular interactive map of COVID-19 cases around the world, created by Johns Hopkins Coronavirus Resource Center. In fact, these versions include infostealer malware, intended on stealing information from its victims’ computers.

john-hopkins-map-1024x349

John Hopkins Coronavirus Resource Center

sales-offer-on-russian-dark-web-forum

Sales Offer of Malicious Map in Russian Dark Web Forum
Source: Verint LUMINAR

In addition, a new malicious domain was discovered, coronavirusapp[.]site, which is offering to download an Android app that tracks the spread of the virus and also includes statistical data. However, the application is actually poisoned with CovidLock, a ransomware that changes the password used to unlock the device, thus denying the victims access to their phones. The victims are required to pay a ransom fee of US$100 in Bitcoin, or else, according to the ransom note, their contacts, pictures, videos and device’s memory will all be erased.

coronavirus-app-site

The Coronavirusapp[.]site domain.
Source: Domain Tools

Attack Methods

Security researchers have also discovered a new backdoor distributed in RAR format. The file includes an executable masquerading as a Microsoft Word file with information on COVID-19, intended to install the rest of the malware on the victim’s computer. The researchers estimate that file is being distributed via phishing emails.

A new ransomware called CoronaVirus was recently identified while being distributed through a fake website of WiseCleaner, a service offering system utilities for Windows OS. Download files on this malicious site act as downloaders for both the CoronaVirus ransomware and a stealer called Kpot. Additional campaigns utilize phishing emails with malicious attachments that supposedly include information and updates on Coronavirus, but in fact download different malware to the victims’ computers, including a banking Trojan called TrickBot, a Stealer called LokiBot and a Stealer called FormBook.

State-Sponsored Threat Actors Are Also Involved

Security researchers have also identified state-sponsored threat actors exploiting the COVID-19 panic to promote their interests and carry out attack campaigns.

  • In early March 2020, researchers discovered a campaign launched by a Chinese APT group against targets in Vietnam.
  • Another Chinese APT group attacked targets in Mongolia’s government using malicious documents that supposedly contain new information on the virus.
  • An APT group originating from North Korea has sent phishing messages to South Korean officials that ostensibly included a document detailing the reaction of the country to the pandemic.
  • Russian APT Group had sent malicious files, seemingly including updates on Coronavirus, in order to distribute a backdoor malware to targets in Ukraine.

We see that cybercriminals and state-sponsored threat actors are using the panic resulting from the Coronavirus pandemic, for phishing purposes and malware distribution. As the virus continues to spread across the world, preoccupying the global agenda, it can be estimated we will witness more campaigns exploiting the crisis.

To read the detailed analysis click here

For a list of IOCs click here

Suspicious Domains Selling Tickets to the Tokyo 2020 Olympics

Tokyothumbnail_840x620

As a cloud of uncertainty still hangs over the opening of the Tokyo 2020 Olympics due to the Coronavirus pandemic, cyber criminals are still working (remotely) on finding ways to maliciously profit from the event.

Events at the center of global attention such as major sports events and tournaments are often used by attackers to trick users into phishing scams, malware campaigns and the theft of personal and payment details.

We have been monitoring potential threats to the upcoming Tokyo 2020 Olympics for our customers and we recently discovered two suspicious domains allegedly selling tickets for the Games. In both cases, further investigation led us to find additional suspicious domains allegedly selling tickets to the Euro 2020 tournament. In this blog post you can find a summary of our findings.

tickets-tokyo2020[.]com

The domain tickets-tokyo2020[.]com was created on February 11, 2020 by a private registrant at the NICENIC INTERNATIONAL GROUP domain registrar.

When accessing the domain, the user is presented with a page in Russian where the official logo of the 2020 Tokyo Olympics appears. It is also stated that this website is an “authorized Ticket Reseller” for the Olympics. However, we could not find this domain in the list of authorized resellers on the official website of the 2020 Olympics. The user can change the language of the website to English and the website contains search fields, where the user can search for a specific event in the Olympics, for which they are looking to purchase tickets. At the time of publishing this post, the search option does not appear to function, thus, it is possible the website is still under development. There is also a “cart” banner where the user is supposed to be able to view the selected tickets and pay for them.

tickets-tokyo-1-1024x562

tickets-tokyo2020[.]com

This domain is hosted on the 5.45.72[.]40 IP address, together with only two more domains: ticket-mafia[.]com and euro-2020-tickets[.]com. The ticket-mafia[.]com domain was created on November 2016, and until December 20, 2019, it was registered by a private registrant at the GoDaddy domain registrar. However, on December 20, 2019, its registry was updated by a private registrant and was registered at the same domain registrar as the tickets-tokyo2020[.]com domain, NICENIC INTERNATIONAL GROUP.

