Inside the Global Hacker Service Economy

Gozi, MPACK, 76Service, iFrames - these are the new face of malware and identity theft. CSO follows a researcher behind the curtain of modern electronic crime.

1 2 3 4 Page 2
Page 2 of 4

In response to requests he posted, one of these HangUp Team members e-mailed Jackson at an anonymous account. The e-mail told Jackson to log on to a specific IRC chat room with a specific name at a specific time. Jackson, using a machine configured to hide its location, did so.

The room was virtually crowded. “I get there, and there’s lots of conversation. Lots of Russian that’s flying by me,” Jackson says. Everyone spoke freely. Jackson did not sense any fear of law enforcement, or curious researchers, snooping. . In fact, Jackson thinks that a kind of show bidding was taking place. The channel moderator was offering preview accounts to 76service such that the users could tour the site. The hope was they’d come back saying Pesdato! and offer a good price for access.

Jackson asked if he could take a test run, too. If he seemed nervous and unpracticed about doing business here, it was because he was. “The moderator says, ‘You don’t speak Russian. Where are you from?’ I say, ’The UK.’ He says, ‘Only people we know get test runs.’” A few others derided Jackson for his ignorance and, in so many words, told him to go away. And that was that.

Plan B: Jackson called on a friend who followed the HangUp Team closely, almost the way a CIA analyst builds up expertise. He figured this friend may know how to get access. It was a stab in the dark but remarkably it worked. One colleague knew all about 76service, which he said had been online for several months, and he lent Jackson login credentials to

The 76service Business Model

When Jackson logged in, the genius of 76service became immediately clear. 76service customers weren’t weren’t paying for already-stolen credentials. Instead, 76service sold subscriptions or “projects” to Gozi-infected machines. Usually, projects were sold in 30-day increments because that’s a billing cycle, enough time to guarantee that the person who owns the machine with Gozi on it will have logged in to manage their finances, entering data into forms that could be grabbed.

Subscribers could log in with their assigned user name and password any time during the 30-day project. They’d be met with a screen that told them which of their bots was currently active, and a side bar of management options. For example, they could pull down the latest drops—data deposits that the Gozi-infected machines they subscribed to sent to the servers, like the 3.3 GB one Jackson had found.

A project was like an investment portfolio. Individual Gozi-infected machines were like stocks and subscribers bought a group of them, betting they could gain enough personal information from their portfolio of infected machines to make a profit, mostly by turning around and selling credentials on the black market. (In some cases, subscribers would use a few of the credentials themselves).

Some machines, like some stocks, would under perform and provide little private information. But others would land the subscriber a windfall of private data. The point was to subscribe to several infected machines to balance that risk, the way Wall Street fund managers invest in many stocks to offset losses in one company with gains in another.

Grabbing forms provides several advantages to both buyer and seller compared with the old model of pulling account numbers out of databases and selling them. For the seller, it’s safer. He becomes a broker; a middle man. He barely handles stolen data. For the buyer, it’s the added value of an identity compared to a a credential. For example, a credit card number alone might be worth $5, but add the three- or four-digit security code associated with that card and the value triples. Add billing address, phone number, cardholder names and so forth which allow a buyer to create new lines of credit and the value can reach into the hundreds of dollars.

Grab the primary and secondary authentication forms used for financial services login in addition to all that, and you’ve hit the jackpot: a real person’s full financial identity. Everything that person had entered into forms online would create an avatar that could be used in the real world to buy goods, apply for credit and passports, buy cell phones, open new bank accounts and manipulate old ones. A dossier like that would be one of the most valuable commodities available on the information black market.

That’s why the subscription prices were steep. “Prices started at $1,000 per machine per project,” says Jackson. With some tinkering and thanks to some loose database configuration, Jackson gained a view into other people’s accounts. He mostly saw subscriptions that bought access to only a handful of machines, rarely more than a dozen.

The $1K figure was for “fresh bots”—new infections that hadn’t been part of a project yet. Used bots that were coming off an expired project were available, but worth less (and thus, cost less) because of the increased likelihood that personal information gained from that machine had already been sold. Customers were urged to act quickly to get the freshest bots available.

This was another advantage for the seller. Providing the self-service interface freed up the sellers to create ancillary services. 76service was extremely customer-focused. “They were there to give you services that made it a good experience,” Jackson says. You want us to clean up the reports for you? Sure, for a small fee. You want a report on all the credentials from one bank in your drop? Hundred bucks, please. For another $150 a month, we’ll create secure remote drops for you. Alternative packaging and delivery options? We can do that. Nickel and dime. Nickel and dime.

Next: The Conspiracy of Apathy details a game of cat and mouse between 76service and law enforcement, and examines why financial institutions have been slow to respond to the new threat model.

The Conspiracy of Apathy

March: Containment

SecureWorks researcher Don Jackson was focused on his technical analysis of form-grabbing software, but he continued correspondence with the source who gave him access to After several email exchanges with Jackson, the source decided that he could trust him enough to share what he knew about the people behind 76service. This is part of what he shared.

He told Jackson that the operation was run by just two people, known as 76 and Exoric. 76 was in Russia. Exoric seemed to be based out Mexico.

