It’s natural for cloud providers to offer free samples. But it turns out you can stitch together thousands of those free samples to create one big botnet, as two researchers explained Wednesday at the Black Hat conference.
Oscar Salazar and Rob Ragan, senior security associates at consulting firm Bishop Fox, said they managed to pool 1,000 free-trial cloud accounts during one weekend. That’s 1,000 free doses of compute and storage that could be used for anything from denial-of-service attacks to Bitcoin mining, as they explained.
They tried this as a proof-of-concept exercise, one inspired by the question of whether an online sweepstakes could be rigged. But other people are doing it for serious profit. Toward the end of the presentation, they showed screenshots of various cloud services that had shut down their free trials — or shut down completely — apparently because of this kind of exploit. One screen even said specifically that the service had been overrun by Bitcoin miners.
“This actually hurts your business. If you have to stop your signup process in order to revamp it and add new protections, you’re basically cutting off revenue,” Salazar said.
The scheme he and Ragan used wasn’t even that complicated: They generated lots of fake email addresses to sign up for these free trials. It didn’t even take that long.
“We did the majority of this proof-of-concept in one weekend,” Ragan said. “Someone who is a skilled coder could actively do this relatively easily, and that was something we wanted to raise awareness of, because we do think we’ll see more of this type of botnet unless these services take more precautions.”
Many services verify signup requests by using email acknowledgments. The service sends you an email, and you have to respond by clicking on a link. That process assumes that you only have one email address and have no way of auto-clicking that link — or, at least, that you can’t generate email accounts at a rate fast enough to be dangerous. Operators are also smart enough to block disposable-email services like Mailinator.
But this being the Black Hat conference, you know how the story ends: The fence is full of holes.
First, Ragan and Salazar needed a way to generate random-looking email addresses, as in the word cloud shown above, so the requests wouldn’t trigger any suspicion. Coming up with the local parts of email addresses — the part before the “@” — wasn’t hard. They just scraped the online dumps of hacked services, a truly realistic source of random-looking identities. “There’s no shortage of online dumps in the news every week,” Ragan said. (Not coincidentally, Black Hat is where the 1.2 billion-password heist was revealed.)
Getting domain names took a bit of finesse. Ragan and Salazar’s original plan was to just buy them on the cheap, but instead, they found a free solution at FreeDNS (freedns.afraid.org), which has about 30,000 domains you can freely register subdomains onto.
From there, it was a matter of using an online service to convert inbound emails into an HTML format and input them into the Google App Engine, where they’d set up a platform to automatically respond to the emails.
Once they automated the whole process — email creation, registration, and replying to the registration email — Ragan and Salazar started racking up new cloud accounts, up to their arbitrary goal of 1,000. “That’s just where we stopped. I could scale up even more, to tens of thousands of bots,” Ragan said.
Into the Crypto-Mines
Having amassed all this free, untraceable compute power, a hacker could launch any number of projects for good or evil. But hackers who’ve done this seem to gravitate toward mining Bitcoins and other crypto-currencies. They don’t have to pay for the requisite server farm, and maybe more importantly, the electricity bills for powering and cooling all that hardware get foisted on the unsuspecting cloud provider.
Ragan and Salazar tried it out with Litecoin (Bitcoin’s math puzzles have gotten too complex for the cheapo CPUs they’d collected) and calculated they could generate $250 per day from their 1,000 bots. They shut the whole thing down at that point; being the good guys, they didn’t want to incur too much cost on their cloud-service victims. Moreover, they found out that Litecoin was sometimes sharing resources between users — meaning that their project could have affected the work of some legitimate miner.
The point is that $250 per day could be had with just a weekend’s effort. A hacker more determined and dedicated could make a lot more money, and it does seem to be happening out there. In June, Dell Secureworks researchers found a Dogecoin scam that used similar techniques to exploit a weakness in network-attached storage (NAS).
What can be done?
The core lesson here is that email authentication is a flimsy way to block bots from stacking up registrations. This is why the captcha was invented, but — let’s face it, everybody hates those. “Everybody feels like they’re being punished” when captchas appear, Salazar said.
The researchers’ suggestion was to set a threshold to determine if something weird is going on. If 10 requests arrive from one place in one minute, for example, it might be time to activate a test for sentience. Maybe then, a captcha would be called for, or some kind of simple logic test.
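The threshold the researchers describe, as an added example that is not from the talk or the article: a per-source sliding window over signup attempts that flags a source for a captcha or logic test once it crosses 10 requests in one minute. The log format, the `SignupMonitor` class and the sample entries are all constructed for this illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # the talk's example window: one minute
THRESHOLD = 10        # 10 signups from one place in that window -> step up


class SignupMonitor:
    """Hypothetical helper: keeps a sliding window of signup timestamps per source."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.events = defaultdict(deque)  # source -> timestamps still inside the window

    def record(self, source, ts):
        """Record one signup attempt at epoch second `ts`.

        Returns True when the source has reached the threshold inside the
        window and the signup flow should add a test for sentience.
        """
        q = self.events[source]
        q.append(ts)
        # Expire anything that fell out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        return len(q) >= self.threshold


def parse_line(line):
    """Constructed log format: '<epoch_seconds> <source_ip> signup <email>'."""
    ts, source, _, email = line.split()
    return int(ts), source, email


def sources_needing_captcha(log_lines):
    """Return {source: first timestamp at which it crossed the threshold}."""
    monitor = SignupMonitor()
    flagged = {}
    for line in log_lines:
        ts, source, _email = parse_line(line)
        if monitor.record(source, ts) and source not in flagged:
            flagged[source] = ts
    return flagged


# Constructed sample log: one source makes 10 signups within 30 seconds,
# another makes two signups an hour apart (which should stay unflagged).
SAMPLE_LOG = (
    [f"{1000 + 3 * i} 198.51.100.7 signup user{i}@example.test" for i in range(10)]
    + ["1000 203.0.113.9 signup alice@example.test",
       "4600 203.0.113.9 signup bob@example.test"]
)
```

Because the window is kept per source, the two slow signups from the second address expire out of the window and never trigger the step-up.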
Cloud service providers also need to be wary about giving free trials to friends of users. Services such as Dropbox will limit the number of “friends” you can refer, but others are apparently more porous. Ragan and Salazar said they used the referral trick on one service to amass 1 terabyte of free storage — which is more than the service even lets you pay for.