
Gone Phishing

Armed with stolen data and social psychology, a new breed of sophisticated swindlers is targeting unwary WeChat users

When 50-year-old Jiang Huimin received a message from an unknown number in November, she sensed there was something off about it. Reading “I broke the screen on my phone, borrowing a friend’s to tell you,” it was signed with the name of Jiang’s 18-year-old daughter.

“Let mom buy you a new phone, son,” she deliberately replied. When the sender didn’t react to the mistaken gender—before they even got around to requesting money for an “expensive computer course”—she knew: “That was a swindler.”

According to the Tencent United Security Laboratory, run by the company behind some of China’s biggest social networking platforms, an average of 50,000 cases of financial fraud take place over the phone and internet in China each day. Phone and text message scams, such as the one that targeted Jiang, appeared almost as soon as personal mobile devices became widespread, with the earliest spate reported in Fujian province between 2002 and 2004.

Citing police, Tencent’s researchers say most of this fraud now takes place over online platforms. With personal information less secure than ever, tactics have evolved. In the past, a scammer might have purchased a dossier of mobile numbers to spam with phishing links, hoping for a bite from one in ten thousand; now, criminals have access to a trove of data, including names, location, photos, purchases, likes and dislikes, and friendship circles—information stored online by dozens of organizations, or voluntarily broadcast on social media.

QR codes make it easy for criminals to disguise phishing links

All this can go toward creating a believable online identity, with which even the savviest online user can be manipulated with enough time and effort—and even this is rarely necessary. “I’m always careful, but there was still a gut reaction just to seeing my daughter’s real name in the message,” Jiang tells TWOC. A previous scammer pretending to be her boss, despite using her personal name, had slipped up—Jiang owns her own business—putting her on the alert, but 25-year-old Liu Siyao was not as lucky.

In December, she received a private message on microblogging site Weibo, purporting to be from an ex-classmate, “Dai,” whom she knew was studying abroad and due back for the holidays. “Dai” wrote that she had trouble with her plane ticket, and asked Liu to call a number for her in China. When Liu complied, reaching what appeared to be the airline, she was told that her friend needed a new ticket. Liu couldn’t afford to help, but later a relative of the real Dai told her that others in their network had gotten the same message. “Before that, I never suspected anything,” she tells TWOC. “That surprised me, because I never thought of myself as someone who was easy to fool.”

But then, the impersonation was expertly done. Besides knowing Dai’s location, the scammers had made a clone of her Weibo account with an identical profile picture, an account name with just one period added, and had even looked up and “followed” Dai and Liu’s mutual friends. They also didn’t ask for money; that is, not right away.

***

Social engineering, the manipulation of people to divulge confidential information, gained global notoriety in 2014 with the publication of Kevin Mitnick’s The Art of Deception. Written by an ex-hacker turned cybersecurity expert, the book called humans “the weakest link” in the security of an organization, and portrayed social engineering as a long con, with the payoff coming many steps after gaining the victim’s trust. These conclusions then sparked panic after the 2016 US elections, when it was alleged that Democratic Party members may have been tricked into handing over information that swayed the results.

Conning via social engineering is longer and more labor-intensive than phishing via mass emails or text message, or the classic swindle that asks for help with an emergency. The payoff, though, may be worth the effort. In November, Chinese fraudsters made off with 18.6 million USD from the Indian subsidiary of Italian conglomerate Tecnimont SpA, wired over voluntarily by Mumbai managers convinced they were following orders from Milan.

Korean police confiscate mobile phones from a Taiwanese phishing gang targeting mainland Chinese

The case, one of the biggest cyber frauds in Indian history, drew comparisons to the 2001 blockbuster Ocean’s Eleven in the meticulous way the fraudsters studied their mark. The final pay-off, too, relied on psychological rather than technological hijinks. Investigators believe that once the fraudsters gained access to the company’s emails—possibly through something as easy as sending an employee a phishing link directing them to reset their password—they simply studied the Milan executives’ communication style, and faithfully copied it over weeks of faked emails, legal documents, and even conference calls.

