Inside the Global Hacker Service Economy

Gozi, MPACK, 76Service, iFrames - these are the new face of malware and identity theft. CSO follows a researcher behind the curtain of modern electronic crime.

By Scott Berinato

The process of fully deconstructing Gozi took Jackson three days. On the third day, as he pored over the source code, Jackson noticed that the sample on his lab computer was communicating with an IP address that he thought was owned by the Russian Business Network. RBN is a notorious service provider out of St. Petersburg, Russia, which Jackson and others describe as an ISP with a reputation for accommodating spam and malware outfits. Normally, Jackson thought, bots would be stealthier about communicating with RBN. Maybe this was a mistake. Curious, he decided to poke his head in and look around on the RBN server that Gozi was talking to.

And what he found stunned him. As he sailed off through the servers, in and out of files and almost over a database, to where Gozi's home base was, Jackson found a full-fledged e-commerce operation. It was slick and accessible, with comprehensive product offerings and a strong customer focus. Neither Jackson nor anyone else, really, had ever seen anything like it. So business-like. So fully conceived. So professional.

It was early February by the time he found a 3.3 GB file containing more than 10,000 online credentials taken from 5,200 machines, a stash he estimated could fetch $2 million on the black market. He called the FBI as he prepared to go undercover to learn more. If he had known at the time what pesdato, that Padonki slang word, meant, he might have uttered it under his breath when he realized what he had stumbled on to.

Jackson had stumbled on to the next phase of Internet crime. Gozi was significant not because the Gozi Trojan was innovative or hard to detect. It wasn't. It was in many ways no different from its four-year-old ancestor Berbew. No, Gozi was significant, Jackson thought, because it wasn't really a product at all. It was a service.

The Golden Age
Gozi represents the shift taking place in Internet crime, from software-based attacks to a service-based economy. Electronic crime has evolved, from an episodic problem, like bank robberies carried out by small gangs, to a chronic one, like drug trafficking run by syndicates.

Already, every month, Lance James' company Secure Science discovers 3 million compromised login credentials, for banks, for online email accounts, for anything requiring a username and password on the Internet, and intercepts 250,000 stolen credit cards. In an average week, Secure Science monitors 30 to 40 GB of freshly stolen data, "and that's just our company," says James.

Given that, you'd think you'd have heard more about Gozi, or about this chronic condition in general. But you haven't. Beyond the research community, Gozi and the other Trojans stealing all this data have been largely ignored. A half-dozen CSOs and CISOs contacted for this story, including some representing banks and online merchants, had either never heard of Gozi or vaguely recalled the name and not much else. And why would they? Gozi made it through a news cycle and was reported without context, with a tally of the known damage, like a traffic accident. And yet Gozi wasn't that at all. It was an idea, a business model.

Even after it fell out of the news, and despite the fact that Don Jackson and the FBI believed they knew how it worked, and who was running it, the Gozi Trojan continued to adapt to defenses, infect machines and grab personal information.

“Do you have a credit card? They’ve got it,” states another researcher who used to write malware for a hacking group and who now works intelligence on the Internet underground and could only speak anonymously to protect his cover. “I’m not exaggerating. Your numbers will be compromised four or five times, even if they’re not used yet.”

“I take for granted everything I do on the Internet is public and everything in my wallet is owned,” adds Chris Hoff, the security strategist at Crossbeam and former CISO of Westcorp, a $25 billion financial services company. “But what do I do? Do I pay for everything in cash like my dad? I defy you to do that. I was at a hotel recently and I couldn’t get a bottle of water without swiping my credit card. And I was thirsty! What was I gonna do?”

That’s the thing about this wave of Internet crime. Everyone has apparently decided that it’s an unavoidable cost of doing business online, a risk they’re willing to take, and that whatever’s being lost to crime online is acceptable loss. Banks, merchants, consumers, they’re thirsty! What are they gonna do?

The cops lack resources and jurisdiction. And in some cases, security companies are literally shifting their strategies away from trying to secure machines connected to the Internet; they’re giving up because they don’t believe it can be done.

It's a conspiracy of apathy. For the criminals, this is great news. They stand blinking into the dawn of a golden age of criminal enterprise. Like the Barbary pirates in the 18th century, and like the Colombian drug cartels in the 1970s, malicious hackers will run amok, unfettered, unafraid and perhaps even protected. Only they won't use muskets or mules. They'll use malicious code to run syndicates that will be both less violent and more scalable than those of the past.

Now is the criminal hacker’s time. In Archangelsk, Russia, it is the HangUp Team’s time.
