In a blog post late last week, Jorge Mieres, lab expert at antivirus supplier Kaspersky Lab, said cybercriminals used Amazon S3 heavily in the second half of July to run SpyEye activities. The SpyEye Trojan emerged in late 2009 as a competitor to the Zeus banking Trojan. Both are used to infect computers, steal credentials and ultimately drain bank accounts.
“One hurdle for these cybercriminals to abusing Amazon S3 is the creation of an Amazon Web Services (AWS) account,” Mieres wrote. “These accounts require a legitimate identity and method of payment, so it is evident criminals are using stolen data to overcome this challenge.”
Researchers at antivirus company Trend Micro have also observed Amazon S3 being used to host SpyEye. “In fact, another colleague in my group, Ranieri Romera, recently collected approximately 22Mb of malware for analysis and detection that was hosted on AWS,” Paul Ferguson, senior threat researcher at Trend Micro, wrote in a blog post Monday.
“My advice is to avoid clicking on any suspicious link, either in an unsolicited email or an apparently benign link embedded in a webpage hosted on AWS (e.g. zx1uporn.s3.amazon.com, et al.) until this problem is resolved,” he added. “We have recently seen about 30-50 various subdomains and specific URLs created on AWS which appear to harbor malicious content.”
The trend of criminals exploiting cloud storage services is expanding, according to Mieres. “This trend clearly represents a critical point for online storage services and requires special treatment,” he wrote.
Both Kaspersky and Trend Micro said they reported their findings to the security teams at Amazon Web Services.