China’s Cybercriminals Profit From Underground Data Monetization

Cybercriminals are using big data technology to make money from data obtained on the Chinese-language underground. Quelle surprise.

An analysis of open source information and data drawn from a variety of closed forums showed a cycle that included multiple layers of cybercriminals, the use of insider information and unwitting victims, according to researchers at Intel 471. That sounds a lot like the elements of a typical financial scheme – but with a big twist. Or at least a boost from China’s quest to be at the center of big data analytics, “especially as it pushes to become synonymous with new technology sectors like the Internet of Things (IoT),” the researchers wrote in a blog post.

China is making big data a centerpiece of all economic sectors, which creates a lot of data noise where criminals can find cover for their schemes. As the researchers pointed out, as the big data market has swelled – by China Industrial Control Systems Cyber Emergency Response Team’s estimates, to about $156 billion – China has struggled to manage, regulate and create governance around data. The explosive growth, the researchers noted, “has not been paired with oversight.”

Among the regulatory challenges China faces are the blurred lines between private and public personal information, coupled with security risks around collecting, storing and sharing it, much of which is left to the discretion of the companies collecting and handling it.

The Underground Information Market

The underground data monetization chain the researchers observed is set up much like any other business process, with a “clear division of labor, responsibilities and a delineated chain of command.” It includes a boss, or requester, who needs the data for a nefarious activity; insiders who, under orders from the boss, access raw data and extract information from a service provider for a profit. Middlemen stand between the boss and cybercriminal buyers, and get a cut of the action, while escrow and underground platforms provide a way for the middlemen to advertise their wares. Scammers, threat actors and direct marketers are the end users in this chain – they’re the ones who buy the data or engage with syndicates directly via the platforms.

“It comes as no surprise to read that cybercriminals are employing the same principles as some of the large social media companies,” said New Net Technologies Global Vice President Dirk Schrader, calling it “the back side of the big data coin.”

The schemes observed by Intel 471 make their money on a number of forums, from those catering to gambling and lotteries to those seeking user records, in one case from a parenting application. “We have also observed a number of Telegram channels that are dedicated to making money off stolen information related to big data programs,” the researchers noted.

Chinese law enforcement has tried to step in and hold companies accountable for the way they handle data. In 2019, for instance, authorities nabbed the general manager, deputy general manager and marketers of Tianyi Credit after several companies “were observed providing third-party data crawling services and selling the data collected from unknown victims to reap a profit in addition to being exploited by underground threat actors,” Intel 471’s researchers said.

More recently, authorities have tightened regulations around personal data and privacy, including privacy and security strictures from the Cyberspace Administration of China.

Data Breaches Offer a Cautionary Tale

The Intel 471 findings are a cautionary tale for those who continue to dismiss the relevance of the troves of data from previous social media site breaches being hawked online.

“The more the bad actors know about a target, the better becomes their craft,” said Schrader, making it “even harder for a regular user to recognize a phishing email, or for the employee in corporate finance to identify a BEC [business email compromise] attempt.”

The findings also signal, the researchers said, the need to protect data with the same urgency that companies secure their essential services. That’s not as easy as it sounds. For many organizations, sprawling cloud infrastructure prevents them from having visibility into who’s accessing sensitive information, according to Hank Schless, senior manager, security solutions, at Lookout. “Understanding data access is even more difficult when the biggest threat comes from people on the inside who are less likely to trip any alarms when accessing sensitive company data,” he said, suggesting that a zero-trust model can help.

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.