Large cloud providers with deeper pockets have the resources to ferret out hijacked accounts and block attempts to set up the command and control servers, but smaller providers often lack the means to monitor systems and prevent account fraud.
Security experts tell CRN that account fraud and account hijacking at cloud hosting providers is a common headache for security professionals who trace malicious traffic back to their source. Smaller firms lack the ability to put robust Web filtering in place and, for those that make the attempt, there often is not enough personnel to closely monitor the appliances. Others fail to support two-factor authentication or put in place mechanisms to prevent brute-forcing attempts on legitimate accounts.
Yet, in most cases, all an attacker needs to do is set up an account using a stolen credit card, said Barton Pesavento, director of product management at XO Communications. At a recent cloud summit held by managed security service provider StillSecure in Boston, Pesavento told CRN that fraudulent activity on hosting provider systems is very common.
"We're talking about a lot of hosting providers with a lot of different interests and customers," Pesavento said. "Cloud in many ways has become very much like a utility managing a public water supply."
Cybercriminals often rely on hosting providers' lenient terms of service to use as a staging ground for attacks. In 2009 upstream providers cut off service to hosting provider McColo, resulting in a drop, albeit temporary, in global spam levels. But the problem also plagues larger, well-established providers that are watchful over account fraud, including Amazon Web Services and Rackspace.
Companies such as XO Communications that offer robust hosting services do monitor for malicious activity, but even they face constant problems. Antispam and antimalware vendor AppRiver, which also provides a secure business email hosting service, has had some of its customers that use its IP address space get temporarily blacklisted as a result of an account hijacking or malware infection.
Fred Touchette, a senior security analyst at AppRiver, said policing valid accounts is a demanding job, even for the most vigilant providers.
"It has happened because someone might get an infection and start blasting data out of the network," Touchette said. "A lot of these kits have the capability to scramble the code and temporarily get past filters, but that's where behavioral analysis comes into play."
NEXT: Security Technologies Address The Problem