Gozi B-Side: Amit Serper & Sam Curry

Nate Nelson speaks with Amit Serper & Sam Curry, notable veterans in Cyber Security, about Malware-As-A-Service, bullet-proof hosting, avoiding the lure of the 'dark side' and more.

Hosted By

Nate Nelson

Senior Producer

Host of 'The Industrial Security Podcast', and 'Pivoting to Blockchain' podcast. Producer of 'The Adventurous Teacher' podcast. Contributor to 'Curious Minds', 'Waterline' and 'Making History' podcasts.

Special Guest

Amit Serper

Head of security research, Nocturnus group at Cybereason

Security researcher. Served for 9 years in the Israeli Army and Government, received two commendations and several certificates of excellence. Now working in an awesome startup - loves solving problems with good and talented people and innovating in the security research field.

Sam Curry

Chief Security Officer at Cybereason

Sam Curry, Chief Security Officer, is an IT security visionary with over 20 years of IT security industry experience. Sam served as Chief Technology and Security Officer at Arbor Networks, where he was responsible for the development and implementation of Arbor’s technology, security and innovation roadmap. Previously, he spent more than seven years at RSA (the Security Division of EMC) in a variety of senior management positions, including Chief Strategy Officer and Chief Technologist and Senior Vice President of Product Management and Product Marketing. Sam has also held senior roles at Microstrategy, Computer Associates, and McAfee.

Episode Transcript:

Transcription edited by Antariksh Jagdishprasad Bargale

[Nate] Hello and welcome to Malicious Life.
My name is Nate Nelson. I’m senior producer on our show. I’d like to introduce you guys to a new segment of our podcast that we’re calling B-Sides. Many of you have been asking for more security context to the stories we hear on Malicious Life. So each B-Sides episode will bring you an expert or a number of experts to talk in more technical detail and provide some modern context to the stories that you’re hearing.
Think of it as a sort of behind the lyrics of our podcast. This week, I talked to experts about Gozi, the malware that ushered in crimeware as a service developed by a Russian teenager in 2006. With me were Amit Serper and Sam Curry.

[Sam] My name is Sam Curry. I’m the chief security officer for Cybereason.

[Amit] My name is Amit Serper. I’ve worked for the Israeli government for many years and for the past five years I’ve been working at Cybereason.

[Nate] All right, Amit. My first question is about banking malware. Today it’s highly sophisticated. It can replicate your bank’s website and replicate essentially the entire user experience. Has it always been this sophisticated? How has it changed over the years?

[Amit] So banking malware has been, again, it’s something that developed along with how sophisticated the banking system itself became. So, at the beginning, banking websites used to be fairly simple and there was nothing more complicated than any other website that requires authentication. Once the banks started picking up on tech and they changed the websites to be more secure and more sophisticated and they started to require two-factor authentication in some cases, so as the banking industry became more tech aware or more security aware, so did the attackers. They had to basically adapt and they had to make their tools more sophisticated as well. So it’s sort of like a cat and mouse game just like with anything in security.

[Nate] So Amit, the characters in our story took advantage of the American banking system. For instance, they were able to build programs that nearly identically copied popular banks’ websites and where European banks generally required two-factor authentication for wire transfers, American ones did not. This meant that when a Gozi hacker stole somebody’s personal information, there was nothing stopping them from immediately siphoning off huge amounts of money. So my question to you is, are we better protected against these kinds of gaps today? What does the threat landscape for bank hacks look like nowadays?

[Amit] So banking trojans, and I have to say, first of all, that thing you said about two-factor authentication about banks in America is something that is true and correct until this very day. I live in America. I’m in one of the largest banks in America. I’m their customer and I don’t have the ability to turn on any two-factor authentication and this is November of 2019. As for the threats themselves, I’ve seen malware samples, and I think it was back in 2010 or 2009, that was able to basically display, to mimic the bank website completely and show the user a screen that requires two-factor authentication.
So the user would get a legitimate two-factor text message with a few digits, which are the code, and then the user would put the code into the fake website and the attacker in real time would get that two-factor code and the attacker would actually log into the bank and siphon all the money out, while the user gets a fake website and still sees their own bank account as if nothing is wrong, while on the other side of the world someone is siphoning money out of there. So these are things that have been happening for years. It’s not something that’s new and it’s not something that is going to go away.

[Nate] All right, Sam. When Gozi was written over a decade ago, it introduced a new paradigm for how to make money off of cybercrime. Instead of writing a malicious program in order to carry out an attack, Gozi’s authors wrote a program that they then sold to other criminals, but they didn’t just sell it, they built out an entire online platform to service their customers. At the time, this seemed like the next revolution in cybercrime, but was it? It was a new paradigm for how to make money off of cybercrime, but was it? Is malware as a service popular these days at all?

