How Hackers Take Abandoned Chinese Uber Accounts for a Wild Ride
One chilly January morning, Xiang Xiaojiao woke earlier than usual and reached for her phone. She was jolted out of her daze by a flood of notifications. To the 30-year-old’s surprise, while she had been soundly sleeping in her home in Chengdu — the capital of southwestern China’s Sichuan province — she’d been charged for a series of Uber journeys she’d supposedly made almost 11,000 kilometers away in Ontario, Canada.
Overnight, someone — or some people — had used Xiang’s Uber account and gone wild at her expense. They’d made nine journeys within six hours, totaling over 175 Canadian dollars ($140) — all of which had been charged to Xiang’s credit card.
The trip receipts made for bizarre reading: At 12:30 p.m. local time in Ontario, someone took a cab driven by “Michael” from the city of Markham to North York, a neighborhood of Toronto around 10 kilometers away. Half an hour later, they hailed an Uber driven by “Gurrattan” in Mississauga, a city around 30 kilometers from North York.
That same month, 24-year-old Angelica Xu was doing some soul searching. Two years earlier, when Xu was still a college student in New York City, her classmate surnamed Wang introduced her to a mysterious yet tempting business opportunity. Now, Xu was starting to wonder what she’d gotten herself into.
Over brunch back in 2016, Wang told Xu that she knew a way to get Uber rides for up to 60 percent off, and forwarded Xu a contact called “A+ Uber Caller” on WeChat, China’s leading messaging app. “No one knows how they get the bargains,” Xu recalled Wang saying when she asked about the origins of the cut-price rides. “People say they either hacked into Uber’s system, or used a former Uber employee’s discounts.”
That night, out of curiosity, Xu ordered a cab through “A+ Uber Caller” for the first time. It couldn’t have been simpler: Xu sent the mysterious contact her pickup and drop-off locations through WeChat, and around 15 minutes later, the Uber agent replied with a screenshot of the Uber ride status, including the driver’s name, phone number with some of the digits blurred, estimated time of arrival, and the vehicle’s license plate number. Xu then sent the agent cash through WeChat’s in-app payment service.
“It was extremely cheap and easy,” said Xu, who only paid the yuan equivalent of $14 for a $35 ride that night. She’d never imagined that an Uber could be ordered like that. Xu’s friend Wang was also happy — she’d received $20 from the agent as a referral reward. Despite lavish lifestyles on their parents’ coin, cheap rides appealed to overseas Chinese students like Xu and Wang. Xu wasn’t short on cash, yet she found herself contacting the agent every now and then when she felt like a cheap ride, and even scored referral bonuses herself by recommending the service to a couple of close friends.
But while Xu enjoyed the service, she was also sometimes baffled. The screenshots her agent sent her showed that they were using China Unicom, rather than a U.S.-based mobile provider as Xu had assumed. The Uber agent seemed to order cabs for Xu under other Chinese names, sometimes “YY,” “Ding Ding,” or “Peng.” Xu was told to memorize the name on the app, just in case her Uber driver asked for it. “I felt like a phantom rider whose real name could not be exposed for unspeakable reasons,” Xu told Sixth Tone. “[I thought] there must be a catch somewhere — it was all too good to be true.”
In January, the puzzle pieces started coming together. Xu’s sister sent her an article that had been shared in a WeChat group for overseas students, warning Chinese students to stop using Uber agent services, which it said were a kind of credit card fraud. The WeChat group’s admin immediately removed people who had been promoting their Uber agent businesses.
Xu, who hails from Shenzhen in southern Guangdong province and now works as a trade support analyst, has since stopped contacting her Uber agent — but some of her friends still do. “Whenever my friends ask me to lend them some yuan on WeChat for a cab, I know they are using Uber agents,” said Xu. Even now, she still has the occasional person recommending Uber agent services to her.
Stories like Xu’s and Xiang’s keep happening. In December last year, Chengdu Economic Daily reported that a local man surnamed Zhang was charged over AUD$60 ($47) for a ride he never booked in New South Wales, Australia. Other Chinese newspapers have also reported cases of people’s Uber accounts being used for overseas rides they say they had never ordered. There have been reports of these “phantom rides” in other countries too, including in Singapore, the U.K., and Mexico. In 2015, news website Motherboard reported that active Uber accounts were being sold on the so-called dark web — encrypted areas of the internet that often harbor criminal activity. Motherboard said it had found evidence of people selling 20 “hacked” Uber accounts for $16.50, 50 for $32, or 100 for $54.
