Threat Research

Alibaba turns Gold! Alibaba Gold Suppliers turn… Targeted

By Roland Dela Paz and Kenny Yang | November 11, 2015

Today, Alibaba Group Holding Limited broke its own sales record during the world’s biggest online shopping event, China’s Singles Day. Alibaba is the largest e-commerce company in China providing consumer-to-consumer (C2C), business-to-consumer (B2C) and business-to-business (B2B) sales services through web portals.

Alibaba’s success comes with a price, however. Over the years, it had inadvertently attracted scammers trying to defraud the platform’s users. In fact, a good portion of this happens on their B2B website where countless users have been victimized.

Perhaps one of the principal rules advised to Alibaba buyers is to only do business with Gold Suppliers. "Gold Supplier" is a premium Alibaba membership where suppliers pay around $10,000 USD annually for a Gold Supplier logo to appear in their profile (pictured right). Identities of Gold Members are verified by a reputable third party security service provider, therefore it makes foreign buyers more “comfortable” doing business with them.

Golden Rule: Do Business with Gold Supplier… or Not

We found a group of cybercriminals targeting Alibaba Gold Suppliers. Initially, the cybercriminals send a fake inquiry to a Gold Supplier via the Alibaba web portal. Below is a Gold Supplier email response from a cybercriminal’s fake inquiry:

Figure 1. Response of Gold Supplier to cybercriminal

The cybercriminal then replied with a cleverly-written response to urge the supplier to open malicious attachments:

Figure 2. Response of cybercriminal to Gold Supplier 

Instead of promised documents, these attachments contained binaries of Limitless Keylogger (detected as MSIL/Injector.DJU!tr):

Figure 3. Attached malware

Once the unsuspecting supplier opens the attachment, the malware will steal stored credentials from applications on the victim’s computer such as web browsers and email applications. It will also log keystrokes and grab screenshot, eventually sending all the stolen information back to the cybercriminals.

Equipped with stolen information, the cybercriminals can now access the Gold Supplier's email and Alibaba account to hijack ongoing transactions. They divert payments supposedly wired to the supplier's original bank account to phoney bank accounts that the cybercriminals manage. These phoney bank accounts then serves as a first stage for laundering money back to the real location of fraudsters.

Such an attack is an extremely effective way of scamming as it takes advantage of the business authenticity supposedly promised by the Alibaba Gold Supplier program.  

Conclusion - Verify

There are a number of reasons why Alibaba Gold Suppliers may appear as good targets. First, it saves fraudsters the hassle of setting up believable profiles and answering to buyer inquiries. The trust is instantly there as well for existing customers of the victim business. Furthermore, with Gold Suppliers being able to afford expensive membership fees suggests that they likely deal with bigger transactions and therefore yields more income to cybercriminals.

Altogether, both buyers and suppliers are victims in such case. Not only that it cost both parties money but it can also easily tarnish the reputation of the supplier. As such, we advise Alibaba users to be extra vigilant. Take your time when dealing - get to know the other party, ask questions, and verify email attachments. Regularly changing your Alibaba account's (and accompanying email) password will not hurt, either.

Alibaba is a great platform. It is the epitomy of how well the world is connected today through the Internet, but with its own risks. What is needed is an educated use of the platform and a healthy dose of paranoia. After all, what is gold is your own security! 

-= FortiGuard Lion Team =-