Chinese tech company employees and government workers are siphoning off user data and selling it online – and even high-ranking Chinese Communist Party officials and FBI-wanted hackers’ sensitive information is being peddled by the Middle Kingdom’s thriving illegal data ecosystem.
“While Western cybercrime research focuses heavily on criminals in the English- and Russian-speaking worlds, there is also a large community of Chinese-speaking cybercriminals who engage in scammy, low-level, financially motivated cybercrime,” SpyCloud senior security researcher Kyla Cardona said during a talk at last month’s Cyberwarcon in Arlington, Virginia.
It’s no secret that President Xi Jinping’s government uses technology companies to help maintain the nation’s massive surveillance apparatus.
But in addition to forcing businesses operating in China to stockpile and hand over info about their users for censorship and state-snooping purposes, a black market for individuals’ sensitive data is also booming. Corporate and government insiders have access to this harvested private info, and they have financial incentives to sell the data to fraudsters and crooks to exploit.
“It’s a double-edged sword,” Cardona told The Register during an interview alongside SpyCloud infosec researcher Aurora Johnson.
“The data is being collected by rich and powerful people that control technology companies and work in the government, but it can also be used against them in all of these scams and fraud and other low-level crimes,” Johnson added.
China’s thriving data black market
To get their hands on the personal info, Chinese data brokers often recruit shady insiders with wanted ads seeking “friends” working in government, and promise daily income of 20,000 to 70,000 yuan ($2,700 to $9,700) in exchange for harvested information. This data is then used to pull off scams, fraud, and suchlike.
Some of these data brokers also claim to have “signed formal contracts” with the big three Chinese telecom companies: China Mobile, China Unicom, and China Telecom. The brokers’ marketing materials tout they are able to legally obtain and sell details of people’s internet habits via the Chinese telcos’ deep packet inspection systems, which monitor as well as manage and store network traffic. (The West has also seen this kind of thing.)
Crucially, this level of surveillance by the telcos gives their employees access to users’ browsing data and other info, which workers can then swipe and then resell themselves through various brokers, Cardona and Johnson said.
Scammers and other criminals are buying copies of this personal information, illicitly obtained or otherwise, for their swindles, but it’s also being purchased by legitimate businesses for sales leads — to sell people car insurance when theirs is about to expire, for example.
Information acquired through DPI also seems to be a major source of the stolen personal details that go into the so-called “social engineering databases,” or SGKs (short for shegong ku), according to the researchers.
In addition to amassing information collected from DPI, these databases contain personal details provided by underhand software development kits (SDKs) buried in apps and other programs, which basically spy on users in real time, as well as records stolen during IT security breaches.
SGK records include personal profiles (names, genders, addresses, dates of birth, phone numbers, email and social media account details, zodiac signs), bank account and other financial information, health records, property and vehicle information, facial recognition scans and photos, criminal case details, and more. Some of the SGK platforms allow users to do reverse lookups on potential targets, allowing someone to be ultimately identified from their otherwise non-identifying details.
[…]
One SGK that has since been taken down had more than 3 million users. As of now, one of the biggest stolen-info databases has 317,000 subscribers, we’re told, while most of the search services each see about 90,000 users per month.
[…]
One also displayed a ton of sensitive details belonging to a high-ranking CCP member.
A free SGK search query about this individual pulled up the person’s name, physical address, mobile number, national ID number, birth date, gender, and issuing authority, which the researcher surmised is the issuing authority for the ID card.
An additional query produced even more: The person’s WeChat ID, vehicle information, hobbies and industry information, marital status, and monthly salary, and his phone’s International Mobile Equipment Identity (IMEI) number with a link to click for more information about the device.
The researchers found similar info about a People’s Liberation Army member using SGKs, plus details about suspected nation-state-backed criminals wanted by the FBI.
[…]
“There is a huge ecosystem of Chinese breached and leaked data, and I don’t know that a lot of Western cybersecurity researchers are looking at this,” Johnson continued. “It poses privacy risks to all Chinese people across all groups. And then it also gives us Western cybersecurity researchers a really interesting source to track some of these actors that have been targeting critical infrastructure.” ®
Source: How Chinese insiders exploit its surveillance state • The Register
Which goes to show – large centralised databases give away their data to far too many people. Bad security (like government backdoors to encryption) is bad for everyone – anyone with the key can (and will) get in (like the US is finding out: In massive U-turn, FBI Warns Americans to Start Using Encrypted Messaging Apps, after discovering the problem with backdoors).
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft