I was watching an excellent presentation by Rob Ragan and Oscar Salazar when I realized that I hate free stuff. Not, of course, the free stuff that I use; I’m fine with that. It’s all the free stuff that spammers and other cyber criminals exploit that ticks me off. Let me explain what Ragan and Salazar did, and how that fits into the wider picture of spam and other abuse.
The goal of the presenters was to create a botnet of a thousand free trial accounts on cloud services, set up a virtual machine on each one, and use it for Litecoin mining. Now, all of the cloud services use some sort of Turing Test to make sure that automated systems are not setting up multiple accounts. However, 66% of these services use a very simple one: in order to prove you are human, you have to be able to click on a link in an email sent to a unique email address. Ragan and Salazar described how they used free services that let you create subdomains of certain domains and set DNS MX records for them, assigning a mail server of your choice to those subdomains. That gave them the ability to create natural-looking free email addresses in bulk and route the mail for all of them to a server they controlled. They used another free service to convert the incoming emails into HTTP calls with the email content in a JSON document, and a third free service to parse the incoming message and emulate clicking on the confirmation link. So, by stringing together three free services, they were able to fool the simple Turing Test used by the cloud services.
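To show how little work the last step in that chain is, here is an added example (not code from the talk or from Cloudmark) of the "parse the message and click the link" stage: it takes the JSON document an email-to-HTTP service might post, pulls every URL out of the HTML and plain-text parts, and picks the one confirmation link while ignoring the unsubscribe and tracking links that also appear in such mails. The webhook field names and the sample message are assumptions constructed for the example; real forwarding services each have their own schema.

```python
import json
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of what an email-to-HTTP forwarding service might POST
# after a sign-up confirmation mail arrives. The field names ("to", "text",
# "html", ...) are an assumption; real services each have their own schema.
SAMPLE_WEBHOOK_JSON = json.dumps({
    "to": "jane.doe@mail.example-dyn.net",
    "from": "no-reply@cloud.example",
    "subject": "Confirm your account",
    "text": ("Welcome! Confirm here: https://cloud.example/confirm?token=abc123\n"
             "Unsubscribe: https://tracker.example/unsub?id=9\n"),
    "html": ('<p>Welcome! <a href="https://cloud.example/confirm?token=abc123">'
             'Confirm your account</a></p>'
             '<a href="https://tracker.example/unsub?id=9">Unsubscribe</a>'),
})

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _LinkCollector(HTMLParser):
    """Collects href values from <a> tags in the HTML part of the mail."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def candidate_links(payload):
    """Every URL in the HTML anchors and the plain-text body, in order, deduplicated."""
    found = []
    if payload.get("html"):
        collector = _LinkCollector()
        collector.feed(payload["html"])
        found.extend(collector.links)
    if payload.get("text"):
        found.extend(URL_RE.findall(payload["text"]))
    unique = []
    for url in found:
        if url not in unique:
            unique.append(url)
    return unique


def extract_confirmation_link(webhook_json, expected_host):
    """Pick the confirmation link out of a forwarded mail.

    Only links on expected_host whose path or query mentions confirm/verify/
    activate/token are returned, so unsubscribe and tracking links that also
    appear in the mail are never followed. Returns None if nothing matches.
    """
    payload = json.loads(webhook_json)
    for url in candidate_links(payload):
        parsed = urlparse(url)
        if parsed.hostname != expected_host:
            continue
        if re.search(r"confirm|verif|activat|token",
                     parsed.path + "?" + parsed.query, re.I):
            return url
    return None


def click(url, timeout=10):
    """Do the GET a human clicking the link would do; returns the HTTP status.
    Not exercised on the sample below because it needs network access."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    link = extract_confirmation_link(SAMPLE_WEBHOOK_JSON, "cloud.example")
    print("would follow:", link)
```

The point of restricting the match to the sign-up service's own host is that confirmation mails routinely carry other links; a naive "follow the first URL" bot would hit the unsubscribe link first. Nothing in this stage is hard, which is exactly why an emailed link is such a weak proof of humanity once email addresses are free.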
The rest was a matter of automating the setup of the VMs in the cloud and getting them running the Litecoin mining software. They downloaded the mining program, renamed it to “bash” so that it would look like an ordinary shell in a process listing, set it running, and then deleted the executable file to cover their tracks. They needed another neat trick to reach the Litecoin network from VMs where outbound Internet access was blocked: tunneling out through what was supposed to be an inbound-only SSH connection. Altogether it was a nice piece of work. However, they found they were not the first to do this. It turned out that a couple of cloud services had already had to shut down their sign-up process to keep the crypto miners out. As they pointed out, VMs in the cloud are valuable resources, and the more valuable a free resource is, the more effort people will put into exploiting it in bulk.
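The rename-and-delete trick leaves a fingerprint that is easy to look for on Linux: once the file behind a running process is unlinked, the kernel appends “ (deleted)” to the target of /proc/&lt;pid&gt;/exe, and a process calling itself “bash” whose executable is not in a system directory is worth a second look. The following is an added example (not from the talk or from Cloudmark) of that check, the sort of thing an incident responder would run on a box suspected of hosting a miner; the sample process table is constructed, the directory lists and borrowed-name list are assumptions you would tune for your own systems.

```python
import os

# Directories from which legitimately installed system binaries run (assumed list).
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/",
                "/usr/libexec/", "/lib/", "/usr/local/bin/", "/usr/local/sbin/")
# Writable locations that a dropped binary is typically run from (assumed list).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
# Process names an intruder is likely to borrow so the miner blends in (assumed list).
BORROWED_NAMES = {"bash", "sh", "dash", "sshd", "cron", "crond", "systemd",
                  "kworker", "kthreadd", "rsyslogd", "dbus-daemon"}

DELETED_SUFFIX = " (deleted)"  # what the kernel appends to an unlinked exe link


def classify(comm, exe):
    """Reasons a process with name comm and executable link exe looks suspicious.

    comm is the kernel's process name (/proc/<pid>/comm); exe is what
    /proc/<pid>/exe links to. Returns an empty list for a clean process.
    """
    reasons = []
    if exe is None:
        return reasons  # unreadable, e.g. another user's process; nothing to say
    deleted = exe.endswith(DELETED_SUFFIX)
    path = exe[:-len(DELETED_SUFFIX)] if deleted else exe
    if deleted:
        reasons.append("executable has been deleted from disk while still running")
    if comm in BORROWED_NAMES and not path.startswith(TRUSTED_DIRS):
        reasons.append("named %r but running from %s" % (comm, path))
    if path.startswith(SUSPECT_DIRS):
        reasons.append("executable lives in a user-writable directory")
    return reasons


def scan_process_table(entries):
    """entries: iterable of (pid, comm, exe). Returns [(pid, comm, exe, reasons)]
    for every process that tripped at least one check."""
    flagged = []
    for pid, comm, exe in entries:
        reasons = classify(comm, exe)
        if reasons:
            flagged.append((pid, comm, exe, reasons))
    return flagged


def live_process_table():
    """Read (pid, comm, exe) for every process in /proc on the local host.
    Reading another user's exe link needs root; unreadable ones get exe=None."""
    table = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open("/proc/%s/comm" % name) as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited between listdir and open
        try:
            exe = os.readlink("/proc/%s/exe" % name)
        except OSError:
            exe = None  # permission denied, or a kernel thread with no exe
        table.append((int(name), comm, exe))
    return table


# Constructed sample process table; not captured from a real system.
SAMPLE_TABLE = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (812, "sshd", "/usr/sbin/sshd"),
    (1337, "bash", "/home/ubuntu/bash (deleted)"),  # the renamed, unlinked miner
    (2001, "bash", "/bin/bash"),                    # a genuine shell
]

if __name__ == "__main__":
    for pid, comm, exe, reasons in scan_process_table(SAMPLE_TABLE):
        print(pid, comm, exe, "->", "; ".join(reasons))
    # On a real host run: scan_process_table(live_process_table())
```

Two caveats. The process name is the least trustworthy of the three fields, since a program can set its own with prctl, so the exe link (and the “(deleted)” marker) carries more weight than the name. And a deleted executable is a signal, not proof: package upgrades also leave long-running daemons pointing at unlinked files until they are restarted, so a hit should be confirmed by checking what the process is doing (its open sockets, its CPU use) rather than killed on sight.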
We see this all the time at Cloudmark. Spammers will exploit free webmail accounts, free cloud storage, free image hosting, free dynamic DNS services, free URL shorteners, free social network accounts, free email to SMS gateways, free domain registrations… basically, if it’s free and does anything useful, someone will find a way to abuse it.
Thinking about it, I would gladly pay a dollar or so each to sign up for all of the free services I am currently using, if the spammers did as well. I’d like to suggest this for all the cloud services that are currently wondering how to keep the crypto miners out. Charge a one dollar fee by PayPal to sign up. Yes, it’s possible to set up fake PayPal accounts but it’s much harder than email accounts. Verified PayPal accounts sell for fifty dollars on the black market while webmail accounts sell for five cents. Let PayPal be your Turing Test. You may not get quite so many new customers, but they will all be real people with a genuine use for your service, and you will be spared the embarrassment of presentations at Black Hat showing how easy it is to exploit you.