As security companies record known and popular domains used for spreading malicious software, malicious users are constantly looking for new channels to launch their illegal campaigns. A growing trend in the wild is the distribution of malicious code through legitimate domains. A recent victim of this kind of activity is none other than Amazon Cloud. By using Amazon’s Simple Storage Service, better known as Amazon S3, hackers are able to serve malicious links from the trusted Amazon domain. In this most recent event, the cloud servers were used to spread malicious software designed to steal financial data. Using Amazon domains, the malicious users are able to drop the various pieces of malicious code onto the victim’s computer. The code prevents four different standard anti-virus programs from running, as well as a special security application used for online banking in Brazil (GBPluggin). Additionally, the software steals financial information from nine Brazilian and two international banks, Windows Live credentials, digital certificates used by the e-Tokens in the system, and personal information regarding the victim’s system. Once stolen, the information is sent to the hacker’s Gmail account or inserted into a remote database.

This method poses additional threats to corporate networks as well as everyday users. Many security systems and services, such as content filtering, intrusion detection and firewalls, offer a “Trusted Sites” feature which helps ensure that websites and domains necessary for business functionality and productivity are never blocked due to false positives. Should a company, in this case, have added the legitimate Amazon domain to the trusted list, the corporate network would be vulnerable to attacks launched through the trusted site when that site is compromised. While the use of legitimate services for malicious purposes is in no way new, this new attack served through Amazon should remind us that no network is invulnerable and no network activity should be blindly trusted.
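One way to narrow the “Trusted Sites” exposure described above, as an added example that is not from the original post or its sources: trust specific S3 buckets instead of the whole Amazon domain. The bucket names and sample URLs are constructed, and the code assumes the common S3 virtual-hosted and path-style hostnames.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the only buckets this (hypothetical) business uses.
TRUSTED_BUCKETS = {"corp-installers", "corp-static-assets"}
S3_SUFFIX = ".amazonaws.com"


def domain_trusted(url):
    """Weak rule: trust anything served from the Amazon domain."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host.endswith(S3_SUFFIX)


def s3_bucket(url):
    """Return the bucket an S3 URL points at, or None if it is not S3.

    Covers virtual-hosted style (bucket.s3.amazonaws.com/key,
    bucket.s3.region.amazonaws.com/key) and path style
    (s3.amazonaws.com/bucket/key).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host.endswith(S3_SUFFIX):
        return None
    labels = host[: -len(S3_SUFFIX)].split(".")
    for i, label in enumerate(labels):
        if label == "s3" or label.startswith("s3-"):
            if i > 0:  # virtual-hosted: bucket is everything before "s3"
                return ".".join(labels[:i])
            # path style: bucket is the first path segment
            return parts.path.lstrip("/").split("/", 1)[0] or None
    return None  # some other amazonaws.com service, not S3


def bucket_trusted(url):
    """Stricter rule: trust only S3 URLs whose bucket is on the allowlist."""
    return s3_bucket(url) in TRUSTED_BUCKETS


# Constructed sample URLs (not taken from the incident).
SAMPLES = [
    "https://corp-installers.s3.amazonaws.com/setup.msi",
    "https://s3.amazonaws.com/unknown-bucket-example/update.exe",
    "https://unknown-bucket-example.s3.us-east-1.amazonaws.com/update.exe",
    "https://s3.amazonaws.com.example.net/corp-installers/setup.msi",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(domain_trusted(u), bucket_trusted(u), u)
```

The second and third sample URLs pass the domain-wide rule but fail the bucket rule, which is the gap a domain-level trusted-site entry leaves open.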

Sources:

http://www.crn.com/news/cloud/229900191/amazon-cloud-used-to-steal-financial-data.htm?itc=refresh

http://www.securelist.com/en/blog/208193064/Amazon_S3_exploiting_through_SpyEye

http://www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud

http://threatpost.com/en_us/blogs/researchers-find-spyeye-operations-hosted-amazons-s3-072811

http://krebsonsecurity.com/tag/spyeye/
