Amazon and GoDaddy malware hosting: How cyber-crooks are taking to the cloud

We love the cloud because it's easier to spin up a server to host a website or run a web application if someone else takes care of all the hardware tasks. Well, it appears criminals love hosting providers, too, especially Amazon and GoDaddy.

Cyber-criminals are using cloud computing for many of the same reasons legitimate businesses and individuals are, Solutionary found in its Fourth Quarter 2013 Threat Report (PDF). Criminals are also hiding their malicious activities behind the reputations of major hosting providers such as Amazon, GoDaddy and Google. In fact, of the major web hosting providers out there, Solutionary found that Amazon and GoDaddy were the most popular for hosting malware.

"Now we have to maintain our focus not only on the most dangerous parts of the web but also on the parts we expect to be more trustworthy," said Rob Kraus, director of research in Solutionary's Security Engineering Research Team.

Why the cloud?

Shifting to the cloud makes a lot of sense, since it is quicker to develop a malicious site and bring it online, as well as cheaper to repeatedly change IP addresses and domain names to avoid detection. Criminals can use multiple providers and expand their operations substantially, rather than trying to set up physical web servers in multiple locations. For example, the report found a single malicious domain that was spread across 20 countries, 67 providers and 199 unique IP addresses to avoid being detected or blocked.

Malware distributors are "utilising the technologies and services that make processes, application deployment and website creation easier," Kraus said.

Criminals also cover their tracks better and have a higher degree of success if they rely on major hosting providers. Considering that organisations frequently filter out traffic using geographic blacklists and lists of known bad IP addresses, criminals need someplace "safe" that won't automatically trigger an alert. This is where major hosting providers come in, as they allow malware distributors to set up shop within a trusted address space. An organisation that blocks traffic from Ukraine, for example, is far less likely to block traffic coming from Amazon or GoDaddy.

Solutionary also pointed out that geographic blacklisting and blocking strategies are not effective methods to detect and block malware attacks, since 44 per cent of the world's malware is hosted within the United States to begin with.
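The two points above, that a single domain can be spread across many providers and countries, and that a geographic blacklist combined with trust in big hosting providers catches very little of it, can be checked against resolution data. The script below is an added example written for this article, not code from Solutionary or from the report; it works on constructed passive-DNS-style records (the domains, addresses and provider names are invented, and the diversity thresholds are assumptions a defender would tune for their own data). It builds a hosting profile per domain, flags domains whose hosting is unusually spread out regardless of which provider they sit on, and measures how much of a domain's infrastructure a country blacklist plus a trusted-provider allowlist would actually block.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolution:
    """One observed DNS resolution: which IP a domain pointed at, and
    who hosts that IP (provider / ASN owner) and where (ISO country code)."""
    domain: str
    ip: str
    provider: str
    country: str


# Constructed sample records (documentation-range IPs, invented domains); not real IoCs.
SAMPLE = [
    Resolution("evil-campaign.example", "203.0.113.10", "Amazon", "US"),
    Resolution("evil-campaign.example", "203.0.113.11", "Amazon", "US"),
    Resolution("evil-campaign.example", "198.51.100.7", "GoDaddy", "US"),
    Resolution("evil-campaign.example", "198.51.100.8", "GoDaddy", "DE"),
    Resolution("evil-campaign.example", "192.0.2.5", "Google", "SG"),
    Resolution("evil-campaign.example", "192.0.2.6", "Other-ISP", "UA"),
    Resolution("corp-blog.example", "192.0.2.40", "Amazon", "US"),
    Resolution("corp-blog.example", "192.0.2.41", "Amazon", "US"),
    Resolution("shop.example", "198.51.100.90", "GoDaddy", "US"),
]


def hosting_profile(records):
    """Per domain: how many distinct IPs, providers and countries it resolved to."""
    seen = defaultdict(lambda: {"ips": set(), "providers": set(), "countries": set()})
    for r in records:
        seen[r.domain]["ips"].add(r.ip)
        seen[r.domain]["providers"].add(r.provider)
        seen[r.domain]["countries"].add(r.country)
    return {d: {k: len(v) for k, v in p.items()} for d, p in seen.items()}


def flag_diverse_domains(records, min_ips=4, min_providers=3, min_countries=3):
    """Domains whose hosting is spread across many IPs, providers and countries.
    Thresholds are assumed values; a legitimate CDN-fronted site can also be
    diverse, so treat a hit as a lead for review rather than a verdict."""
    return sorted(
        d for d, p in hosting_profile(records).items()
        if p["ips"] >= min_ips
        and p["providers"] >= min_providers
        and p["countries"] >= min_countries
    )


def blocked_fraction(records, domain, blocked_countries, trusted_providers):
    """Share of a domain's resolutions that a policy of 'block these countries,
    but always allow these providers' would actually stop."""
    rows = [r for r in records if r.domain == domain]
    if not rows:
        return 0.0
    blocked = [
        r for r in rows
        if r.country in blocked_countries and r.provider not in trusted_providers
    ]
    return len(blocked) / len(rows)


if __name__ == "__main__":
    print(hosting_profile(SAMPLE))
    print("flagged:", flag_diverse_domains(SAMPLE))
    share = blocked_fraction(SAMPLE, "evil-campaign.example",
                             blocked_countries={"UA"},
                             trusted_providers={"Amazon", "GoDaddy"})
    print(f"geo-blacklist + provider allowlist blocks {share:.0%} of the campaign")
```

Run against the constructed data, the campaign domain is the only one flagged, and the country blacklist plus provider allowlist blocks one of its six resolutions: the bulk of the infrastructure sits in the United States on providers the policy trusts, which is the report's point. Scoring on hosting diversity per domain, rather than on where or with whom a host lives, is what lets the check work on real passive-DNS or proxy-log data.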

Piggybacking on trusted brands

Hiding behind trusted domains and names is not something new, though. Spammers like using popular webmail providers because people automatically trust a message from @outlook.com or @gmail.com more than one from @50orcdn.com, for example. Attackers also use Google Docs and Google Sites to create forms that can trick users into submitting sensitive information or downloading malware. In the past, cloud storage providers such as Dropbox have been plagued with criminals taking advantage of free services to host malware.

Because of Amazon's immense size, it makes sense that it is hosting more malicious sites than its competitors. Regardless, it's clear that attackers are increasingly treating hosting providers as "significant distribution points," Kraus said.

In Solutionary's report, the researchers found that attackers are either buying services from major hosting providers directly, or compromising sites already being hosted on these platforms. Site owners generally don't know how to harden their applications, which leaves those sites vulnerable to compromise. Some providers, such as Amazon with its Elastic Compute Cloud (EC2) service, charge for the bandwidth actually consumed. This means criminals can set up a campaign on a small scale first, and then expand as necessary.

"The more lucrative the criminal activity, the more funds will be available to pay for the increasing capacity as it is needed," Solutionary noted.

Most cloud providers – especially Amazon – have security policies in place to shut down malicious sites and accounts as soon as they are detected. However, when the provider is huge, with hundreds of thousands of servers and thousands of users firing up new applications each month, this is a challenging task. As a result, you should not just assume that traffic coming from certain sites is automatically safe, or count on the providers to police the activities. It's your responsibility to practice safe computing by keeping your computer secure, and to scrutinise each site to figure out whether or not it is legitimate.