Cybercriminals: Smarter Than Your Average Hosting Provider?

Large cloud providers with deeper pockets have the resources to ferret out hijacked accounts and block attempts to set up the command and control servers, but smaller providers often lack the means to monitor systems and prevent account fraud.

Security experts tell CRN that account fraud and account hijacking at cloud hosting providers is a common headache for security professionals who trace malicious traffic back to their source. Smaller firms lack the ability to put robust Web filtering in place and, for those that make the attempt, there often is not enough personnel to closely monitor the appliances. Others fail to support two-factor authentication or put in place mechanisms to prevent brute-forcing attempts on legitimate accounts.

Yet, in most cases, all an attacker needs to do is set up an account using a stolen credit card, said Barton Pesavento, director of product management at XO Communications. At a recent cloud summit held by managed security service provider StillSecure in Boston, Pesavento told CRN that fraudulent activity on hosting provider systems is very common.

"We're talking about a lot of hosting providers with a lot of different interests and customers," Pesavento said. "Cloud in many ways has become very much like a utility managing a public water supply."

[Related: Cloud Hosting Providers Must Defend Against Attacks (Video) ]

Cybercriminals often rely on hosting providers' lenient terms of service to use as a staging ground for attacks. In 2009 upstream providers cut off service to hosting provider McColo, resulting in a drop, albeit temporary, in global spam levels. But the problem also plagues larger, well-established providers that are watchful over account fraud, including Amazon Web Services and Rackspace.

Companies such as XO Communications that offer robust hosting services do monitor for malicious activity, but even they face constant problems. Antispam and antimalware vendor AppRiver, which also provides a secure business email hosting service, has had some of its customers that use its IP address space get temporarily blacklisted as a result of an account hijacking or malware infection.

Fred Touchette, a senior security analyst at AppRiver, said policing valid accounts is a demanding job, even for the most vigilant providers.

"It has happened because someone might get an infection and start blasting data out of the network," Touchette said. "A lot of these kits have the capability to scramble the code and temporarily get past filters, but that's where behavioral analysis comes into play."

NEXT: Security Technologies Address The Problem

Many attacks are driven by automated toolkits in the hands of cybercriminals, Touchette said. Black Hole, an automated crimeware toolkit that drives many of the attacks targeting Java, Adobe and Microsoft Office vulnerabilities, comes with a subscription for new exploits and encryption mechanisms that shield malware from being detected. Whole spam botnets -- an army of zombie computers -- can be rented out to the highest bidder, giving cybercriminals the ability to sharpen their target to people in a specific country. Despite the rhetoric about cyberwarfare and targeted attacks from China, security experts admit that the vast majority of cybercrime is from financially motivated cybercriminal gangs.

"I think we're all fighting the same fight," Touchette said of cloud hosting providers. "I think phishing is an easy way to make steady money and it works. The first thing they do is get a foothold and start stealing cookies, passwords and browser histories."

Network filtering technologies can be deployed by hosting providers that go beyond SMTP proxies with limited capabilities, said Kevin San Diego, a product manager at Cloudmark, which provides carrier-grade content filtering to ISPs and hosting providers. Appliances from Cloudmark, Blue Coat, Websense, McAfee, Symantec and other security vendors can be configured to inspect traffic for signs of spam, malware and volume fluctuations that could signal a potential problem. Systems available to providers typically have mechanisms to alert, throttle down accounts or shut them off completely to investigate incidents without impacting other networks that aren't exhibiting malicious behavior.

"There are huge problems with fraudulent sign-ups," San Diego said. "Even after a problem is detected and is shut down, that IP address reputation sticks around for a while and IP address is blacklisted and any other subscribers will have problem sending transactional messages."

Eric Montague, president of Salt Lake City-based MSP Executech, said more than half of his firm's email is spam. The pesky messages often push imitation pharmaceuticals and pornography, but malicious attachments spread data-stealing malware, keyloggers capable of recording keystrokes, or remote access Trojans (RATs) that give cybercriminals a backdoor into an infected system. A simple, but effective phishing message with a document file attachment that contained embedded malware cost one client $15,000 to clean up in a single day, Montague said.

"People are becoming more militant about making sure the servers are locked down, but incidents are taking place with more frequency because it's not just a technology problem, there's a human factor as well," Montague said. "Spam is now more than just a time-waster."

PUBLISHED MAY 30, 2013