Hacker Economics 2: The Conspiracy of Apathy

Second in a series. Why banks and law enforcement thus far have failed to stymie the onslaught of malware and identity theft.

PAGE 2

The new Trojan was called Torpig. Its technical architecture and its service were nearly identical to Gozi and 76service, including links to RBN servers. But Torpig was engineered to target bank forms specifically—excluding less useful (read: valuable) credentials like email logins or logins for newspaper sites. Torpig shipped with a database of financial Web sites’ URLs, and when it recognized one of these URLs in the browser’s address bar, it woke up and added a redirect command to the URL.

Jackson says that intelligence suggested that the criminals had set up real accounts at the banks on Torpig’s hit list and then captured their own legitimate transaction traffic to see what “normal” transactions looked like at each bank. This way, they could tailor each bank’s redirect command to mimic a normal transaction, so that filters wouldn’t register anomalous activity. Jackson called it “Gozi on steroids.” It has proven much more problematic to researchers, banks and law enforcement. Shutting it down has been far more difficult than taking out Gozi, too, because Torpig communicated with a network of servers. Gozi had only connected to the one RBN server.

That is, until March 21, when 76service was discovered back online, running off of a new server in Hong Kong. By March 27, Jackson had confirmed that it used a new variant of Gozi, undetected by filters. It was the “spring edition.”

Distributed Pain/Concentrated Gain
The HangUp Team’s online art gallery is populated with a disturbing mishmash of images and messages like “Fraud 4ever” and “In Fraud We Trust.” (One picture, for example, combines a picture of Hitler, a cannabis leaf and the head of Eugene Kaspersky, who owns a Russian-based anti-virus company, on a platter.) And yes, pictures of its members often include what have come to be hackneyed criminal hacker clichés, with members posing with their cash, for example.

But do not mistake this culture for incompetence. HangUp Team is one of a number of highly successful businesses that some researchers claim earn their members millions of dollars per month. “As a security professional you don’t want to say you’re impressed by them,” says “John” (not his real name), the security professional at a large bank who agreed to talk only if he could remain anonymous, because he didn’t have permission from his bank to speak. “But they’re better run and managed than many organizations. They’re properly funded, they have a clear goal, they’re performance driven, focused on a single mission. It’s like an MBA case study of success.”

There are two key tenets underscoring that success: Distributed pain with concentrated gain, and distributed risk.

The more important of these is distributed pain with concentrated gain. The massive size of the market that Internet criminals prey on allows them to spread losses across hundreds or thousands of victims. “If you take $10 off of 10,000 credit cards, you’ve made $100,000 that no one victim either recognized or felt enough to care,” says Jim Maloney, a former CSO at Amazon.com who now runs his own security consulting firm. “Then scale that up to five different banks’ credit cards.” Each bank loses roughly $20,000. “The gain is concentrated for this one hacker group but the penalty to each bank is still written off as acceptable loss.

“Then go to law enforcement. Unless they hear from many victims and can aggregate the problem as one big one, so that the resources required to chase it down are justified, they won’t, they can’t chase it down.”

And if they did decide to open an investigation, who do they go after? That’s the distributed risk element. Groups like the HangUp Team, and 76 himself, deal in access to credentials. 76, for example, barely handles stolen data. He also contracts out the distribution of his malware. And he sells to people who themselves don’t commit fraud with the credentials but usually turn around and sell them to still others who actually commit the final fraud by turning stolen information into money and goods.

That’s several links in a supply chain, all sharing the risk. (It’s instructive to note that, according to several researchers, one of the biggest frustrations for groups like HangUp Team recently has been “newbies” to the credentials market who buy a credit card and immediately rack up tens of thousands of dollars in luxury goods on that card—essentially concentrating the pain and raising a red flag that can threaten to put the good guys on the scent. It’s reminiscent of the movie Goodfellas, when, after the Lufthansa heist, Robert De Niro’s character nervously castigates his crew for bringing attention to themselves by showing up at a Christmas party with new cars and furs.)

The Internet criminals’ model perfectly mirrors the drug cartel model, which relies on a stratified market that spreads the risk out to pushers, distributors, mules, manufacturers, and all the money flows up, to the cartel. Disrupting the middle men—and that’s what HangUp Team is becoming—doesn’t solve the problem. Other middle men will simply arise to fill the void, much the way Smash started the IAACA to fill the void left by ShadowCrew when it was taken down.

“Information is currency, that’s the radical change,” says Chris Rouland, CTO and IBM Distinguished Engineer with IBM’s Internet Security Systems group. “These guys don’t need to steal from anyone. They’ve moved themselves way up the value chain.”

Next: How hackers use iFrames to distribute malware.
