Amazon Cloud Used To Steal Financial Data
10:32 AM EST Mon. Jun. 06, 2011
The Amazon Web Services (AWS) cloud is hosting malware used to steal financial data, security researchers have discovered.
According to Kaspersky Lab Expert Dmitry Bestuzhev, Amazon's cloud features numerous pieces of malware that can pilfer financial data. The uncovering of cloud-based malware comes as cloud security remains a key consideration for cloud computing services.
"There were some recent comments about Amazon cloud as a platform for successful attacks on Sony …," Bestuzhev wrote in a blog post highlighting the Amazon malware. "Well, today I found that Amazon Web Services (Cloud) now is being used to spread financial data stealers."
Bestuzhev said his research found that the cybercriminals behind the cloud-borne attacks are from Brazil and that they used several previously registered accounts to launch the infection. Bestuzhev wrote that he warned Amazon of the malware and waited a further 12 hours, yet the malicious links were still online and active.
The discovery of malicious code on Amazon's cloud comes as Amazon is also implicated in the recent hacks against Sony's online offerings. According to several reports, hackers used Amazon's Elastic Compute Cloud (EC2) cloud service to launch one of the several attacks on Sony's online entertainment network in April and May.
According to Bestuzhev, the Sony attacks and the recent malware are indications that more cybercriminals are using legitimate cloud services to carry out malicious attacks.
The recently discovered financial data-stealing malware takes several forms; each is dropped onto victims' machines and behaves differently, Bestuzhev wrote.
In one method, it acts as a rootkit, looking for and blocking the execution of four different antivirus products and a special security application called GBPluggin, which is used by many Brazilian banks for online banking. The malware can steal financial information from nine Brazilian and two international banks; steal Microsoft Live Messenger credentials; steal digital certificates used by eTokens on the system; and steal information about the CPU, hard drive volume number, PC name and so on, which some banks use during login for authentication.
The Amazon cloud-based malware exfiltrates the stolen data in two ways: one via email to the cybercriminal's Google Gmail account, and the other via a special PHP script that inserts the data into a remote database. Additionally, Bestuzhev said, the malicious samples are packed with legitimate anti-piracy software called The Enigma Protector, which the criminals used to make the processes harder to reverse engineer.
Bestuzhev said the discovery is a sign that criminals will continue to find ways to leverage the cloud to launch attacks and that cloud providers should up their security game.
"I believe legitimate cloud services will continue to be used by criminals for different kinds of cyber-attacks," he wrote. "Cloud providers should start thinking about better monitoring systems and expanding security teams in order to cut down on malware attacks enabled and launched from their cloud."