Free cloud services have become popular in recent years. These services provide developers a platform to test software, and collaborate with others easily. While this sounds amazing, in reality these platforms can be a goldmine for attackers if not properly secured. Many of these services require only an email for verification. Setting up fake emails and automating this sign up process is all too simple for attackers.
A couple years ago at Black Hat in Las Vegas, security researchers Oscar Salazar and Rob Ragan demonstrated just how easy this process was. They managed to accumulate 1,000 free cloud accounts during one weekend. With this free botnet they performed LiteCoin mining, allowing them to average $1,750 per week in pure profit.
This was a proof of concept exercise and as such restraint was shown. A malicious user on the other hand, would feel no need to limit themselves. Imagine tens of thousands of free cloud services being utilized for DDoS attacks. Being able to bypass email authentication is simple for any skilled coder, free cloud providers need to be aware of this, and take the necessary steps to improve authentication. These types of services are ideal for attackers to perform distributed network scanning, distributed password cracking, DDoS attacks, click-fraud, crypto currency mining and data storage.
Moving forward we need to keep security in mind as we offer free services and connect more devices to the internet. The threat landscape is constantly evolving, as a community we need to evolve as well. Take any and every step possible to remain secure and up to date.