Cyber-Criminals Turn to Big U.S. Web Hosts to Spread Malware

Two studies, one produced by Cisco and the other by Solutionary, find that cyber-attackers increasingly use popular U.S. cloud services as a launching point for malware.

The stereotype may be that online attackers hide their operations on servers away from the mainstream Internet. But many attackers—like prudent business people—host their operations close to their targets and on well-known Web services, according to two studies published this week.

In its fourth-quarter 2013 Threat Intelligence Report released on Jan. 15, security services firm Solutionary found that the United States hosted 44 percent of all malware operations and that the top 10 malware-hosting ISPs—all large, well-known service providers—accounted for 29 percent of all malware. The data suggests that large hosting providers, such as Amazon and GoDaddy, offer benefits for not just legitimate businesses, but for the bad guys as well, Rob Kraus, Solutionary's director of research, told eWEEK.

"It is not a surprise that any particular cloud provider is hosting malware," he said. "Anything that is created with good intent can be used for malicious intent."

Examples of the strategy have already been noted by security professionals. Since May 2013, a hacking group has used Amazon's EC2 cloud to host servers from which they scraped data from hundreds of thousands of LinkedIn accounts, according to a lawsuit filed by LinkedIn and reported by Ars Technica. And in 2011, virtual servers based in Amazon's cloud were reportedly used to attack Sony and compromise the accounts of some 100 million Sony users.

Cloud providers excel at providing instant access to significant resources with just a valid credit card, allowing criminals to use a stolen account to gain access to a great deal of computing power for hours, and most likely days, before they are shut down—long enough to use the servers to spread malware.

Cisco found a similar trend in its 2014 Annual Security Report. Noting that the number of unique host addresses from which malware emanated dropped by about a third over the first nine months of the year, the Cisco study concluded that attackers were focusing on compromising a small number of more powerful Web hosts and hosting providers where they were concentrating their operations. Such compromises give attackers control over significant Internet resources, said Levi Gundert, technical leader for Cisco's Threat Research Analysis & Communications (TRAC) group.

"It's like they took a step back and saw that everything they needed to launch and scale attacks could be found at the core of the Internet with these large cloud providers," Gundert told eWEEK. "They have massive amounts of bandwidth, they have tons of hardware, and thousands of virtual Web servers."

To combat attackers' efforts, hosting and cloud providers should start initiatives that resemble the know-your-customer programs required of banks, Solutionary's Kraus said. The companies should periodically sweep domains against known malware distribution lists, check users' account information against domain-registration documents and establish limits on the automated registration of domain names.

Both reports flagged other trends as well. The exploitation of Java vulnerabilities was the most prevalent type of attack, according to Cisco. Meanwhile, Solutionary found that 58 percent of malware were HTML files and another 26 percent were portable executable files.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...