Monday 20 January 2014

Amazon, GoDaddy Popular Choices for Malware Hosting

We love the cloud because it's easier to spin up a server to host a Website or run a Web application if someone else takes care of all the hardware tasks. Well, it appears criminals love hosting providers, too, especially Amazon and GoDaddy.
Cyber-criminals are using cloud computing for many of the same reasons legitimate businesses and individuals are, Solutionary found in its Fourth Quarter 2013 Threat Report (PDF). Criminals are also hiding their malicious activities behind the reputations of major hosting providers such as Amazon, GoDaddy and Google. In fact, of the major Web hosting providers out there, Solutionary found that Amazon and GoDaddy were the most popular for hosting malware.
"Now we have to maintain our focus not only on the most dangerous parts of the Web but also on the parts we expect to be more trustworthy," said Rob Kraus, director of research in Solutionary's Security Engineering Research Team.
Why Cloud?

Shifting to the cloud makes a lot of sense, since it is quicker to develop a malicious site and bring it online, as well as cheaper to repeatedly change IP addresses and domain names to avoid detection. Criminals can use multiple providers and expand their operations substantially, rather than trying to set up physical Web servers in multiple locations. For example, the report found a single malicious domain which was spread across 20 countries, 67 providers, and 199 unique IP addresses to avoid being detected or blocked.
Malware distributors are "utilizing the technologies and services that make processes, application deployment and website creation easier," Kraus said.
Criminals also cover their tracks better and have a higher degree of success if they rely on major hosting providers. Considering that organizations frequently filter out traffic using geographic blacklists and lists of known bad IP addresses, criminals need someplace "safe" that won't automatically trigger an alert. This is where major hosting providers come in, as they allow malware distributors to set up shop within a trusted address space. Organizations which may block traffic from Ukraine are less likely to block traffic coming from Amazon and GoDaddy, for example.
Solutionary also pointed out that geographic blacklisting and blocking strategies are not effective methods to detect and block malware attacks, since 44 percent of the world's malware is hosted within the United States to begin with.
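The two points above (a single domain spread across many providers and countries, and geographic blocklists missing most hosting) suggest looking at how widely a domain's infrastructure is spread rather than where it sits. The following is an added example, not code from the article or from Solutionary's report; the passive-DNS style records, provider names, country codes and thresholds are all constructed for illustration.

```python
# Added example, not code from the article or from Solutionary's report.
# Scores domains by how widely their hosting is spread instead of by
# country or bad-IP lists. Records are constructed passive-DNS style
# observations: (domain, ip, hosting provider, country); all values made up.
from collections import defaultdict

OBSERVATIONS = [
    # a domain hopping across providers and countries (constructed)
    ("update-check.example", "198.51.100.10", "CloudProviderA", "US"),
    ("update-check.example", "198.51.100.77", "CloudProviderA", "US"),
    ("update-check.example", "203.0.113.5", "HostingCoB", "US"),
    ("update-check.example", "203.0.113.9", "HostingCoB", "DE"),
    ("update-check.example", "192.0.2.44", "RegistrarHostC", "NL"),
    ("update-check.example", "192.0.2.200", "VpsD", "UA"),
    # an ordinary site on one provider with a stable address (constructed)
    ("corp-intranet.example", "203.0.113.50", "HostingCoB", "US"),
    ("corp-intranet.example", "203.0.113.50", "HostingCoB", "US"),
]

# the kind of country blocklist the article says is ineffective (constructed)
GEO_BLOCKLIST = {"UA", "RU"}


def geo_blocked_fraction(records, domain):
    """Share of a domain's distinct addresses a country blocklist would stop."""
    addrs = {(ip, cc) for d, ip, _, cc in records if d == domain}
    if not addrs:
        return 0.0
    return sum(1 for _, cc in addrs if cc in GEO_BLOCKLIST) / len(addrs)


def hosting_diversity(records):
    """Per-domain (distinct IPs, distinct providers, distinct countries)."""
    ips, providers, countries = defaultdict(set), defaultdict(set), defaultdict(set)
    for domain, ip, provider, cc in records:
        ips[domain].add(ip)
        providers[domain].add(provider)
        countries[domain].add(cc)
    return {d: (len(ips[d]), len(providers[d]), len(countries[d])) for d in ips}


def suspicious_domains(records, min_ips=3, min_providers=2, min_countries=2):
    """Domains spread widely enough to review; thresholds are assumptions."""
    return sorted(
        d for d, (n_ip, n_prov, n_cc) in hosting_diversity(records).items()
        if n_ip >= min_ips and n_prov >= min_providers and n_cc >= min_countries
    )
```

On the constructed data the country blocklist stops only one of the hopping domain's six addresses, while the diversity check flags it and leaves the stable corporate site alone.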
Piggybacking on Trusted Brands
Hiding behind trusted domains and names is not something new, though. Spammers like using popular Webmail providers because people automatically trust a message from @outlook.com or @gmail.com more than one from @50orcdn.com, for example. Attackers also use Google Docs and Google Sites to create forms that can trick users into submitting sensitive information or downloading malware. Cloud storage providers such as Dropbox have been plagued in the past with criminals taking advantage of free services to host malware.
Because of Amazon's immense size, it makes sense that it is hosting more malicious sites than its competitors. Regardless, it's clear that attackers are increasingly treating hosting providers as "significant distribution points," Kraus said.
In Solutionary's report, the researchers found that attackers are either buying services from major hosting providers directly or compromising sites already being hosted on these platforms. The users generally don't know how to take steps to harden their applications, making them vulnerable to attack. Some providers, such as Amazon with its Elastic Compute Cloud (EC2) service, charge on the actual bandwidth being consumed. This means criminals can set up the campaign on a small scale first, and then expand as necessary.
"The more lucrative the criminal activity, the more funds will be available to pay for the increasing capacity as it is needed," Solutionary noted.
Most cloud providers—especially Amazon—have security policies in place to shut down malicious sites and accounts as soon as they are detected. However, when the provider is huge, with hundreds of thousands of servers and thousands of users firing up new applications each month, this is a challenging task. As a result, you should not just assume that traffic coming from certain sites is automatically safe, or count on the providers to police the activities. It's on you to practice safe computing by keeping your computer secure and to scrutinize each site to figure out whether or not it is legitimate.
