Can cloud services become credit-card botnets?

Cloud Security Alert By Tim Greene, Network World
June 02, 2009 10:27 AM ET

Clarifying issues surrounding this emerging security architecture

Attackers have used public cloud computing infrastructure to lay the groundwork for attacks, a security researcher has found through consulting work with his business customers.

Port scans of corporate networks have been traced to IP spaces owned by cloud service providers, and such scans are typically precursors to attacks, says Nitesh Dhanjani, a senior consultant at Ernst & Young. He would not say which providers were involved.

Attackers trolling for vulnerable networks can buy cloud-based computing infrastructure with stolen credit cards and run their scans, he says. If the provider finds out and shuts down the activity, the attackers can buy more computing infrastructure with another stolen credit card until they get caught again, and so on.

“You shut it down and the person keeps coming back. You need external help to play that whack-a-mole game,” Dhanjani says.

Dhanjani says that is apparently what happened in the case of his clients. Companies whose intrusion detection systems discovered port-scanning against their networks and traced the source of the scans found they led to public cloud services providers.

The service providers involved responded by quickly shutting down the attacking accounts, but he recommends that they adopt some new policies to help combat this type of abuse.

  • Providers should have a hotline to field calls about suspected malicious activity. Dhanjani says his clients found it difficult to find the right person within the service providers. The only readily available number to call was the help desk for customers, not for non-customers trying to raise the alarm about scans. “It’s a bureaucratic hurdle,” he says.

  • Consider eliminating the credit card model. “You can’t see, in many cases, the difference between buying a $5 item on the Internet and the process of buying a service that supports 500 virtual machines,” he says. The problem could be reduced if customers and providers enter into a trusted-partner relationship to eliminate the anonymity of the credit card model.

Many attackers launch their attacks from botnets, he notes, but they could do so without botnets by following the credit-card model he describes.

Tim Greene is senior editor at Network World.
