Inside the Global Hacker Service Economy

Gozi, MPACK, 76Service, iFrames - these are the new face of malware and identity theft. CSO follows a researcher behind the curtain of modern electronic crime.

Page 3 of 4

And if they did decide to open an investigation, who do they go after? That’s the distributed risk element. Groups like the HangUp Team, and 76 himself, deal in access to credentials. 76, for example, barely handles stolen data. He also contracts out the distribution of his malware. And he sells to people who themselves don’t commit fraud with the credentials but usually turn around and sell them to still others who actually commit the final fraud by turning stolen information into money and goods.

That’s several links in a supply chain all sharing the risk. (It’s instructive to note that, according to several researchers, one of the biggest frustrations for groups like HangUp Team recently has been “newbies” to the credentials market who buy a credit card and immediately rack up tens of thousands of dollars in luxury goods on that card—essentially concentrating the pain and raising a red flag that can threaten to put the good guys on the scent. It’s reminiscent of the movie Goodfellas, when, after the Lufthansa heist, Robert DeNiro’s character nervously castigates his crew for bringing attention to themselves by showing up at a Christmas party with new cars and furs.)

The Internet criminals’ model perfectly mirrors the drug cartel model, which relies on a stratified market that spreads the risk out to pushers, distributors, mules, manufacturers, and all the money flows up, to the cartel. Disrupting the middle men—and that’s what HangUp Team is becoming—doesn’t solve the problem. Other middle men will simply arise to fill the void, much the way Smash started the IAACA to fill the void left by ShadowCrew when it was taken down.

“Information is currency, that’s the radical change,” says Chris Rouland, CTO and IBM Distinguished Engineer with IBM’s Internet Security Systems group. “These guys don’t need to steal from anyone. They’ve moved themselves way up the value chain.”

Next: How hackers use iFrames to distribute malware.

April: The iFrame Problem

In early April, the Spring Edition 76service server in Hong Kong was taken down. Filters added the new Gozi variant to their lists of detected malware. On the run again, 76 and Exoric would fold up their tent and modify Gozi to be undetectable again while they found a new place to set up shop. And when they did, the steps would start again, the two sides entwined in an endless, uneasy foxtrot.

Jackson continued to help where he could but much of this was out of his hands. He had since immersed himself in another facet of 76service—its distribution mechanism.

No matter how inspired the idea of a subscription to infected machines was, or how cleverly engineered the bot that infected those machines was, 76’s and Exoric’s success with 76service, surprisingly, relied on something they didn’t develop themselves, but rather contracted out: distribution, for which they used iFrames, a browser feature that allows Web sites to deliver content from a remote Web site within a frame on a page. Think of stock quotes originating from one site streamed into a small box on another site. (For more about iFrames, see Death by iFrame.) 76 and Exoric used iFrames to infect computers – but in April they had contracted this part of the work out to another service,

Jackson found a partial list of sites hosting the iFrames used exclusively for Gozi. Jackson sampled 5,848 pages, only a portion of the infected pages on his partial list (meaning 76 and Exoric probably paid tens of thousands of dollars for iFrame infections). Some of the iFramed sites on his list were offline. Some had been cleaned up. But 2,079 of them, more than a third of the sample, still had the code online, ready to deliver new, undetectable versions of Gozi as soon as they were ready. A month later, when Jackson took attendance again, 98 percent of the 2,079 were still hosting the iFrame.

Even if Gozi was gone for good, the iFramers would be happy to resell access to these iFrames to the next malware developer.
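The attendance-taking Jackson describes (re-checking a list of pages to see which still carry the injected frame) is something a site owner or incident responder can script against their own pages. The following is an added example written for this article, not code from CSO, SecureWorks or the article's subjects: a small Python audit that flags iframes which are both third-party and concealed (1x1 or zero-size, or hidden via CSS), which is the drive-by pattern, while leaving an ordinary visible partner widget alone. The sample HTML and the hostnames in it (`www.example.org`, `quotes.example.com`, `malware-host.invalid`) are constructed placeholders, not addresses from the article.

```python
"""Audit HTML for hidden third-party iframes of the kind used to distribute
malware. Added example for this article; all input below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from the article): a legitimate, visible
# third-party stock-quote widget, an injected invisible iframe pointing at a
# placeholder host standing in for a malware server, and a same-site frame.
SAMPLE_HTML = """
<html><body>
<h1>Quarterly results</h1>
<iframe src="https://quotes.example.com/widget?sym=ACME" width="300" height="120"></iframe>
<p>Welcome to our site.</p>
<iframe src="http://malware-host.invalid/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="/help/contact.html" width="400" height="300"></iframe>
</body></html>
"""

# Constructed clean page, used to show the "still hosting" count over a sample.
CLEAN_HTML = "<html><body><p>Nothing injected here.</p></body></html>"

# Inline CSS tricks that make a frame invisible or push it off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(width|height)\s*:\s*0(px)?\b|left\s*:\s*-\d{3,}px",
    re.I,
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attributes without a value arrive as None; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True if a width/height attribute is a pixel count of 2 or less."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 2


def find_suspicious_iframes(html, site_host):
    """Return one finding per iframe that is both third-party and concealed.

    site_host is the hostname the page legitimately belongs to; a relative
    src is treated as same-site. A visible frame from another host is not
    flagged on its own, because partner widgets look exactly like that.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host
        third_party = host.lower() != site_host.lower()
        reasons = []
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("1x1/zero-size frame")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden via CSS")
        if third_party and reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


def still_hosting(pages, site_host):
    """Count how many sampled pages still carry a suspicious iframe, i.e. the
    number Jackson re-took a month later against his partial list."""
    return sum(1 for page in pages if find_suspicious_iframes(page, site_host))


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "www.example.org"):
        print(f"{finding['host']}: {', '.join(finding['reasons'])} -> {finding['src']}")
    print("pages still hosting:", still_hosting([SAMPLE_HTML, CLEAN_HTML], "www.example.org"))
```

Run over saved copies of your own pages (one string per page) with the site's real hostname as `site_host`; anything flagged should be diffed against the page as deployed from source control, since an iframe nobody added on purpose is the cleanup signal the article's "still hosting" numbers are about.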

Transferred Risk

As much as the HangUp Team has relied on distributed pain for its success, financial institutions have relied on transferred risk to keep the Internet crime problem from becoming a consumer cause and damaging their businesses. So far, it has been cheaper to follow regulations enough to pass audits and then pay for the fraud rather than implement more serious security. “If you look at the volume of loss versus revenue, it’s not horribly bad yet,” says Chris Hoff, with a nod to the criminal hacker’s strategy of distributed pain. “The banks say, ‘Regulations say I need to do these seven things, so I do them and let’s hope the technology to defend against this catches up.’”

“John,” the security executive at the bank, one of the only security professionals from financial services who agreed to speak for this story, says, “If you audited a financial institution, you wouldn’t find many out of compliance. From a legal perspective, banks can spin that around and say there’s nothing else we could do.”

The banks know how much data Lance James at Secure Science is monitoring; some of them are his clients. The researcher with expertise on the HangUp Team calls consumers’ ability to transfer funds online “the dumbest thing I’ve ever seen. You can’t walk into the branch of a bank with a mask on and no ID and make a transfer. So why is it okay online?”

And yet banks push online banking to customers with one hand while the other hand pushes problems like Gozi away, into acceptable loss budgets and insurance—transferred risk.

As long as consumers don’t raise a fuss, and thus far they haven’t in any meaningful way, the banks have little to fear from their strategies.

But perhaps the only reason consumers don’t raise a fuss is because the banks have both overstated the safety and security of online banking and downplayed negative events around it, like the existence of Gozi and 76service.

So did the banks create a false sense of security or did consumers drive them to not address it through their apathy? The banks themselves might argue that they are acting responsibly. It’s hard to tell since most decline to talk about the problem. Bill Nelson is president of the Financial Services Information Sharing and Analysis Center, or FS-ISAC, a group for bank security executives where they can safely share intelligence and other information. Membership in the FS-ISAC has increased from 68 in 2004 to 2,200 this year. “That’s not a lack of interest,” says Nelson.

Nelson was the closest person to bank security executives who would speak on the record. He bristled at the notion that banks are carelessly pushing services they can’t secure. “It’s being misinterpreted that banks don’t care about security. They spend millions of dollars on this. These are good, quality people,” Nelson says.

If anything, say Nelson and others, blaming banks is precisely backwards. If you want to point fingers look at their customers, who’ve created the demand for the product in the first place. “It’s kind of ridiculous to think you wouldn’t, as a bank, use the Internet as a transport,” notes Hoff. “If you’re not offering some form of online banking, you’re going to wither away and go out of business.”

Eric Johnson, an economist at Dartmouth who recently published a study on malware on peer-to-peer networks says, “Customers are the banks’ worst enemies here. Customers are exposing lots of material that creates an environment for identity theft.”

Indeed, many malware problems are intimately connected to insecure PCs and finicky consumers who, even if they say otherwise, value convenience over security. As one CISO at a bank put it—anonymously, of course, “Users are pretty dumb.”

Next: MPACK and the Next Wave of Malware recounts the demise of 76service and the emergence of more powerful form-grabbing technology.

MPACK and the Next Wave of Malware

May: A Poor Re-emergence

The hackers known as 76 and Exoric weren’t just the managers of 76service; they were also clients. Through his undercover work, SecureWorks researcher Don Jackson found that Exoric himself owned a project – a portfolio of trojan-infected machines – just like the ones the team sold. Only, since access was free to him, his was a much bigger project, with hundreds of bots focused exclusively on Gozi-infected machines in Mexico and Chile (.mx and .cl domains), and no 30-day expiration. For a while, Exoric also used his own storefront for the Latin and South American markets, called GucciService.

But by May the business was strained by the constant pursuit of researchers writing signatures to detect Gozi and law enforcement working with them to find and take down the 76service servers.

Early in the month, Jackson was able to say “Gozi isn’t working. No one is going to the site.” At this time, his personal site was also the victim of what he termed a poor DDoS attack that lasted 36 hours. Soon after that, when he visited, he found it abandoned, with a simple message: “I choose shadow. Please, never come back again.”

It seemed that, finally, it was over. But it wasn’t, of course. In fact, even before Jackson found the site abandoned, a new Gozi variant was already at work, and it would be learned that it had been infecting machines since at least April 14. This latest Gozi bot was better than ever. It had added keystroke logging as an alternative to form grabbing. And recognizing that researchers were their primary adversaries, the new version added features to stymie detection and reverse engineering. “Every copy of Gozi has a unique infection ID,” explains Jackson. “So when data comes into the server it can check against the ID to make sure it’s a valid infection. This new version also checked to see what your bot had sent before. Basically it could shut you off if you kept logging in without delivering good data, which is what researchers do.” The new version also logged the bot’s IP address so that it could be blocked from communicating with the server.

But there were problems. A programming glitch caused the service to create huge files of redundant information, interrupting service to customers while the duo tried to fix it. “That’s why QA testing is so important,” deadpans Jackson. They had only nabbed about 500MB of data off of 200 infected PCs when their new ISP, which Jackson says was based in Panama, took them offline again.

It was a poor re-emergence. Lurking on a discussion board with a colleague who could translate Russian, Jackson found a post by someone named 57, a hacker thought to be part of the HangUp Team. 57 wrote that 76 broke off work with Exoric because the two were spending more time on the lam than they did running the service.

The FBI had wound down on the case, according to Jackson (though in an official statement given to CSO from the press office, the FBI says it welcomes any leads on information related to Gozi and 76service, which it termed “unique”). While they continued to monitor some accounts they knew were connected to 76service, Jackson didn’t think it would progress beyond that. 76service was officially defunct. By early June, 76 and Exoric had dissolved their partnership.

But 57 also seemed to indicate that 76 was back with HangUp Team and busy rewriting the Gozi form grabber. The new architecture would allow 76 to hide the drop servers from prying eyes, making it harder to interrupt or shut services down.

Jackson predicted at the time that a new 76service would follow in kind. After all, 76service didn’t fail because of the service model. It failed because of a lack of manpower to secure and manage the service. It couldn’t scale. “I think they cobbled together Gozi and 76service to see what it could do,” says Jackson. “They realize what they need to do next. They spotted weaknesses. Torpig was the next step; it was better. Now what’s next?” With the help of the HangUp Team, a 76service-like site capable of enduring its own success will return, using some descendant of Gozi or Torpig.

Next: A Radical New Strategy for Banks?

The Radical New Strategy?

If users are, as one bank CISO said, dumb; and if banks can just write off their losses; and if the Internet is fundamentally insecure; and if vendors’ defenses can’t keep up; and if law enforcement is overmatched; what happens next?

Don Jackson thinks that the banks will simply transfer more of the risk. “The banks are worried but their answer is not to track these guys down or be more diligent about security,” says Jackson, who says he remembers talking about this with bank security types at last year’s Information Systems Security Association (ISSA) conference. “Their answer is to shift more responsibility on to their customers. They’ll lower fraud limits, the amount of stolen funds they’ll cover. They’ll make it harder for consumers to prove they were defrauded—and easier to say it was the customer’s fault. You’ll have to prove that you kept your end of the deal by patching your system and so forth. Watch the terms of use for online banking. I think you’ll see changes.”