[Sam] Malware as a service is hugely popular to the point where it’s not just done for profit. Sometimes nation-states stand them up in order to entrench themselves with the cybercrime element and frankly, hacking for hire is available everywhere. The name of the game is automation and this raises an interesting point.
I remember when Gozi came out, I was actually going between Computer Associates and RSA in the day and I remember this piece of research at the beginning of 2007. I remember digging into it because I was asking myself what might seem like an odd question at the time, which is I asked myself, why do bees die after they sting?
The reason this puzzled me was because it’s a strange thing to have evolve, the notion that an animal, its quote, defense mechanism would kill it. And the answer is not quite as obvious, but the bees have become highly specialized in many, many ways. But in fact, the hive effect is what’s important here. The survival of the bee’s DNA is what is served when it suicides, if it’s one of the species that dies after its sting. And the benefit is that the hive has a greater survival chance and therefore its DNA can continue, which is an interesting thought. And this got me thinking about hive effects, both in attack and in defense.
And I came to a few conclusions. This is true of language systems, it’s true of natural systems. The more specialized the roles are, the larger it is and the older it is generally. So in language systems, we see high degrees of specialization and drift as languages age and as they grow, as the number of speakers of it grow. The same is true in economics. If you see companies that have very specialized roles in a given industry, where I do this slice of the total value proposition and I have complex arrangements with suppliers and people up and downstream from me, you know it’s been around a while or it has a big presence. And the same is true of language systems. It has a big presence and the same had to happen on the dark side.
So yes, there was sophistication before that point, but the degree of specialization you get where you had some folks who had high risk and potentially high return, for instance, in cash out mechanisms versus those that wanted lower risk but had the brilliance to make some of the tools had to occur. And so you get an ecosystem emerging.
That’s a long way of saying that it is big and it has been around a while and specialization is an inevitability in any system like that. What it meant was the whole system was growing and getting older. And so this was a sign of coming of age of sorts. It wasn’t just Gozi either, there were others at the time. But other malware families were getting more sophisticated and were starting to see things like buying and selling code bases or coming to arrangements, you know, or seeing one particular one decide to get out of the consumer business and move on to the enterprise business or sell or do a relationship and do partnerships. This was maturing in the way you would expect to see in a normal industry. And it was kind of inevitable if the dark side was thriving.

[Nate] Amit, one of the keys to Gozi’s success was the bulletproof hosting that it rested on. So what is bulletproof hosting and what kind of advantages does it lend to cyber criminals?

[Amit] This is a service that you purchase with money. So if you want to host your website somewhere on the internet or you need access to a server or like a virtual server or you have your own server that you want to put somewhere in like a server farm to connect it to the internet, and this is something that you have to pay for. This is a service that costs money. And as we all know, most of the transactions on the internet happen with like a credit card or a bank transfer or something that can be tied back to a person, to a user, to a name, to an address. With bulletproof hosting it is a bit different because you still get all the service you need.
So if you need web hosting or if you need a physical co-location for your server or whatever, you get the exact same thing only they don’t want to know your name or you have to pay them only with bitcoin or there’s actually a place, I think it’s in the Netherlands or in Germany, it’s in one of those countries. You can go and google it. They’re called CyberBunker. It’s actually a bunch of people that acquired, like they bought an old army bunker and they turned it into like a server farm. And one of the payment methods that they accept is you need to drive up there and give them cash. There’s a small mailbox next to the gate and you put an envelope with money in there and you drive away and they don’t know who you are, they don’t know where you’re from, but they will provide you service and if something goes wrong, nothing points back to you.
So bulletproof hosting is basically the ability to be able to purchase a service on the internet, like a hosting service, but do it in a way that’s like almost completely anonymous to the point where if something goes wrong, nothing leads back to you. And obviously attackers and especially attackers that run banking campaigns, they love it because if something goes down, if they have a big operation that one of the authorities is going after, it’ll be very very very very difficult to trace it back to them.

[Nate] So Sam, in the course of our story, a pattern came up which was that Russian hackers were not ever really held to account for their actions by their government. The only Russian national to be arrested only got arrested because he traveled to the US on vacation. Is it possible, I ask you, that the Russian government benefits from turning a blind eye to cybercrime? I mean it seems advantageous to them in a way to have talented young people hacking western companies. Does this sound like conspiracy theorizing to you?

[Sam] It’s a real thing. And by the way, it’s exactly the same as their copyright rules. Copyright rules in Russia are very different from how they are in the rest of the world and this is designed to give an unfair advantage to businesses locally and as you say to create local talent pools and activity. But let’s be clear here, the more hacking happening, the more confusion in the world, the more distractions there are to prevent them being detected with their legitimate operations and the more options they have available.
If there’s a rich and vibrant ecosystem on the dark side with pockets of safety where they can store money, do transactions, they can hide in the gray areas of regional law or the outright bizarre areas of regional law, then that encourages a larger ecosystem. In effect, it’s not just helping Russia directly, it’s helping it indirectly by creating many more places to hide, many more talent pools and many more distractions as well as maturing the overall ecosystem’s technical capability.
We just spoke about hacking as a service or exploits as a service. It’s a richer pool that’s producing more that can later be used. In business, we call it optionality. In the dark side, it’s the exact same thing. There’s purpose behind this and it’s geopolitical and it’s economic and it’s also part of the national mandate. We see it, we see the same attitude in their copyright laws. We see them in many other dimensions. They seek to be a world parent to do that. They’re going to maximize the use of the cyber tool.

