Hello everybody, I'm Joe Yizu and I come from China. Today my sharing topic is phishing and online scams in China. I have been working for Trend Micro since 2005. At the company I focus on web threats, and my role is the architect of the Scribble NSS engine, which protects products from exploit attacks. Since last year, I also began researching phishing in China and trying to figure out the difference between Chinese phishing and global phishing.

If you are also interested in phishing, you must know PhishTank. PhishTank has a popular report showing only 3% of phishing sites happening in China. So is it true? Okay, let's hold this question. Let's discuss another question first. What do phishing sites need to be successful? I think it is a user base, or population. Five years ago, we never heard about any phishing sites targeting Facebook. But today, Facebook is one of the most favorite brands of phishers. In China, we have the biggest population, almost 1.3 billion. We have half a billion netizens. We have a company named QQ, just in case you are not familiar: it is an IM and social networking company which has 600 million users, which is almost the same size as Facebook. Taobao, which is similar to eBay, has 400 users. So many users in China. So do you still believe only 3% of phishing sites are happening in China?

Actually, we have some data from the Trend Micro web threat protection system. We found over 100 phishing sites targeting QQ per day in our system. In contrast, PayPal reported fewer than 100 phishing sites targeting PayPal. So we can conclude that Chinese phishing is more popular than we can imagine. In this sharing, I will answer what is the trickiest part of Chinese phishing.

Next, we will introduce this hot event. Did anybody hear? There was a massive phishing attack which targeted the Bank of China this February.
Some customers of Bank of China lost over $150,000 after they logged in to this phishing site. In February, 500 phishing sites were found which targeted BOC. How did this happen? The criminal group will first send an SMS message to the customer: you need to update the e-token, and give some links. If the user opens a link, they see these snapshots. These snapshots are totally copied from the Bank of China, except this. The link behind this image will let the user go to the login page. At the login page, they need to input user name and password and the key from the e-token.

What is the e-token? Actually, the e-token is like this. This is an e-token. It is a device. Bank of China gave this device to its customers, and this e-token will generate a key from random seeds. It uses the RSA algorithm, and Bank of China uses this key to identify the user physically. However, the algorithm is okay, but the verification procedure has some problem. The key on the e-token will expire after 30 seconds. So once the hacker gets the information from the web page, they will automatically post that information to the real Bank of China and transfer immediately. So this story also tells us two-step verification never works, even if we use the mobile phone to replace the e-token and receive some key from the bank, because the bank never knows whether the person behind the screen is a phisher, a real customer, or a dog.

Ironically, there was also a targeted attack event which targeted the RSA company. Some hackers sent an e-mail to the RSA company and tried to steal the design of the e-token. I think if they read the news from China, they would just host the e-token site, because this makes money more easily.

After having given this introduction, I would like to explain Chinese phishing in three categories. The first is the traditional phishing site, just like the previous example, Bank of China, or a more popular example, Taobao. I will share the Taobao example toward the end of the sharing.
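The Bank of China e-token story above turns on one detail: the bank's check accepts any code that is valid in the current 30-second window, so a code captured on a phishing page and relayed a few seconds later passes. The following editorial example (added here, not part of the talk and not Bank of China's or RSA's code) simulates that relay against a plain RFC 6238 time-based code, then against a code bound to the transaction's amount and payee, a mitigation the talk does not discuss. The secret, the 30-second step, the 1-step skew tolerance, and the sample amounts and account names are all constructed for the demonstration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the e-token in the talk rotates its key every 30 seconds
SECRET = b"constructed-demo-seed-not-a-real-token"  # constructed; a real token has a provisioned seed


def _truncate(digest: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation: pick 4 bytes at an offset taken from the last nibble."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, code: str, at: float, step: int = STEP_SECONDS, skew: int = 1) -> bool:
    """Plain check as in the story: any code from the current step (+/- skew steps)
    is accepted, no matter which transaction it is being used to authorise."""
    now = int(at // step)
    return any(hmac.compare_digest(hotp(secret, now + d), code) for d in range(-skew, skew + 1))


def _tx_code_for_counter(secret: bytes, counter: int, amount_cents: int, dest_account: str) -> str:
    """Transaction-bound code: payee and amount are mixed into the MAC input,
    so the code only verifies for that exact transfer."""
    msg = struct.pack(">Q", counter) + f"{amount_cents}|{dest_account}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def transaction_code(secret: bytes, at: float, amount_cents: int, dest_account: str,
                     step: int = STEP_SECONDS) -> str:
    """What the customer's device would display after they key in amount and payee."""
    return _tx_code_for_counter(secret, int(at // step), amount_cents, dest_account)


def verify_transaction_code(secret: bytes, code: str, at: float, amount_cents: int,
                            dest_account: str, step: int = STEP_SECONDS, skew: int = 1) -> bool:
    """Bank-side check that recomputes the code over the transfer it is about to execute."""
    now = int(at // step)
    return any(hmac.compare_digest(_tx_code_for_counter(secret, now + d, amount_cents, dest_account), code)
               for d in range(-skew, skew + 1))


def relay_plain_totp(capture_time: float = 1_000_000.0, relay_delay: float = 5.0) -> bool:
    """Victim types the current e-token code into the phishing page at capture_time;
    the phisher posts it to the real bank relay_delay seconds later. Returns True
    if the bank accepts it, i.e. the relay works."""
    stolen = totp(SECRET, capture_time)
    return verify_totp(SECRET, stolen, capture_time + relay_delay)


def relay_transaction_bound(capture_time: float = 1_000_000.0, relay_delay: float = 5.0) -> bool:
    """Same relay timing, but the victim's device computed a code for the transfer the
    victim actually confirmed (constructed: 100.00 to their own payee); the phisher tries
    to spend it on a different transfer. Returns True only if the bank wrongly accepts it."""
    stolen = transaction_code(SECRET, capture_time, 10_000, "victim-intended-payee")
    return verify_transaction_code(SECRET, stolen, capture_time + relay_delay,
                                   15_000_000, "attacker-account")


if __name__ == "__main__":
    print("plain TOTP relay accepted:", relay_plain_totp())          # True
    print("transaction-bound relay accepted:", relay_transaction_bound())  # False
```

The first simulation shows why "the key expires after 30 seconds" is not a defence on its own: the phisher only needs a few seconds. The second shows the property the speaker is really asking for, that the bank can tell which transfer the customer approved. It still has the limit the talk points out: if the phishing page talks the customer into keying the attacker's amount and payee into their own device, the bank again cannot tell who is behind the screen, so transaction binding has to be paired with showing the customer what they are signing.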
Another category is the fraudulent site. Most fraudulent sites don't have any target brand. They usually happen to be ticket phishing. They lure the user in by promising some cheap tickets. And the last category is the scam site. There are a lot of scams, for example the lottery scam or the stock scam.

What is the lottery scam? A typical lottery scam flow will be like this. You will receive a message: you are so lucky, you already won a prize. If you follow the link and open the page, the page will pretend to be an official website and convince you to click next and continue browsing. Eventually, at the last page, they will ask you to pay the income tax or notary fee before you receive the prize. If you pay it, you will never receive the prize.

Most lottery scams leverage some famous brands, for example QQ, some online game like World of Warcraft, or CCTV. CCTV is the most watched national TV station in China. This guy in the picture is a famous TV show host. His show is a quiz game, and people in this show receive the prize by answering some questions. So the phishers are leveraging his popularity and letting the users believe they can get the prize from this website. So the lottery scam is quite simple, but the ROI is quite high.

Most lottery scam messages, the phishing messages, are delivered by Chinese IM services, for example QQ or Aliwangwang. The latter is the Taobao IM service, which also delivers a lot of traditional phishing sites which target Taobao. However, QQ and Taobao already do a lot of work to detect those phishing messages. How do Chinese hackers handle this problem? Actually, Chinese hackers will compromise some websites and inject an iframe, using this iframe to simulate a pop-up window from the IM message. So this is quite similar, right? So in China, phishing gets the money easily. So Chinese hackers prefer to deliver phishing messages, not malicious PE files, now.
Another kind of scam is about stocks and securities. If you search for some securities companies on the search engine, you will find a lot of fake securities companies. They will promise you can get 100% profit in one month if you join as their member. But typically, it's a lie. Most scams are easy to identify, if you are the person who believes there is no such thing as a free lunch. But the fraudulent sites are harder to identify. Some hackers will buy some keywords, for example "train ticket from Shanghai to Beijing", and you may get this phishing site. Both sites share the same template; just the domain name is different. And in China, for example during the Chinese New Year, almost 250 million people need to go home. The ticket is quite hard to get. So ticket phishing is most popular at this time. A lot of ticket phishing sites will appear.

The last section I will share is Taobao phishing. Taobao is similar to eBay. There was $60 billion of trade happening in 2010. The Alipay account is similar to PayPal, and supports most Chinese banks. Those are Chinese bank logos. How do these phishers get the money from the victim? Let's review our video. At the top, if you want to buy something, you may discuss with the vendor. The vendor will give you some details, for example color, price, discount, or something like that. So some fake vendors will send those fake messages to the victim. This is an order page. If you click "order now", we go to the charge page. You need to put in your password. Okay, this is a charge page. You will go to the charge page for the mobile phone number. Okay, go to the charge page. This is the password for Alipay, similar to PayPal. If you click "confirm" now, your money in Alipay will be lost immediately. But this is not finished yet. The hackers want to get more money, so they will show a "failed to pay" message. So you may choose some bank below.
Okay, we choose ICBC, the biggest bank in China. This is the charge page of ICBC. Actually, this is a fake ICBC. It is totally copied from ICBC. Let's see another bank, China Construction Bank. This is China Construction Bank. Okay, continue. A little slow. This charge page is totally copied from China Construction Bank. So this website is quite professional, right? Do you think it is difficult to build this phishing site? My answer is no. You can buy the source code from the search results. If you search for phishing source code on Google, you will find the price is quite low, less than the price you paid for this event, DEF CON. Only $150. Most phishing sites are copied from templates.

Actually, I have a copy of a Taobao phishing site. This is the root folder, and different folders mean different banks, for different charge pages. This is China Construction Bank. Okay, some logos for the credit card. How could I get this source code? Actually, we successfully compromised this website. We got the admin's password for the management system. Let's log in. Different admins mean different banks. This is a phishing site. This is a credit card number and user name, and we will see the CVV number in the end. You can... so the back manager, sorry. So the management system is also professional.

That is all for today's sharing. Let me give you a summary. The most popular types in China are scam and fraudulent sites. Lottery scams target some famous brand websites. And the phishing URL is delivered by Chinese IM, black SEO, and compromised servers. That's all. Any questions?