Cybercrime in China has grown by 20-30% annually over the last decade, reaching more than USD 14 billion in turnover in 2018,1 a year in which the global cybercrime industry was estimated at around USD 45 billion.2 Among the various types of cybercrime, data theft and identity fraud committed using stolen data are some of the most common cyber risks that e-commerce companies should detect and mitigate. These fraudulent activities, committed by criminals on the dark web, not only significantly compromise the integrity of online business operations but can also potentially endanger the safety of customers and, ultimately, harm business reputation.
Stolen Data for Sale
Stolen personal data, such as Personally Identifiable Information (“PII”) used for identifying customers and account credentials used for authenticating access, is often found for sale on cybercrime forums on the dark web. For instance, in February 2020, PII for 538 million users of Weibo, a popular micro-blogging platform in China, was for sale on a prominent Chinese-language cybercrime forum.3 While this caught the attention of reporters in both Chinese and foreign media, it was by no means a unique security incident. Data dumps consisting of PII stolen by hackers or company insiders from corporate and government databases are advertised every day in underground marketplaces and hacker forums on the deep/dark web.
As of July 2020, Aon’s Cyber Solutions identified ads posted in underground forums and communities that offered a range of sensitive user data, such as shopping and logistics delivery data purportedly obtained from major e-commerce sites in China, including Tmall and Taobao of Alibaba Group, as well as from other global e-commerce sites such as Amazon. Some actors even claimed their data was obtained through insiders. Although it has been uncommon for Chinese regulators to impose punishment on companies suffering data breaches,4 such incidents can harm company reputation and may invite additional regulatory scrutiny.5
Fraudulent Platform Activities
Stolen PII was commonly used by illegal operators to create dummy accounts that provide fake online traffic and reviews on shopping or e-commerce sites. The prevalence of this practice in China was noted in a 2019 article by the state-run Xinhua agency,6 which estimated that China has nine million online fraud criminal operators, meaning that six out of every 1,000 people in China are engaged in the business of generating fake online traffic and/or committing identity fraud using PII that is stolen or bought from the dark web. Advertisements for these services can be found on dark web forums and on messaging apps that offer encryption, which illicit traders use in an attempt to bypass the censorship and law enforcement surveillance found on some PRC-based communication tools.7 8
Criminals in the digital age rely on the dark web and encrypted communication tools to keep their victims and law enforcement in the dark. Companies doing business online need a reasonably robust cyber defense strategy that matches their risk profiles. Dark web intelligence can play a meaningful role in informing companies about their exposure. Keeping track of malicious dark web chatter targeting a company requires cyber investigators who know how to gain insight into who is being targeted and which assets are at stake. From an incident response standpoint, it is also crucial for companies handling data breaches to consider engaging resources that can monitor underground data monetization attempts to assist with the investigation.
Because data in underground marketplaces is volatile, investigations should, from an evidence preservation perspective, draw not only on live but also on archived dark web resources. Take the example of the most well-known Chinese dark web marketplace, DeepMix:9 although the original site was taken down in late 2019 after suffering a series of DDoS attacks, historical data listings can still be accessed in proprietary dark web archives.
Businesses looking to take advantage of China’s e-commerce opportunities should be alert to the potential cyber and supply chain risks in their China operations. Aon’s Cyber Solutions has supported clients with complex cyber investigations by providing deep investigative knowledge and expertise, intelligence collection capabilities, and native language and cultural understanding that can help companies assess and mitigate their exposure to various types of cyber and insider risks.
Author: Tony Yu
1. Wang, Qi; Zhang, Yating, “《2018网络黑灰产治理研究报告》发布：黑灰产已达千亿规模” Tencent QQ, August 21, 2018, https://new.qq.com/omn/20180821/20180821A0AM9Z.html. Accessed on April 29, 2020.
2. “Cybercrime a $45 billion industry: Report” CISO Mag, July 24, 2019, https://www.cisomag.com/cybercrime-a-45-billion-industry-report. Accessed on June 5, 2020.
3. Cimpanu, Catalin. “Hacker selling data of 538 million Weibo users” ZDNet, March 23, 2020, https://www.zdnet.com/article/hacker-selling-data-of-538-millionweibo-users. Accessed on April 29, 2020.
4. “中國連鎖酒店集團疑似數據洩漏：1.3億用戶個人信息恐成黑色產業「金礦」” BBC, August 31, 2018, https://www.bbc.com/zhongwen/trad/chinesenews-45328992. Accessed on April 29, 2020.
5. This and similar instances of data breaches in China have resulted in the affected companies being summoned by regulators to discuss means to strengthen security: “工信部网络安全管理局就新浪微博App数据泄露问题开展问询约谈” STCN, March 24, 2020, http://news.stcn.com/2020/0324/15756156.shtml. Accessed on June 5, 2020.
6. Tang, Lan: “网络黑产无孔不入：暗网助长犯罪 沟通隐蔽难以追查” Xinhuanet.com, August 17, 2019, http://www.xinhuanet.com/fortune/2019-08/17/c_1124886819.htm. Accessed on April 29, 2020.
7. Rubinstein, Ori: “Chinese Threat Actor’ Dark Web Activities on Telegram” Sixgill, September 17, 2019, https://blog.cybersixgill.com/chinese-threat-actorsdark-web-activities-on-telegram. Accessed on June 5, 2020.
8. Rubinstein, Ori: “China’s Unique Platforms for Cyber Threat Actors: Wechat and QQ” Sixgill, July 16, 2019, https://blog.cybersixgill.com/chinas-unique-platformsfor-cyber-threat-actors-wechat-and-qq. Accessed on June 5, 2020.