[Nate] Sam, my last question to you, you’ve encountered plenty of hackers in your day. One theme that we explore in our episodes is how somebody becomes a hacker rather than say a cybersecurity expert like yourself. I’m wondering, how young were you when you decided to go into cybersecurity? Did you ever flirt with the idea of using your skills for evil and if not, what do you think makes the difference between someone like yourself and someone like the characters in the Gozi story? Is it innate to who you are or the people who you grew up around or what?

[Sam] That’s a very good question. My dad’s a rebel. He always has been. He’s also a computer scientist and I think he always has been, certainly longer than I’ve been alive. He was doing computer science in the 50s and 60s. So, I always grew up knowing this, but my father used to tell me amazing stories. He told me once because he was the head of computer science at the University of Quebec and head of mathematics. He told his students, I don’t want to get him in trouble, but he told them that if they could break a system, they would get an A in a few different instances, meaning that even though we didn’t teach, say, security in the same way we do today, and there were certainly examples of secure operating systems like Multics and things way back in the 70s, he was aware that even if he was aware that understanding the shortcomings and the boundaries of a system was integral to understanding how to build the system. And so, that was always around me.
But I have to say, I didn’t think of it as doing it for good or evil with a capital, like capital G good or capital E evil. I wanted, at one point, I wanted to play a game. I wanted to play Rogue, which was an ASCII based adventure game. And I was like, I’m going to get on this system to do it. And I think I was 11 at the time. I got in trouble for it. I got in trouble for a few things, you know, things I did with my Apple IIe way back. And I had a, of course, I didn’t have a Trash 80, but I had a TI-99.
And I loved finding ways to break things and make them stand on their heads. But this was mischief. This wasn’t like evil. And every time I crossed that boundary a little bit, I was fortunate that the system around me said, you shouldn’t do that. You shouldn’t do that. Later, I wasn’t really seeking to get into security. I actually wanted to get into biotech. This was mid 90s when I came back to security. I had played with it early on with cryptography and cryptanalysis. And I called a friend of mine and said, hey, you know, your brother’s in investment on the West Coast, which was really looking heavily at biotech. Does he have anywhere that I could try to get into? And in talking to this colleague of mine, a gentleman named Phil Adfield, he said, why don’t you come work for me? And I wound up getting pulled in.
So I never had a lure of the dark side from a commercial perspective in the mid 90s. I had a chance to be part of something that was super cool, doing a good job. And I have to say, doing a good job for the public. ’98 was a similar moment for me. And I think this is where I got the bug. I encountered, we were building private key VPNs in those days, which was quite a big deal. And we did the first commercial implementation of Blowfish and things like that, which was Bruce Schneier’s symmetric algorithm.
And a customer asked us, he said, hey, could you help me telecommute? I said, what’s that? This was a government show. He said, well, I live off in the middle of nowhere. And I don’t want to come to work in a snowstorm. He said, could you help me connect from remote? And I said, sure, we’ll put a server at your site and you can connect server services. No, you don’t understand. I want to use it just my Windows system. And I thought about it and it seemed crazy. And I spoke with a gentleman named James Graham, who was brilliant as a Windows developer. I thought, why would somebody want to take Windows 95, later 98 SE and connect it to this super powered VPN? And in so doing at Signal 9, we wound up inventing the first personal firewall. A few other people make the same claim. It’s all about the same time. But that was a big moment for me. But the moment that I felt really all in was there was a website for people who had mental handicaps or challenges. And hackers were cutting their teeth, attacking them because they didn’t understand what was happening to them. So here was the web and the internet being used as tools for helping those who were unfortunate and really were trying to interact with the world in new ways. And they were the victims. And in those days, even though we don’t talk about it, there was a sort of unwritten code.
You know, this is in the days of Cult of the Dead Cow and Back Orifice and things. You didn’t attack what we would now call muggles using Harry Potter terms. Harry Potter wasn’t around then either. You didn’t use your powers for evil against them. It was okay to attack the man. It was okay to go after government. It was okay among the bad hackers. It was okay to go after other hackers. It was not okay to attack innocents. For all that there was cybercrime going on, this was particularly disgusting. And I remember in that moment, I sort of went, okay, yeah, this has to stop. And then I never was lured by the dark side as a result.
Hopefully that answers the question. But it was a big moment for me to say, no, this could turn into something that could attack many more people and do really bad things. We should try and stop that.

[Nate] And that’s it. A quick note, our next Malicious Life episode will be about cyber insurance. If you have any questions about cyber insurance, reach out to at Malicious Life on Twitter, and we might pose it to the experts on our next B-side episode to see what they have to say. I’m Nate Nelson. Thank you for listening.