Self-Proclaimed Vigilante Hacker Casts Light on Chinese Criminals’ Global Cyber Scamming Sweatshops
How do cyber scam operations work? What kinds of tools and technology do criminals use to achieve their goals? And why do telecom fraud cases seem unstoppable?
In the past three years, cyber scam operations run by Chinese criminal groups have proliferated rapidly in China’s neighboring countries in Southeast Asia. These criminal groups have targeted not only Chinese-speaking victims in China and overseas but also English-speaking victims worldwide. In particular, organized Chinese criminal groups operating on the Thai-Myanmar border have become a global security menace, “threatening internet users worldwide with online scams and financial fraud, using trafficked ‘cyber slaves’ to carry out their crimes,” according to a June 2023 report by the United States Institute of Peace. A recent United Nations report pointed out that criminal collectives have coerced hundreds of thousands of individuals in Southeast Asia into participating in unlawful online scams. These fraudulent activities include false romantic ploys, bogus investment pitches and illegal gambling schemes.
The Chinese government has worked with counterparts in Thailand, Myanmar and Laos to crack down on cyber scam operations and telecom fraud, along with human trafficking and other crimes in the region, according to August reports in the Chinese state media outlets Xinhua News and People’s Daily. In one case, 24 telecom fraud suspects were brought back from Myanmar to China. (hxxp://en.people[.]cn/n3/2023/0828/c90000-20064171.html)
How do these cyber scam operations work? What kinds of tools and technology do criminals use to achieve their goals? And why do telecom fraud cases seem unstoppable? Wang Zhi’an, an exiled Chinese investigative journalist currently reporting from Tokyo, Japan via YouTube and podcasts, recently exposed several cyber scam cases through interviews with a victim of telecom fraud, a former employee of a cyber scam center operating in the Philippines, and a self-proclaimed Chinese hacker who tracked down the criminal syndicate that he said had stolen his grandmother’s retirement money. These interviews give a glimpse of this multibillion-dollar industry and its operations. Although the interviewees’ accounts would require verification, Natto Thoughts sees their value as raw material or leads for further analysis by policy makers, law enforcement, and the information security industry.
In particular, Wang’s interview with the Chinese hacker provides a perspective not only on the operations of the cyber scam industry but also on the hacker’s world in China. The hacker claimed that criminals had biked around his grandmother’s neighborhood with a fake cell tower to intercept her communications and to collect personal information that they then used to scam her. To track them down, he said he had used a combination of vulnerability exploits and personal connections to identify a criminal group based in the Wa State (a.k.a. Meung Vax or 佤邦 (wabang)) region of northern Myanmar.
After cross-checking the information from these interviews through extensive research, Natto Thoughts offers some insights that are worth exploring further.
Click Farms 2.0: Swiping Tasks 刷单
One of the most popular online scams is called “swiping tasks” (刷单), sometimes translated into English as “brushing,” which accounted for a third of all online fraud activity in China, according to a May 2022 report from China’s Ministry of Public Security. The operation of swiping tasks is similar to that of click farms, which either employ low-paid workers or program phones to click on particular web pages, especially “like” buttons on social media, or to search for business names, click on sites, or download certain applications (apps) over and over again to inflate the popularity of businesses. Before 2020, click farm operations were booming in China, a Yahoo Finance article stated. Some 90 percent of the views generated by many popular shows on video sites were fake, according to a report from Chinese state media CCTV.
Swiping-task operations have largely supplanted click farms since the COVID-19 pandemic began in 2020. Swiping tasks often lure real mobile phone users with promises of cash rebates or high returns on investment in exchange for performing various tasks. One example is boosting a product’s popularity by asking victims to purchase products online; the sellers promise to refund the product payment with an extra cash rebate after the victim writes a positive review, but they may just send an empty box without the product or not deliver anything at all. Another example is asking victims to download apps that the scam operators control. In Wang Zhi’an’s interview, the Chinese hacker said his grandmother fell victim to a fraudulent investment app. The app promised a high rate of return on investment. At the beginning, after the victim invested a small amount of funds, the app showed 20 to 30 percent returns within one week, and the victim could withdraw funds and earnings freely. Then the app showed an even higher return if the victim deposited a larger amount of funds. The app also asked the victim to share it with others to earn cash rebates. Once the victim’s account reached a certain amount – in the hacker’s grandmother’s case it was RMB110,000 (around US$15,000) – the scammers locked the victim’s account so the victim could no longer withdraw funds.