But in China, where Uber no longer operates, purveyors of phantom Uber accounts don’t need to rely on the dark web. In August 2016, Uber sold its China business to domestic rival Didi Chuxing. Like many Chinese Uber users, Xiang — the Chengdu resident who woke to find that she’d paid for trips while she slept — deleted her Uber app after the buyout. But Xiang had forgotten to disconnect her payment information from the app before deleting it, leaving her Uber account still in existence and ripe for harvesting by a business-minded hacker.
A hacker like Er Duo, a former Uber agent based in Liangshan Yi Autonomous Prefecture in southwestern Sichuan province, for instance. Er Duo — a pseudonym which translates as “ear” — told Sixth Tone that most Uber accounts utilized by agents were accounts left abandoned by China’s former Uber users. “Many [Chinese Uber users] deleted the app without unlinking their credit cards — even I did that at first,” said Er Duo. “Plus, the amount charged for each Uber ride is so small, it’s not even noticeable for some credit card holders.”
Er Duo discovered the Uber agent business by chance last summer while browsing Tieba, a Reddit-like forum owned by tech giant Baidu. “Someone posted about wanting to recruit new apprentices into the [Uber agent] business. They said it was big money,” Er Duo told Sixth Tone over WeChat messages. He found the internet flush with resources for prospective Uber agents. On Tieba, vendors even offer online hacking tutorials for prospective Uber agents at 0.08 bitcoin ($540) each. On one forum dedicated to Uber agents, Sixth Tone spotted a vendor claiming he had sold 100 tutorial subscriptions in the past 20 days.
Er Duo added himself into over 35 WeChat groups for overseas Chinese students so he could directly advertise his business to potential clients. He even opened an online store on China’s biggest e-commerce platform, Taobao, hoping to cast his net wider.
To Er Duo, the hacking part was easy. Hackers use a technique called a “dictionary attack” to get into the disused Uber accounts — one that defeats the authentication mechanism by systematically trying hundreds or even millions of potential passwords drawn from lists of likely candidates. With zero coding or hacking experience, Er Duo purchased a password-cracking tool and an online tutorial, which together cost 10,000 yuan ($1,460), and started his own business. But Er Duo was late to the game, and he ended up leaving his business behind last year. “The competition was too tough. I could only make a couple hundred yuan on a good day, while others could make hundreds of thousands of yuan within a month,” said Er Duo, adding a string of “hahas” at the end of his message.
Er Duo explained that most hackers chose Uber as their target because payments can be automatically deducted from users’ accounts without the user having to verify the payment. “Lyft is harder, but Uber is very easy,” he said, explaining that there aren’t many agents worldwide for U.S.-based ridesharing company Lyft, as the app has a stricter payment authentication system — and has never operated in China. Uber also allows multiple devices to log into the same account at the same time, making it more vulnerable to hackers. In October 2016, Uber was hacked, and the data of over 57 million riders and drivers was stolen. Instead of notifying users, Uber paid the hackers $100,000 to delete the data and keep the hack quiet. Last year, Uber’s new CEO Dara Khosrowshahi published an open apology revealing the breach, but insisted that there was “no evidence of fraud or misuse tied to the incident.”
Another Uber agent, who asked to be identified as “Big Brother Jun,” said he knew nothing about the technical side of the business. Big Brother Jun, who advertises his business in a Baidu Tieba for Uber agents worldwide, is responsible for the sales section of an Uber Agent chain. He buys hacked Uber accounts — known as “pin heads,” since the location icon on Uber looks like a pin — from dealers, and the accounts are then used to call cabs for the clients. On Tieba, Uber agents and hackers have developed their own insider slang to evade the authorities. In addition to “pin heads,” they call themselves “nurses,” because they administer “pin insertion,” or hacking, into Uber accounts. “Pin heads” are sold to Uber agents like Big Brother Jun in wholesale bundles, and agents make money by pocketing the difference after each Uber ride.
Big Brother Jun sells to Uber agent users all over the world, including those in the U.S., Canada, and Australia. “It’s easier to target the overseas Chinese, since more people use Uber there,” he told Sixth Tone, adding that some overseas Chinese students even became Uber agents themselves. “They just do it to make some pocket money — you know, most of them live an indulgent lifestyle,” said Jun, who later blocked Sixth Tone after he was asked if he was aware that he could have committed credit card theft.