The social engineering of ordinary Chinese rarely involves such high stakes, though it can be just as thorough—and not very difficult. “I always assume all my information has already been leaked,” Jiang says, noting that anyone could have found out her daughter’s name, status as a student, and their relationship from one of the many online test-prep course registrations they’d filled out in the past.

As stated in an article accompanying a 2015 report of the Internet Society of China (ISC), an NGO with ties to the state Ministry of Information Industry, “The prerequisite to swindle is the loss of personal information.” According to the report, researchers found that 78.2 percent of internet users’ personal information, including name, ID number, address, and workplace, may be already compromised; 63.4 percent have also had records of their calls and online purchases leaked.

Major leaks have been reported from China’s biggest dining and travel apps, Dianping and Ctrip, as well as web portals Sohu and Sogou. The official website of China Rail, 12306, is also suspected of suffering several breaches, some of which are denied by the authorities. According to the ISC, other at-risk organizations include portals such as NetEase and Tencent, which host over a billion email addresses combined in China; the health and social security systems of 30 provinces; and every Chinese courier company, which between them have stored millions of names, phone numbers, and addresses (and, as of November 2018, national ID numbers) on mobile user apps and paper receipts.

Since 2009, the sale of such personal information has been criminalized, but the law is hard to enforce. Thefts are usually only discovered if the information is used in additional wrongdoings, such as phishing or fraud, which have prosecution rates lower than 1 percent, as reported by one Guangzhou intermediate court in 2011: The cross-border nature of data crimes makes investigation harder, and targets seldom come forward. A 2016 survey by the Henan government found that only 50 percent of victims filed reports.

Bank cards used by QQ fraudsters are collected after a police raid

The law can also do nothing for personal details that internet users voluntarily “leak” via social media. “[The swindlers] were probably able to pretend to be my classmate because she would include her location in her Weibo posts,” Liu believes, adding that a few weeks later, she was contacted by yet another scammer, posing as a friend who was then traveling in Taiwan. “My friend had mentioned she was going there in a Weibo update.”

China’s biggest social media platform, WeChat, is becoming the next hotspot for cybercrime. As of this January, the company has purged 6,000 user accounts and 2,000 group chats suspected of phishing or fraud. Many were simply cyber updates to old tricks, hacking or cloning an account to request “money for surgery” or “travel emergency” from the user’s network. Others, though, were using features of WeChat itself to create what Tim Hwang, a California-based cognitive security expert, calls “a trade-off between scope and depth.”

Hwang, whose work mostly deals with the manipulation of online interaction by bots, believes that the same principles can be applied to the infiltration of malicious human actors into social networks. By targeting a particular person, “you can run a lot less accounts, but one that’s extremely believable—you don’t actually need anything very sophisticated to fool humans.”

***

Ashamed at being duped, victims often refuse to discuss the situation. Several contacted by TWOC felt that the experience (and lack of support from Tencent and the authorities) was too traumatic to relive, meaning I had to look into my own experience to understand how exactly cons are worked. It’s not difficult—given that my WeChat account is publicly discoverable, I get many requests from strangers. The most recent were a man named “Steven,” a woman named “Zitong,” and another with the handle “The Moonlight is Romantic.”

“Moonlight,” who had a rather busty profile photo taken on a beach, included the message “Hatty, my number has changed, please add my new number.” This pretend familiarity prompted a reaction—how could I have forgotten this person?—and a note from WeChat’s system seemed to add to her credibility, suggesting I was in Moonlight’s phone address book already. This, police have warned, is one of the oldest tricks in the book: Moonlight could have simply bought my number and saved it to her phone.

A booth explains how cybercriminals operate at an internet safety exhibition in Beijing

Steven was the only one with a WeChat Moments feed. He posts once a day, always two photos per update—tea with friends, attending a string quartet, visiting a park—but none with any faces visible. Albums of generic photos and video are sold on Taobao for as little as 8.8 RMB each for semi-legitimate purposes; according to one seller, their target customers are “social media influencers who want to drive up views.” (If Steven does turn out to be a forgotten friend with odd posting habits, I apologize.)

