Using free services of multiple cloud-computing businesses, it is possible to create a botnet capable of mining a couple hundred dollars in crypto-currency on a daily basis, researchers said.
They should know because Bishop Fox’s senior security associates Oscar Salazar and Rob Ragan experimented with the resources of cloud services by creating numerous free accounts, which they were able to use for Litecoin mining, a virtual currency used as an alternative to Bitcoin.
The two found the online servers they had access to had the power to generate as much as $1,750 per week, without investing a single cent in the operation.
They relied on an automated process to create the necessary free accounts and proceeded to test about 15 services that did not require additional information during the sign-up procedure apart from a password, according to one published account.
At the end of the process, they were the masters of a cloud-based botnet with about one thousand computers.
“A lot of these companies are startups trying to get as many users as quickly as possible,” Salazar said. “They’re not really thinking about defending against these kinds of attacks,” the two said in the Wired report.
For the creation of legitimate-looking email addresses, the two modified information dumped online as a result of various data breaches.
Mining for Litecoin showed them computing power of the remote machines could produce 25 cents a day, for each account. This may seem quite low, but considering the 1,000 accounts, it adds up to a tidy $1,750 over a week.
These figures are only estimates, because Ragan and Salazar did not keep the botnet mining for more than a few hours.
However, they left some of the mining programs running for two weeks in order to see if they could carry out their activity without the operators of the cloud services shutting them down.
Leveraging the online systems for making virtual money is only one side of the risks presented by creating an army of cloud computers, as these could also end up used for criminal activities, such as password cracking, previously discussed by industry researchers.
Conducting distributed denial-of-service (DDoS) attacks is another way to use the machines. Ragan and Salazar said their botnet had the capacity to send the traffic seen from 20,000 computers.
On the same note, the administrators of the websites targeted by a DDoS attack carried out this way would have problems filtering out the traffic, because it originates from legitimate services.
Cloud systems will be more prominent on the radar of cybercriminals because of the computer power they offer and because they are suitable for coin mining activities.