QQ, a Chinese chat service with hundreds of millions of active monthly users, contains numerous groups discussing hacking and fraud tools and techniques. These groups use a unique language to discuss illicit activities, including a mix of Chinese and English characters, emoticons and memes. Assessing data from hundreds of such groups, this case study aims to discuss insights about the tools and techniques being shared. An examination of file names, the content of some files, and the nature of discussions around sharing of the files sheds light on discussions around illicit online activity, identifying rules of engagement and cultural norms for this unique and relatively closed community of online actors. Despite its widespread usage within China and its exposure to China's well-documented surveillance apparatus, QQ is still rife with discussions themed around illicit hacking behavior as QQ group members share a large number of fraud tools and techniques. This may suggest some degree of permissiveness or "turning a blind eye" on the part of Chinese authorities—who undoubtedly have an aperture into these group’s chat histories. At the same time, creative jargon and subtle communication about fraud schemes likely makes detection challenging as hacking services, malicious file sharing, and cybercrime remain rampant.

1. Illicit QQ Communities: What’s Being Shared?
Aaron Shraberg, Senior Analyst II
1

2. ● Started studying Mandarin in high school as part of a pilot
program
● 4.5 years in-country experience
● Asian Studies at GW
● 10+ Years of research and analysis of security issues with an
emphasis on China for public and private sectors
2
About Me

3. ● What is QQ?
● Frequently found fraud types
● A unique language
● Detection Avoidance versus “Turning a Blind Eye”
● The future of threat detection
3
AGENDA

4. 4
What is QQ?
hxxps://www[.]chinainternetwatch[.]com/30383/tencent-q4-2019/
hxxps://www[.]imqq[.]com/English1033[.]html
● Initial release 1999
● About 800 million
MAU
● Allows creation of
groups with size
limitations
● Used mostly to
converse about
innocuous topics
● Super App
● Registration Reqs

5. 5
Where does QQ stand?
hxxps://datareportal[.]com/reports/digital-2019-internet-trends-in-q3
1.114 billion
823 million

6. 6
What is an “illicit community”?
hxxps://go[.]flashpoint-intel[.]com/docs/navigating-illicit-online-communities/
● A 2020 Flashpoint report defined these
as communities that support fraud,
cybercrime for financial gain, money
laundering and other illegal activities.
● Some groups also discuss fraud and
hacking tools and techniques.

7. 7
What is an “illicit community”?

8. 8
What’s being shared?
hxxps://110[.]qq[.]com/article_detail[.]html?id=1F4EBB0600EFE1FE679B
Business fraud
Top Fraud Types: January - August, 2020
Income schemes
Friend schemes

9. ● Credit card fraud
● Retail and online fraud / E-commerce fraud
○ Account sales
○ Database sales
● Phishing
○ Emails
○ Source Code
● DDoS
● Ransomware
● Tools and Files
○ Webshells
○ RATs
○ Scanners
○ Brute forcing tools
○ And much much more...
9
What’s being shared?

10. 10
Credit Card Fraud
● Internationalized
● Highly commercial
○ Supporting
cryptocurrency
payments
● Nexus with other chat
tools that are used
abroad
Threat actor active on at
least 4 other TG channels

11. 11
Credit Card Fraud
● Pivoting to Telegram groups for
continuing transactions and
wider market
● Discussions around EMV fraud

12. 12
Retail and online fraud / E-commerce fraud

13. 13
Retail and online fraud / E-commerce fraud
● Online store account sales
○ Types of offerings expanding
● Proxy account openings and payment services
● Account or merchant IDs
○ Furnished with proof of identity
documentation
● Amazon storefronts selling from 600 to 6,800
RMB, depending on whether or not they are
"second hand," "firsthand," and country.
Prolific Account Seller
E-commerce Accounts Sales Ad

14. 14
Account Sales (Case Study) Account Sales Advertisement

15. 15
Account Sales
Sample Price List

16. 16
Database Sales
Sample Advertisement

17. 17
Phishing
Sample Advertisement10,000 Emails for 100RMB (~1569 Yen or ~15USD)

18. 18
Phishing
Phishing Code File Name File Type
King Glory Phishing Source Code .zip
DNF Phishing Source Code .rar
Bot Phishing Source Code .rar
Hero League Phishing Source Code .zip
Hacker Phishing Source Code .zip
QQ Space Phishing Code .zip
● Alleged source code shared
● Proof of Concept?
Shared Phishing Source Code Files
Phishing Source Code

19. 19
DDoS
Taking DDoS and CC Attack Orders
Meme advertising DDoS/CC Attacks
● A large number of booters/stressors
○ Ambiguity around testing
versus offensive use of DDoS
● DDoS-as-a-Service
○ Some actors advertise DDoS
protection services
● Use of slang and ads may help avoid
detection
● Most appear aimed at disrupting
gambling, payment, and
pornography sites

20. 20
DDoS (Case Study)

21. 21
Ransomware
Ransomware-themed Group

22. 22
Tools and Files
● Webshells
● RATs
● Scanners
● Brute forcing tools
● And much more
Sample Files Shared List
China Chopper
"Intrusion Tool"
"Security Scanner"
"Grey Pigeon" RAT

23. 23
TTPs
●
● Phone
● VPN
● Translation Tool

24. 24
Illicit QQ Communities
● Online fraud focus has been on
vaguely defined areas of business
fraud, friendship/romance scams
and sexually explicit content
● Regulatory and law enforcement
arms focused on restricting access
outside Great Fire Wall and
sensitive content control
● These may be areas that matter
more to everyday people than
more sophisticated fraud
● Fraud from QQ space to outside
likely shielded by slang and use of
other tools like Telegram that are
blocked in China and not easily
detectable by monitors

25. Thank You
flashpoint-intel.com
ashraberg@flashpoint-intel.com