The ticket-mafia[.]com domain displays a login page in Russian. It is worth mentioning that when inserting HTTPS:// before the tickets-tokyo2020[.]com domain, we were presented with the same login page of ticket-mafia[.]com. There is no option to sign up and therefore we believe it is designed for a user with preset login credentials, presumably the admin of the websites. We estimate the login page leads to a backend dashboard of some kind, although it remains unknown whether it is used for legitimate purposes or not.

login-window-small

Login Window

The euro-2020-tickets[.]com domain was created on January 6, 2020, by a private registrant and is also registered at the NICENIC INTERNATIONAL GROUP domain registrar. This website resembles the tickets-tokyo2020[.]com: it is also presented in Russian and uses the official UEFA Euro 2020 logo, it enables the user to switch the language to English and it allows users to search for a specific match. However, in this case, the search function does work. Upon selecting a match and a seat, the user can select the “order” function and enter his name, phone number and email address and move on to the payment, yet the “Go to the payment” button does not work, as of the time of publishing this post. Of note, the official UEFA Euro 2020 website specifically states that “Third-party ticketing websites and secondary ticketing platforms are not authorized to sell tickets for UEFA EURO 2020”. Thus, it appears this website is not an official Euro 2020 tickets reseller and is not authorized to offer tickets for the tournament for sale.

euro-tickets2020-1

euro-2020-tickets[.]com

In light of these findings, we estimate that the above domains were created by the same actor. Our investigation did not reveal any malicious activity associated with these domains. However, it appears that these are not official resellers of tickets for the two events. In addition, as the search function in the Tokyo 2020 domain and the payment function in the Euro 2020 domain do not work, it appears that these domains are still under development, and thus could materialize into a more serious threat in the future.

olympic2020tickets[.]com

The code of a malicious HTML file recently uploaded to the VirusTotal platform, contained a link to the olympic2020tickets[.]com domain. This domain does not appear in the official website of the Tokyo 2020 Olympics as an official and authorized reseller. The website offers users to buy or sell tickets to the 2020 Tokyo Olympics. The website also displays the logos of some of the Olympics’ official sponsors, such as Toyota, Panasonic, Visa, Alibaba Group, and more. The use of the logos of the sponsors can increase the credibility of the website in the eyes of visitors, and trick them into thinking the website is a legitimate and official ticket reseller for the Games.

olympic2020tickets-1

olympic2020tickets[.]com

Using an HTML interpreter, we discovered that the above-mentioned malicious file uploaded to VirusTotal, contains the HTML code of the main page of olympic2020tickets[.]com. In addition, the olympic2020tickets[.]com domain itself is identified as malicious by three different anti-virus engines. Our technical analysis of the website’s code did not reveal any use of a malicious JavaScript. The website provides the following phone number for contact: +4402074425560. We identified two additional similar domains, eurosportstickets[.]com and ticketsmarketplace.co[.]uk, which provide the same phone number for contact, and are also dedicated to selling tickets to various sports events and games. As can be seen in the screenshots below, the three domains resemble each other in their structure and design. In addition, eurosportstickets[.]com is identified as a phishing website by two anti-virus engines.

eurosportstickets-1-1024x524

eurosportstickets[.]com

ticketsmarketplace-1

ticketsmarketplace[.]co.uk

None of the Whois details of the three domains, reveal the identity of the registrant. However, we noticed that two of the domains, olympic2020tickets[.]com and ticketsmarketplace[.]co.uk, are hosted on the same IP address, 77.72.1.20, while eurosportstickets[.]com is hosted on the approximate 77.72.1.21 IP address.

Using the graph function of VirusTotal, we managed to establish connections between the three domains and the IP addresses they are hosted on, as can be seen below. The graph also shows how this infrastructure is related to malicious activity, and how both IP addresses are used for downloading malware, such as the Tofsee backdoor, the Artemis malware or the QRat.

mapping-1024x711

Connections Between the Domains and Their Surrounding Malicious Infrastructure