Cybercriminals Are Picking On U.S. Cloud Hosting Providers


Both Landsman and Monnier pointed to the increasing strength of distributed denial-of-service (DDoS) attacks as a sign that cybercriminals are successfully controlling more infrastructure at cloud hosting providers. Some cloud providers monitor for abuse and shut down accounts that violate their terms of service, while others look the other way, security experts say, acting against an account only when law enforcement serves a subpoena.

DDoS activity is concentrated in the Northern Hemisphere, with Brazil and Australia showing the fewest signs of attacks. Attack traffic originating in the U.S. is six times higher than from anywhere else in the world, Monnier said. Even as companies such as Amazon Web Services and Rackspace aggressively weed out fraud and throttle accounts that show signs of problems, attackers still find a hefty return on investment, he said.

"You can move your command and control servers to Kazakhstan, but that's not a very good business decision," Monnier said. "The U.S. has redundant power, high availability and great peering; these are things all these guys are looking for."

Team Cymru's analysis of infected systems that serve botnets found that more than 90 percent are workstations and laptops. There were few mail servers and name servers, Monnier said.

Monnier described a targeted campaign against a large company in which the attackers staged a watering-hole attack on a fantasy sports league site, knowing that a large number of the company's employees visited it daily.

"They put an exploit kit on the fantasy sports league site and that site never prepared for an attacker that wanted to get its own customers," he said. "They are after business plans; they are after any type of information that can further someone's investment decisions."

PUBLISHED JUNE 11, 2013