Technology as a Double-edged Sword: Tools Used in Cyber Scam Operations
The rise and globalization of China’s organized cyber scam operations has created a huge gray technology development industry chain. Criminals not only take advantage of readily available technological tools but also develop custom-made tools to accelerate their operations. Tools mentioned in Wang Zhi’an’s interviews include:
GoIP: a GSM-to-VoIP gateway used to send messages in bulk. Two Chinese companies, Shenzhen Hybertone Technology Limited (hxxp://www.hybertone[.]com/en/pro_detail.asp?proid=33) and DBL Tech, are the main manufacturers of GoIP devices, GSM gateways and SIM banks for the GSM mobile phone standard. A GoIP product from Hybertone is available through Amazon.
IMSI (International Mobile Subscriber Identity) catcher, also known as a fake cell tower (假基站), cell-site simulator, StingRay or dirtbox. These fake cell towers can intercept and tamper with telecom signals to alter caller IDs, so that victims believe they are receiving calls and messages from the official numbers of telecom providers.
Custom-made fraudulent apps to enable scam operations. This likely involves professional app developers building fraudulent functions into apps according to scammers’ needs, such as the investment app mentioned in the hacker interview.
USDT (Tether) cryptocurrency to launder money. A July report from Chinese state media CCTV stated that Chinese police had arrested 21 suspects in a $54 million USDT money laundering case and that all suspects had confessed to laundering money for cybercriminals using USDT.
Chinese Hacker Claimed to Have Exploited 0day iPhone Vulnerabilities, Warned iPhones Are Not Safe
The self-proclaimed hacker in Wang Zhi’an’s interview disclosed that he and other hackers in China have exploited “well-known 0day vulnerabilities” in the iOS operating system of Apple iPhones. Based on the hacker’s description of how the vulnerabilities were used, they are likely CVE-2022-46690 or CVE-2023-32434. Apple has released updates for both vulnerabilities, according to Apple’s security notes.
In the interview, the hacker said he was able to track down one scam operator by exploiting iOS vulnerabilities to access the scammer’s iCloud account. His description matched the 0-click 0day vulnerability in the iMessage messaging service on iOS described in the “Operation Triangulation” report from Moscow-based security firm Kaspersky. The hacker also claimed that, as long as he and his fellow hackers knew an iPhone’s IMEI (International Mobile Equipment Identity) number – which Chinese hackers often can obtain with “help” from corrupt employees at telecom providers or internet service providers (ISPs) – they would be able to access that particular iPhone. Because of these easily exploitable iPhone vulnerabilities, the hacker claimed, “Actually, iPhones are not safe at all.”
Interestingly, Natto Team’s previous post examining Qi An Xin (QAX)’s Mid-year Global APT report noted that QAX had found threat actors exploiting these 0-click 0day vulnerabilities to target a large number of victims within China. The hacker whom Wang Zhi’an interviewed provides an example of this phenomenon of Chinese hackers using that vulnerability to target fellow Chinese citizens.
Cyber Scamming is a Serious Business as well as an Industry in China
From what the interviewees described in Wang Zhi’an’s podcasts, cyber scam operations in China show trends toward industrialization, professionalization and cross-border activity.
Industrialization: cyber scam operations have been built around an entire gray industrial chain with various supporting markets or chains. For example, an underground information market collects and sells personally identifiable information (PII) and business data; a gray technology-development industry chain develops custom-made tools for scammers; and human smuggling channels supply labor for overseas cyber scam mills.
Professionalization: to support their operations, criminals hire professionals to get the job done. As described above, criminals hired software developers to create apps with fraudulent functions. Criminals also hire psychologists and professional writers to develop telecom fraud “scripts” with suggested responses to anything the victim might say; app developers then convert those scripts into an easy-to-use app for the fraudsters the criminals hire. Lastly, criminals take advantage of corrupt insiders in the telecom industry, government agencies and other businesses to obtain the information they need for their operations.
Cross-border activities: since 2020, Chinese criminals have dramatically increased cyber scam operations based overseas, particularly in Southeast Asia. Chinese criminal operators use laborers with English-language skills in countries such as the Philippines and Malaysia to expand scam activities targeting the English-speaking world.
Cyber Scams Are Everywhere: How to Avoid Them
You may think you are unlikely to become a victim of a scam operated by a Chinese criminal group in Myanmar. But unless you avoid mobile phones and the Internet entirely, cyber scammers can go after anybody. How do you avoid a scam? The US Federal Trade Commission provides consumers with a list of signs that a phone call or text is a scam and advice on how to avoid it. An article from Aura gives real examples of how to tell whether someone is scamming you online. Most importantly, use common sense and stay alert: if it seems too good to be true, give it a second thought.