Gonephishing

BY Hatty Liu

Armed with stolen data and social psychology， a new breed of sophisticated swindlers is targeting unwary WeChat users

信息泄露和“熟人心理”給了社交媒體詐騙

可乘之機，用戶只能更加謹慎

When 50-year-old Jiang Huimin received a message from a unknown number in November， she sensed there was something off about it. Reading “I broke the screen on my phone， borrowing a friends to tell you，” it was signed with the name of Jiangs 18-year-old daughter.

“Let mom buy you a new phone， son，” she deliberately replied. When the sender didnt react to the mistaken gender—before they even got around to requesting money for an “expensive computer course”—she knew： “That was a swindler.”

According to the Tencent United Security Laboratory， run by the company behind some of Chinas biggest social networking platforms， an average 50，000 cases of financial fraud takes place over the phone and internet in China each day. Phone and text message scams， such as the one that targeted Jiang， appeared almost as soon as personal mobile devices became widespread， with the earliest spate reported in Fujian province between 2002 and 2004.

Citing police， Tencents researchers say most of this fraud now takes place over online platform. With personal information less secure than ever， tactics have evolved. In the past， a scammer might have purchased a dossier of mobile numbers to spam with phishing links， hoping for a bite from one in ten thousand; now， criminals have access to a trove of data， including names， location， photos， purchases， likes and dislikes， and friendship circles—information stored online by dozens of organizations， or voluntarily broadcast on social media.

All this can go toward creating a believable online identity， with which even the savviest online user can be manipulated with enough time and effort—and even this is rarely necessary. “Im always careful， but there was still a gut reaction just to seeing my daughters real name in the message，” Jiang tells TWOC. A previous scammer pretending to be her boss， despite using her personal name， had slipped up—Jiang owns her own business—putting her on the alert， but 25-year-old Liu Siyao was not as lucky.

In December， she received a private message on microblogging site Weibo， purporting to be from an ex-classmate， “Dai，” whom she knew was studying abroad and due back for the holidays. “Dai” wrote that she had trouble with her plane ticket， and asked Liu to call a number for her in China. When Liu complied， reaching what appeared to be the airline， she was told that her friend needed a new ticket. Liu couldnt afford to help， but later a relative of the real Dai told her that others in their network had gotten the same message. “Before that， I never suspected anything，” she tells TWOC. “That surprised me， because I never thought of myself as someone who was easy to fool.”

But then， the impersonation was expertly done. Besides knowing Dais location， the scammers had made a clone of her Weibo account with an identical profile picture， an account name with just one period added， and had even looked up and “followed” Dai and Lius mutual friends. They also didnt ask for money; that is， not right away.

Social engineering， the manipulation of people to divulge confidential information， gained global notoriety in 2014 with the publication of Kevin MitnicksThe Art of Deception. Written by an ex-hacker turned cybersecurity expert， the book called humans “the weakest link” in the security of an organization， and portrayed social engineering as a long con， with the payoff coming many steps after gaining the victims trust. These conclusions then sparked panic after the 2016 US elections， when it was alleged that Democratic Party members may have been tricked into handing over information that swayed the results.

Conning via social engineering is longer and more labor-intensive than phishing via mass emails or text message， or the classic swindle that asks for help with an emergency. The payoff， though， may be worth the effort. In November， Chinese fraudsters made off with 18.6 million USD from the Indian subsidiary of Italian conglomerate Tecnimont SpA， wired over voluntarily by Mumbai managers convinced they were following orders from Milan.

The case， one of the biggest cyber frauds in Indian history， drew comparisons to 2001 blockbusterOceans Elevenin the meticulous way the fraudsters studied their mark. The final pay-off， too， relied on psychological rather than technological hijinks. Investigators believe that once the fraudsters gained access to the companys emails—possible through something as easy as sending an employee a phishing link， directing them to reset their password—they simply studied the Milan executives communication style， and faithfully copied it over weeks of faked emails， legal documents， and even conference calls.

The engineering of ordinary Chinese rarely involves such high stakes， though it can be just as thorough—and not very difficult. “I always assume all my information has already been leaked，” Jiang says， noting that anyone could have found out her daughters name， status as a student， and their relationship from one of the many online test-prep course registrations for theyd filled out in the past.

