Fraud 4ever
“The thing about MPACK,” says James, “this is the start of the whole thing.” By this he seems to mean that Golden Age of Internet Crime, that dawning era. “They’re starting to think like architects instead of engineers.” MPACK brings together the best iFrames, the best exploits and some state-of-the-art malware into a single package all of which is being improved constantly, and sold with a focus on customer service. In marketing parlance, it’s not a product, it’s a solution.

Business is good. Internet criminals operate with de facto immunity. The pool of vulnerable computers to exploit remains massive. The target financial institutions still treat their crime as acceptable loss. Law enforcement is otherwise occupied. And technical defenses are mere market conditions to adapt to. For example, when some clever banks came up with a way to beat keylogging by having users use “virtual keyboards” on the screen, criminal hackers just developed Briz, code that captures the pixels around the cursor, the pictures of the characters being typed. Problem solved.

The criminals innovate. Some tactics will make the hair on your neck prickle. Rumors persist of a nasty Brazilian banking Trojan that can change banking account numbers, routing numbers, balance, and payment/transfer values by injecting HTML or even whole, cloned HTTP requests into an online banking session on the fly, such that the person banking would see false information that reflected their intentions and not the actual transfer. Chris Rouland of IBM has seen similar functionality in a bot called Grams.

Prg, another form-grabbing Trojan discovered last October, makes researchers awfully nervous. New variants emerge every couple of months and managed to steal tens of GB of data before being detected. Its encryption is strong and well-designed, its ability to hide itself with anti-forensics deft.

In June, Don Jackson found a new Prg variant. It shipped with a development kit which allows anyone who buys it to adapt the code on the fly in order to evade anti-virus and anti-spyware. On the server where he found it, he also found a staging area where new variants were already developed and waiting to be released as soon as the defenses recognized and blocked the current variant. He also found a couple of drops for two different groups who had bought Prg and distributed it through both iFrames and some good old-fashioned “click-on-this-link” emails. The drops comprised 10,000 account credentials, including second factors of authentication and answers to those security check questions like your mother’s maiden name meant to layer extra security into the online banking process.

“There’s a consumer side of me that says, Be cautious but life must go on. Someone somehow will take care of this,” says Christopher Hoff. “And the security side of me wants to curl up in the fetal position and not go out.”

After Jackson discovered the Prg variant, he learned of two more Gozi variants found in the wild. The EXE inside these versions is called 76.exe, and is probably the product of 76’s reunion with the HangUp Team. It’s pesdato! It has vastly improved its server network and obfuscation techniques. It bounces traffic from country to country. It hides its drops well. In fact, Jackson’s not sure what it even connects to. He’s looking for the front end, the next 76service. He knows it’s out there. But so far he can’t find it.