The Uber agent service appears to be just the tip of the iceberg for a shady world where overseas Chinese benefit from apparent credit card fraud. New York-based Xu told Sixth Tone that her friend Wang also booked discounted Airbnb through the same Uber agent. In a WeChat group called “11.10 College of Raveology” — a group for U.S.-based Chinese students to find friends with whom to go to rave parties — a number of users with “agent” in their name advertise new services on a daily basis. There are half-price Airbnbs, concert tickets, apartment rent payments, phone bills, and even tuition fees — all of which likely take advantage of hacked accounts or credit card information, if past scam cases reported in Australia and the U.S. are anything to go by. “Give me your student account and password; I’ll pay your fees at a 30 percent discount,” a user named Tuition Agent told Sixth Tone. “You can pay me in yuan over WeChat.”
Back in Chengdu, Xiang was struggling to deal with the late-night rides under her name, never entertaining the idea that her own compatriots were likely behind the theft. She immediately froze her bank account and contacted third-party payment platform Alipay, which is linked to all of her bank accounts — including the one that was used to pay for the Uber rides. But Alipay couldn’t help. Instead, she was told to report the issue to Uber’s customer support directly and ask for a refund, since the transactions didn’t require any authentication or passwords to go through.
Xiang sent an email to Uber’s customer support, only to find that the email address was no longer monitored. She contacted Didi Chuxing, which handles Uber’s business in China, but was told that since the transaction happened in Canada, she had to contact Uber’s overseas team. Eventually, she signed up for an entirely new account on Uber’s international edition just so she could contact North America’s customer support team about a refund.
Sixth Tone contacted Uber for comment, and asked if the company was aware of the ghost rides happening in China and worldwide, if they are taking measures to prevent fraud, and if there’s any possibility that the Chinese hackers are utilizing the data leaked during Uber’s 2016 data security incident. “Due to our privacy policy, we will have to speak directly to the account holder,” Uber replied, directing Sixth Tone to the company’s help page. Wang Mingze, the regional PR manager for Didi Chuxing Shanghai, suggested users contact credit card companies — rather than the ridesharing companies — for a refund if they experience any unauthorized charges.
But Chen Shaoting, a consumer fraud lawyer in southern Guangdong province, said that Uber had the obligation to investigate any abnormal situation, take measures to prevent unauthorized charges from happening, and inform users about any unusual charges. “If a person’s Uber account was charged for multiple rides in such a short period of time in a bizarre location, why didn’t Uber warn its user or just suspend the account?” Chen said.
Zhang Zhen, spokesman of China Consumers Association, told Sixth Tone that the association had never received a complaint from domestic consumers who’d been charged for such a ghost ride, and were unable to take any action to protect consumers against activities that happened abroad.
Chen said victims were unlikely to report the crime to the police — instead, they would just try to prevent more losses and get their money back. But if they did try to take legal action, overseas students using Uber agents could be in danger, he said. If they were aware that they had been part of a scam while using the discounts, they could face charges such as possession of stolen goods in many jurisdictions, said Chen. Chen also believed that social media platforms such as WeChat, Baidu’s Tieba, and e-commerce site Taobao have a “duty of care” to block online scams. “The company is not at fault if it isn’t aware of the situation in the early stage of the fraud,” said Chen. “But if it’s still not taking any action after the fraud has been reported in the media, the company should bear civil liability for failing to prevent the crimes.”
A WeChat spokeswoman said she had never heard of the Uber agent service, and would make a statement once she had more details. Baidu Tieba’s spokeswoman said the forum had a zero tolerance policy for criminal users and posts. “[Baidu Tieba] always takes strict measures against highly suspicious content, such as banning, deleting, or manually censoring [it],” she said in a WeChat message, although both Uber agent online forums that Sixth Tone found on Baidu Tieba remained online at the time of writing. When contacted for comment, a Taobao spokeswoman asked for the links to Uber agent online stores, but did not respond to Sixth Tone’s questions.
After a series of emails, unanswered calls, and texts, Xiang eventually got her refund from Uber one afternoon, four days after the phantom rides had been charged to her account. She never called the police, but immediately warned her colleagues to disconnect their credit cards from Uber.
Xiang wasn’t surprised that there was a gray industry behind the Uber agents — as someone who works for an internet company, she’s seen plenty of similar cases discussed online. She even blogged about her experience, hoping it would help other victims get their money back. “What truly surprised me is that … the hackers and the users … it was most likely all Chinese behind it,” sighed Xiang, who initially assumed her account was stolen by Canadian hackers.
When Xu, the U.S.-based Uber agent user, told her father about what had happened, she got criticism, not sympathy. “Dad said it was always a zero-sum game,” recalled Xu. She continued, quoting her father: “You might benefit from the Uber agent this time, but next time, you could be the victim.”
Editor: Julia Hollingsworth.
(Header image: Lang Xinchen/IC)