As stated in an article accompanying a 2015 report of the Internet Society of China （ISC）， an NGO with ties to the state Ministry of Information Industry， “The prerequisite to swindle is the loss of personal information.” According to the report， researchers found that 78.2 percent of internet users personal information， including name， ID number， address， and workplace， may be already compromised; 63.4 percent have also had records of their calls and online purchases leaked.

Major leaks have been reported from Chinas biggest dining and travel apps， Dianping and Ctrip， as well as web portals Sohu and Sogou. The official website of China Rail， 12306， is also suspected of suffering several breaches， some of which are denied by the authorities. According to the ISC， other at-risk organizations include portals such as NetEase and Tencent， which host over a billion email addresses combined in China; the health and social security systems of 30 provinces; and every Chinese courier company， which have stored millions of names， phone numbers， and addresses （and， as of November 2018， national ID numbers） on mobile user apps and paper receipts.

Since 2009， the sale of such personal information has been criminalized， but the law is hard to enforce. Thefts are usually only discovered if the information is used in additional wrongdoings， such as phishing or fraud， which have prosecution rates lower than 1 percent， as reported by one Guangzhou intermediate court in 2011： The cross-border nature of data crimes makes investigation harder， and targets seldom come forward. A 2016 survey by the Henan government found that only 50 percent of victims filed reports.

The law can also do nothing for personal details that internet users voluntarily “l(fā)eak” via social media. “[The swindlers] were probably able to pretend to be my classmate because she would include her location in her Weibo posts，” Liu believes， and added that a few weeks later， she was contacted by yet another scammer， posing a friend who was then traveling in Taiwan. “My friend had mentioned she was going there in a Weibo update.”

Chinas biggest social media platform， WeChat， is becoming the next hotspot for cybercrime. As of this January， the company has purged 6，000 user accounts and 2，000 group chats suspected of phishing or fraud. Many were simply cyber updates to old tricks， hacking or cloning an account to request “money for surgery” or “travel emergency” from the users network. Others， though， were using features of WeChat itself to create what Tim Hwang， a California-based cognitive security expert， calls “a trade-off between scope and depth.”

Hwang， whose work mostly deals with the manipulation of online interaction by bots， believes that the same principles can be applied to the infiltration of malicious human actors into social networks. By targeting a particular person， “you can run a lot less accounts， but one thats extremely believable—you dont actually need anything very sophisticated to fool humans.”

Ashamed at being duped， victims often refuse to discuss the situation. Several contacted by TWOC felt that the experience （and lack of support from Tencent and the authorities） was too traumatic to relive， meaning I had to look into my own experience to understand how exactly cons are worked. Its not difficult—given that my WeChat account is publicly discoverable， I get many requests from strangers. The most recent identified was a man named “Steven，” a woman named “Zitong，” and another with the handle “The Moonlight is Romantic.”

“Moonlight，” who had a rather busty profile photo taken on a beach， included the message “Hatty， my number has changed， please add my new number.” This pretend familiarity prompted a reaction—how could I have forgotten this person？—and a note from WeChats system seemed to add to her credibility， suggesting I was in Moonlights phone address book already. This， police have warned， is one of the oldest tricks in the book： Moonlight could have simply bought my number and saved it toherphone.

Steven was the only one with a WeChat Moments feed. He posts once a day， always two photos per update—tea with friends， attending a string quartet， visiting a park—but none with any faces visible. Albums of generic photos and video are sold on Taobao for as little as 8.8 RMB each for semi-legitimate purposes; according to one seller， their target customers are “social media influencers who want to drive up views.” （If Steven does turn out to be a forgotten friend with odd posting habits， I apologize.）

Recently， another contact I dont remember sent me a QR code that promised to reveal which of my followers was a bot. Those whove opened it report that its essentially a phishing link： The code redirects to the account of a “bot-checker” who， once added， will ask for approval to log-in to your account on a WeChat desktop app to “run tests.” Since a persons WeChat account is often linked these days to their QQ Messenger， taxi-hailing， food-ordering， financial planning and a host of other service accounts， once login information is compromised， the problems add up.

An epidemic of scams reported in late 2018 took advantage of the ubiquity of delivery services， as scammers contacted WeChat victims by claiming to be “couriers” offering compensation for lost packages; a QR code directs users to a mock login page for payment platform Alipay， requesting a PIN. Because WeChats browser doesnt display URLs， phishing sites are harder to detect （and can be hidden further in other WeChat features like QR codes， “red envelope” cash transfers， group-buying invitations， and mini apps）.