Recently, another contact I don’t remember sent me a QR code that promised to reveal which of my followers was a bot. Those who’ve opened it report that it’s essentially a phishing link: The code redirects to the account of a “bot-checker” who, once added, will ask for approval to log in to your account on a WeChat desktop app to “run tests.” Since a person’s WeChat account is often linked these days to their QQ Messenger, taxi-hailing, food-ordering, financial planning and a host of other service accounts, once login information is compromised, the problems add up.

An epidemic of scams reported in late 2018 took advantage of the ubiquity of delivery services, as scammers contacted WeChat victims by claiming to be “couriers” offering compensation for lost packages; a QR code directs users to a mock login page for payment platform Alipay, requesting a PIN. Because WeChat’s browser doesn’t display URLs, phishing sites are harder to detect (and can be hidden further in other WeChat features like QR codes, “red envelope” cash transfers, group-buying invitations, and mini apps).

The con also takes advantage of a cultural convention that refers to people in service professions—and even individuals like “landlord,” “teacher,” or “uncle”—by vocation or title only. As the Guangzhou police recently cautioned in a blog post, many would not think twice about an anonymous “courier” requesting to add them on WeChat, especially if they were expecting a package—and, with an estimated 100 million packages couriered around China daily, there’s a good chance they are.

Platforms like WeChat and Weibo trick users into thinking they do know another person, even though, as Hwang points out, “the nature of social interaction online is very limited…the few characters you write are all I’m going to get.” In a 2018 interview with People’s Daily, Zhu Wei, a communications law expert at China University of Politics and Law, said that fraud on WeChat was enabled by “acquaintance psychology”—the mental insistence that we know or ought to know a person in our network, even if we have no evidence to support this.

I’m not proud to say that this happened to me, several years ago. When I still had my WeChat location set to “Canada,” I added a woman who messaged, asking “Did you go back to China? We miss you!” After a few pleasantries—in which she tried to find out when I was returning, and I felt loath to admit that I couldn’t remember her—I took the cowardly way out and stopped responding.

A few months later, she sent me a link for “purging bot followers on WeChat.”

***

In January, at the 13th People’s Congress of Guangdong Province, there was a radical proposal: Public organizations should reduce the amount of information they collect, ask themselves whether knowing someone’s education level or marital status is really relevant to their work, and stop sharing the information without consent.

Unfortunately, the nation has been moving in just the opposite direction over the last decade. Real-name registration is now required for actions from riding trains and obtaining a SIM card to sending a parcel and commenting on an internet forum. With the roll-out of local, and, soon, national social credit systems, the trend is toward more collection and more centralization of data, rather than less.

Hwang fears that some security requirements actually make online information less secure. “I tend to really disagree with a system where, for example, WeChat says, we have their passport and that’s why we know who you’re talking to, because it’s very easy for people to find ways around those systems.”

He believes that a better way to verify a person’s identity online is to look at their account’s history, login records, and activity. The method is far from foolproof, though—as in the case of Liu and “Dai,” it could instead inspire new avenues for manipulation in the hands of a clever criminal. “I think it’s wrong to think about this as a problem that gets solved at some point,” says Hwang. “It will be more like a cat or mouse game, where you come up with a smarter way of defending against these attacks, and people get smarter about getting around them.”

“At some point you make it that it’s no longer profitable,” he speculates, “and that’ll knock out some of the people who are engaging in this, but then the process will start again.”

As if to underline Hwang’s point, police in Hainan and Hebei provinces reported a new spate of WeChat phishing during the writing of this story. Masquerading as “Tencent payment security advisors,” cybercriminals convinced users to upload their ID cards and bank information to a phishing site. The excuse? “Updating WeChat’s real-name registration.”


Gone Phishing is a story from our issue, “China Chic.” To read the entire issue, become a subscriber and receive the full magazine.
