4 X Security Team

If you needed a university certificate in China during the last couple of months, there’s a big chance that a group of ten people could have supplied with you such, going a step further and adding your details in more than ten government databases across different provinces in the country, making $300k in the process.

Shanghai Daily is reporting on this sophisticated group of local hackers who were selling “valid” educational certificates by modifying government databases. How they got caught? Apparently, by cross-checking the validity of the certificate, and since they couldn’t hack each and every database in order to add a reference to it, their business model was quickly detected and shut down.

“The suspects sold fake certificates to make money. Since authentic certificates can be checked on government Websites, they allegedly attacked databases and added false information, the report said. The scheme was discovered after someone purchased a fake doctor’s certificate to apply for a business license in Zhejiang Province in June. Zhejiang authorities found the certificate was faked even though the information on the Jiangxi Public Health Department’s Website matched it, the report said. The Jiangxi Public Health Department checked the database and found it was attacked several months and that many statistics were distorted. It reported the case to police.”

Whereas China has a very strong reputation on dealing with local cybercrime attacks in a very short time frame, it has perhaps one of the worst reputations across the globe when in comes to the big picture, with Chinese networks topping each and every chart on malicious Internet activity. Is there a double standard on fighting cybercrime in China? Depends. There’s no shortage or organizational bodies fighting cybercrime in the country, however, as in many other countries there seems to be a lack of political awareness on how severe the situation has gotten while they were trying to assess its severity, a situation which when combined with the lack of right priorities set, speaks for itself.

As far as this hacking ring is concerned, once the people behind it could add authentic entries into the database, they could have also taken a peek at others, which in the context of China’s overall bureaucratic mentality for anything related to cybercrime, could easily turn into a major espionage case — or they can easily make it look like one. Moreover, when there’s demand for a particular good or a service, there’s also supply :

“Li said demand for fake certificates was strong, according to the report. He contacted his friend surnamed Wang to attack the government databases and validate his false certificates, the report said. The investigation showed Wang attacked more than 10 government databases in Jiangxi, Hubei, Guizhou, Sichuan, Jiangsu and Liaoning provinces from March this year. Wang sold the user rights of every database to Li for 5,000 yuan to 8,000 yuan, the report said.”

From a security perspective, detecting the fake certificate seems to have worked since these provinces are either not syndicating their databases and trusting a single database as a central point which when once hacked and modified could distribute false data across the rest of the provinces, or the data was cross-checked via offline sources or historical copies of the database. If bureaucracy can help fighting cybercrime by ensuring that a clerk doesn’t trust everything he sees on his monitor, and prompts him to cross-check with different databases “just for the record”, then that’s one of those rare cases.

[Source: zdnet]