76 was a member of the HangUp Team who broke off to launch this service. He probably bought the Haxdoor form-grabbing code grafted onto Gozi from his old crew. He might have traded for it. He also probably had a relationship with the RBN form his HangUp Team days. The lack of manpower beyond the two of them might also explain some of the mistakes 76service made, such as the direct connection to RBN servers and the site configuration that allowed Jackson to view other people’s projects. It appears 76 recruited Exoric for his server-side knowledge, whereas 76 was coding the actual Trojan.

Jackson was sharing all of this with a field agent from the local FBI office, who sent it up to agents in DC, who in turn coordinated with Russian authorities on an investigation, according to Jackson. (The FBI has refused to comment specifically on the case). Meanwhile Jackson contacted Infraguard which in turn shared his findings with financial institutions. Jackson wrote an exhaustive technical report, one of the most detailed ever created, that covered both how Gozi worked and how the service did, too. After he published it, and his PR team spread the word, the press pounced: “Gozi Trojan leads to Russian Data Hoard.”

Gozi had been known to be in the wild for at least three months. But Jackson also believed that the “Winter Edition” of 76service was by no means the first edition. He suspected that 76service had been operating undetected for perhaps as long as 9 months.

But by mid-March, the good guys seemed to be getting ahead of it. Anti-virus and anti-spyware vendors were adding Gozi signatures to their products to detect the bot. 76service servers had been sent on the run as the FBI and ISPs detected and blocked the IP addresses that Gozi connected to, forcing 76 and Exoric to move the site around constantly. Around March 12, the loose coalition of FBI, researchers, ISPs and others finally seemed to get the 76service shut down.

This spurred a fire sale of whatever data had been left unsold at 76service. Jackson says that after March 12, some banks saw hundreds of accounts opened each day that were traced back to Gozi-grabbed data. Some of those account holders managed to make several cash transfers up to $49,000. “They’re playing with limits on fraud,” says Jackson. That is, they know the banks won’t flag 5 transfers under 50 grand, but will flag one $250,000 transfer. Jackson says many of these transfers were wired to, of all places, Belgium, though he didn’t know if anyonehad been caught picking up the cash there. Some other accounts were detected and blocked from activity before transfers were made. Jackson says the United States Secret Service was briefed. (The USSS declined to comment). Gozi and 76service finally seemed to be contained.

But it hardly mattered. By this time, another form-grabbing Trojan had been discovered: Torpig.

Next: Distributed pain for banks and consumers; concentrated gain for hackers.

The new Trojan was called Torpig. Its technical architecture and its service were nearly identical to Gozi and 76service, including links to RBN servers. But Torpig was engineered to target bank forms specifically—excluding less useful (read: valuable) credentials like email logins or logins for newspaper sites. Torping shipped with a database of financial Web sites’ URLs and when it recognized one of these URLs in the browser’s address bar, it woke up and added a redirect command to the URL.

Jackson says that intelligence suggested that the criminals had set up real accounts at the banks on Torpig’s hit list and then captured their own legitimate transaction traffic to see what “normal” transactions looked like at each bank. This way, they could tailor each banks’ redirect command to mimic a normal transaction, so that filters wouldn’t register anomalous activity. Jackson called it “Gozi on steroids.” It has proven much more problematic to researchers, banks and law enforcement. Shutting it down has been far more difficult than taking out Gozi, too, because Torpig communicated with a network of servers. Gozi had only connected to the one RBN server.

That is, until March 21, when 76service was discovered back online, running off of a new server in Hong Kong. By March 27, Jackson had confirmed that it used a new variant of Gozi, undetected by filters. It was the “spring edition.”

Distributed Pain/Concentrated Gain

The HangUp Team’s online art gallery is populated with a disturbing mishmash of images and messages like “Fraud 4ever” and “In Fraud We Trust” (One picture, for example, combines a picture of Hitler, a Cannibas leaf and the head of Eugene Kaspersky, who owns a Russian-based anti-virus company, on a platter.) And yes, pictures of its members often include what have come to be hackneyed criminal hacker clichés, with members posing with their cash, for example.

But do not mistake this culture for incompetence. HangUp Team is one a number of highly successful businesses that some researchers claim earn their members millions of dollars per month. “As a security professional you don’t want to say you’re impressed by them,” says “John” (not his real name), the security professional at a large bank who agreed to talk only if he could remain anonymous, because he didn’t have permission from his bank to speak. “But they’re better run and managed than many organizations. They’re properly funded, they have a clear goal, they’re performance driven, focused on a single mission. It’s like an MBA case study of success.”

There are two key tenets underscoring that success: Distributed pain with concentrated gain, and distributed risk.

The more important of these is distributed pain with concentrated gain. The massive size of the market that Internet criminals prey on allows them to spread losses across hundreds or thousands of victims. “If you take $10 off of 10,000 credit cards, you’ve made $100,000 that no one victim either recognized or felt enough to care,” says Jim Maloney, a former CSO at who now runs his own security consulting firm. “Then scale that up to five different banks’ credit cards.” Each bank loses rougly $20,000. “The gain is concentrated for this one hacker group but the penalty to each bank is still written off as acceptable loss.

“Then go to law enforcement. Unless they hear from many victims and can aggregate the problem as one big one, so that the resources required to chase it down are justified, they won’t, they can’t chase it down.”

1 2 3 4 Page 2
Page 2 of 4
7 hot cybersecurity trends (and 2 going cold)