Amazon: Hey Spammers, Get Off My Cloud!
I am accustomed to receiving e-mail from Amazon.com, as I am a fiercely loyal customer who shops there quite frequently. But it took me by surprise this weekend to discover that mounds of porn spam and junk e-mail laced with computer viruses are actively being blasted from digital real estate leased to the e-commerce giant.
I wasn't the only one who spotted it. Websense Security Labs issued an alert about the spam attacks on Monday, but it didn't name Amazon as the source. The advisory rightly noted that it had discovered "a substantial number of spam messages utilizing a reliable social engineering trick." The junk mail claims to have been sent from Microsoft, and urges the recipient to install an attached security update.
Windows users who fall for the ruse will have their systems infected with a backdoor Trojan horse program that gives the attackers easy access with which to control the infected machine from afar or upload additional malicious software. In a dig at U.S. law enforcement, the malware authors even tweaked a portion of the Web site used to host the malicious software so that a novice investigator would trace its origins back to the official Web site of the U.S. Secret Service.
But the most interesting aspect of this attack (at least to me) was left out of the Websense advisory: All of the spam came from Amazon's Elastic Compute Cloud (EC2) servers, which are marketed to companies -- mainly small to mid-sized businesses -- that want to purchase access to any number of computer applications hosted on the Internet, from data crunching and storage to on-demand computer processing power. These so-called "cloud computing" services potentially put the strength of massive computer arrays in the hands of the average user, and the service is "pay-as-you-go," so customers only pay for the resources and services they consume.
But to spammers and scammers accustomed to paying for all kinds of Web services with stolen credit cards, Amazon's service is another place to host their junk, said Suresh Ramasubramanian, head of anti-spam operations at Outblaze, a Hong Kong-based outfit that has listed all of Amazon's EC2 Internet space on its spam blocklists (to see just a few examples of this Microsoft malware spam, check out any of these three links, and then click on the "spam evidence" button).
Anti-spam group Spamhaus also has flagged a large swath of Amazon's EC2 Internet address space on its "policy blocklist," which subscribers use to block e-mail from dynamic Internet addresses known to change frequently (most often these are home-user PCs on residential broadband networks, but the addresses used by virtual servers on the EC2 service also shift constantly).
"The [numeric Internet address] for these services can shift within minutes, so if you want to block spam sent from a dynamic address, blocking just one address is not feasible," Ramasubramanian said. "Right now, if Amazon was able to control or restrict the spam issues, as well as other security incidents on that service, there would be no problems with it."
A group of security experts on the North American Network Operators Group (NANOG) mailing list have been discussing the spamming presence on EC2 for the past few days, with most dismissing Amazon's abuse response team.
"Yeah, if you can call them that," wrote Jon Lewis, the lead system administrator for Atlantic.net, an Internet service provider in Florida. "I got the impression the only thing Amazon considers abuse is use of their servers and not paying the bill. If you're a paying customer, you can do whatever you like."
Amazon spokeswoman Kay Kinton said the company clearly advertises its abuse contact details.
"We have a clear acceptable use policy and whenever we have received a complaint of spam or malware coming through Amazon EC2, we have moved swiftly to strictly enforce the use policy by network isolating (or even terminating) any offending instances," Kinton said. She added that Amazon has since taken action against the EC2 systems hosting the fake Microsoft patches.
But Paul Vixie, founder and chairman of the Internet Software Consortium, believes spammers and malware authors will continue to make a home in Amazon's EC2 service, despite the company's best efforts. For one thing, he said, the dynamic Internet addresses will continue to remain in various spam block lists, precisely because the addresses spammers use within EC2 will constantly change. Thus, the block lists will make it very difficult for legitimate users of the service to use it for delivering e-mail.
For another, Vixie noted that the EC2 system is entirely automated, so for Amazon to try to separate legitimate users from spammers would require a significant human and technological investment. For Amazon to bring this activity to heel, he said, it would have to expend enough money that the service would no longer be profitable.
"Security is the natural prey of scale. You can't make something safe if everyone is supposed to be able to use it," Vixie said.
July 1, 2008; 1:04 PM ET