14 DAY TRIAL // Security researchers warn that cybercriminals are increasingly abusing Amazon's Web Services (AWS) to host malware, particularly banking trojans and exploit kits.
The use of free hosting services for malicious purposes is extremely common. We previously reported about spam, phishing and malware distribution pages being hosted on Google Docs, ImageShack, SourceForge and even My Opera.
But paid services are not free of this type of abuse, not even the more expensive ones like Amazon's cloud platform.
Back at the beginning of June, security experts from Kasperky Lab found Brazilian banking trojans being distributed from the Amazon Simple Storage Service (S3).
Then, at the end of July, the company's researchers spotted variants of SpyEye being hosted on the same service. "According to our research, cybercriminals have been running SpyEye activities and from Amazon for the past couple of weeks," Kasperky's Jorge Mieres announced at the time.
Setting up AWS accounts requires real names and legit payment methods, but cybercriminals can easily overcome this hurdle by using stolen identities or AWS credentials.
"Data shows that Amazon cloud services were abused heavily this month to spread malware," Mieres said. "This trend clearly represents a critical point for online storage services and requires special treatment," he concluded.
Security researchers from antivirus vendor Trend Micro have also confirmed this trend. Last month, the company has collected 22 MB-worth of malware samples from AWS. "We have recently seen about 30-50 various subdomains and specific URLs created on AWS which appear to harbor malicious content," says Trend Micro's senior threat researcher Paul Ferguson.
Fortunately, Amazon's security team is usually quick to respond to abuse reports and even maintains a special page with information on how to report threats. In the meantime users are advised to avoid clicking on links embedded into web pages hosted on AWS (*.s3.amazon.com).