Who's Stealing Your Passwords? Global Hackers Create a New Online Crime Economy

A sophisticated new breed of online criminals is making it easier than ever for the bad guys to engage in identity theft and other cybercrime.


February: Access
What Don Jackson found when he followed Gozi back to the RBN server was called 76service.com. The home page was pretty and simple, just a stylized login box.

But how this service worked wasn’t yet clear, so Jackson went undercover. On carder forums, the online hangouts for people who run credit card rackets, he found some members who knew about Gozi and 76service. He recognized their avatars—online personas usually marked by a picture that gets posted with their comments on discussion boards—as ones that belonged to members of the HangUp Team. “It confirmed to me they were involved,” Jackson says, “but how still wasn’t clear. For all I knew, they just sold the bot to someone.”

In response to requests he posted, one of these HangUp Team members e-mailed Jackson at an anonymous safe-mail.com account. The e-mail told Jackson to log on to a specific IRC chat room with a specific name at a specific time. Jackson, using a machine configured to hide its location, did so.

The room was virtually crowded. “I get there, and there’s lots of conversation. Lots of Russian that’s flying by me,” Jackson says. Everyone spoke freely. Jackson did not sense any fear of law enforcement, or curious researchers, snooping. In fact, Jackson thinks that a kind of show bidding was taking place. The channel moderator was offering preview accounts to 76service so that users could tour the site. The hope was they’d come back saying Pesdato! and offer a good price for access.

Jackson asked if he could take a test run, too. If he seemed nervous and unpracticed about doing business here, it was because he was. “The moderator says, ‘You don’t speak Russian. Where are you from?’ I say, ’The UK.’ He says, ‘Only people we know get test runs.’” A few others derided Jackson for his ignorance and, in so many words, told him to go away. And that was that.

Plan B: Jackson called on a friend who followed the HangUp Team closely, almost the way a CIA analyst builds up expertise. He figured this friend might know how to get access. It was a stab in the dark, but remarkably it worked. The colleague knew all about 76service, which he said had been online for several months, and he lent Jackson login credentials to 76service.com.

The 76service Business Model
When Jackson logged in, the genius of 76service became immediately clear. 76service customers weren’t paying for already-stolen credentials. Instead, 76service sold subscriptions, or “projects,” to Gozi-infected machines. Usually, projects were sold in 30-day increments because that’s a billing cycle: enough time to guarantee that the person who owns the machine with Gozi on it will have logged in to manage their finances, entering data into forms that could be grabbed.

Subscribers could log in with their assigned user name and password any time during the 30-day project. They’d be met with a screen that told them which of their bots was currently active, and a side bar of management options. For example, they could pull down the latest drops—data deposits that the Gozi-infected machines they subscribed to sent to the servers, like the 3.3 GB one Jackson had found.

A project was like an investment portfolio. Individual Gozi-infected machines were like stocks and subscribers bought a group of them, betting they could gain enough personal information from their portfolio of infected machines to make a profit, mostly by turning around and selling credentials on the black market. (In some cases, subscribers would use a few of the credentials themselves).

Some machines, like some stocks, would underperform and provide little private information. But others would land the subscriber a windfall of private data. The point was to subscribe to several infected machines to balance that risk, the way Wall Street fund managers invest in many stocks to offset losses in one company with gains in another.

Grabbing forms provides several advantages to both buyer and seller compared with the old model of pulling account numbers out of databases and selling them. For the seller, it’s safer. He becomes a broker, a middleman. He barely handles stolen data. For the buyer, it’s the added value of an identity compared with a single credential. For example, a credit card number alone might be worth $5, but add the three- or four-digit security code associated with that card and the value triples. Add billing address, phone number, cardholder name and so forth, which allow a buyer to create new lines of credit, and the value can reach into the hundreds of dollars.

Grab the primary and secondary authentication forms used for financial services login in addition to all that, and you’ve hit the jackpot: a real person’s full financial identity. Everything that person had entered into forms online would create an avatar that could be used in the real world to buy goods, apply for credit and passports, buy cell phones, open new bank accounts and manipulate old ones. A dossier like that would be one of the most valuable commodities available on the information black market.

That’s why the subscription prices were steep. “Prices started at $1,000 per machine per project,” says Jackson. With some tinkering and thanks to some loose database configuration, Jackson gained a view into other people’s accounts. He mostly saw subscriptions that bought access to only a handful of machines, rarely more than a dozen.

The $1K figure was for “fresh bots”—new infections that hadn’t been part of a project yet. Used bots that were coming off an expired project were available, but worth less (and thus, cost less) because of the increased likelihood that personal information gained from that machine had already been sold. Customers were urged to act quickly to get the freshest bots available.

This was another advantage for the seller. Providing the self-service interface freed up the sellers to create ancillary services. 76service was extremely customer-focused. “They were there to give you services that made it a good experience,” Jackson says. You want us to clean up the reports for you? Sure, for a small fee. You want a report on all the credentials from one bank in your drop? Hundred bucks, please. For another $150 a month, we’ll create secure remote drops for you. Alternative packaging and delivery options? We can do that. Nickel and dime. Nickel and dime.

Next: Part Two: Hacker Economics 2: The Conspiracy of Apathy details a game of cat and mouse between 76service and law enforcement, and examines why financial institutions have been slow to respond to the new threat model.
