Cloud providers have attracted enterprise customers with the promise of rapid elasticity, on-demand provisioning, high availability and a pennies-per-hour pricing model. But there's just one problem: These very qualities have enticed criminals to adopt cloud services as well.
When a scam artist is looking to set up a phishing scheme to gain access to victims' bank accounts, the built-in redundancy, scalability and automation capabilities of cloud servers are extremely appealing. And when all it takes to procure cloud services is a working credit card -- without ever needing to deal with a live salesperson -- the cloud becomes an even more viable base from which criminals can commit fraud.
"All of the advantages of the cloud for enterprises are the advantages for the bad guys," said Jeff Spivey, international vice president of ISACA, a founding member of the Cloud Security Alliance (CSA) and president of Security Risk Management Inc., a Charlotte, N.C., information security consultancy. "It's that anonymity and scale that's attractive to the fraudsters."
Without proper cloud-based fraud detection and prevention practices in place, cloud providers can become unwitting hosts for cybercriminals. It's a threat that can expose providers to legal liabilities, profit loss and blacklisting. What's more, any cloud provider can become a target.
"While cloud has been a phenomenal enabler for legitimate businesses, it's also been a phenomenal -- and I mean phenomenal -- enabler for fraud and fraudulent activity," said John Rowell, senior vice president of research and development as well as global service operations at Dimension Data, a South African cloud and managed services provider. "Fraud is a huge deal on the business side."
How does cloud-based fraud occur?
Across the broader market, discussions about cloud security have focused primarily on the customer side of the equation. Even as cloud providers continue to devote the resources necessary to ensure that customer data is secure, they can't overlook the fact that some of their own customers could be a threat.
Fraud manifests in the cloud in several ways, according to experts. Typically, fraudsters use a stolen credit card to procure virtual machine (VM) instances or platform services on which they build their operations -- among them phishing schemes, money-transfer scams, identity theft and malware.
It's that anonymity and scale [of the cloud] that's attractive to the fraudsters.
"[You] can go get a fraudulent credit card, a good one -- it'll be working, but it'll be stolen -- for less than a dollar," Rowell said. "So, think about how the cloud enables [criminals]. All they have to do is sign up online and they can have a server in five minutes for less than a buck, and it's a throwaway identity."
In a joint investigation in 2012, researchers from McAfee Labs and Guardian Analytics uncovered a massive, cloud-based banking fraud operation that attempted to bilk an estimated $78 million from account holders in Europe, Latin America and the United States. The investigation, dubbed "Operation High Roller" because of the criminals' focus on high-balance accounts, found the scheme's success hinged on the resource availability and automation in the cloud, as opposed to a single host computer.
"With no human participation required, each attack moves quickly and scales neatly," investigators wrote in a report.
In some cases, criminals skip the stolen credit cards altogether and instead crack into a legitimate customer's account, hijacking the VMs to use for their own fraudulent activities. Cybercriminals are also looking to Infrastructure as a Service to provide vast amounts of on-demand processing power to launch distributed-denial-of-service attacks, according to Raj Samani, vice president and chief technology officer of McAfee Inc.'s EMEA operations.
Consequences of failure to detect fraud
Although fraud may not be the gravest security threat cloud providers face, ignoring it jeopardizes their bottom line in several ways.
From a purely financial perspective, any revenue gained from a stolen credit card is likely to evaporate quickly, thanks to the sophisticated fraud detection systems banks and credit card companies now use. The real damage comes from the revenues cloud providers never see from legitimate customers because the hundreds of VMs they would have paid to access have been tied up by the fraudsters.
[There are] service providers that … do not have adequate fraud measures in place, and they have to be losing insane amounts of money on it.
"[There are] service providers that … do not have adequate fraud measures in place, and they have to be losing insane amounts of money on it," said Dimension Data's Rowell. "It's got to have an immense impact to their profitability as well as just the health and cleanliness of their platform."
Moreover, cloud providers that don't commit resources to fraud detection and prevention could ruin their reputation -- and kiss goodbye any chance to engage enterprise customers, Rowell added.
"If you were putting up a storefront, you wouldn't want to hang your shingle beside a shop that says, 'Hey, we're selling stolen credit cards.' No one wants to be associated with that," he said. "It's incumbent on the service provider industry to police fraud. If they're not doing it, they're doing their entire customer base a disservice."
Enterprises are also likely to block IP addresses from which spam and other suspicious activity originate, unintentionally blacklisting the cloud providers that host them.
While there is no legal precedent yet, it's possible that governments and law enforcement agencies may start holding cloud providers criminally or civilly responsible for neglecting to detect and eradicate fraud, said ISACA's Spivey.
"Depending on how big the problem becomes will determine whether regulators or lawmakers start to get more involved," he said. "But if I'm running a store, for instance, and I know people are coming into the store buying and selling drugs, and I never brought it up to people, then law enforcement is basically going to [conclude] that I enabled this to occur because I let it happen on my premises."
Detecting cloud fraud: 'It's not high tech'
Fraud detection and prevention is a delicate dance for cloud providers, which must balance customer privacy concerns with the need to snuff out illegal activities, according to John Howie, chief operating officer of the CSA and former head of data center security for a large cloud provider.
"Cloud providers have built up these very sophisticated, accurate and successful antifraud systems, and they've invested a lot of time and energy in it," Howie said. "They monitor how the customers use the service without monitoring their data -- instead, [they look] for patterns of activity that are indicators of [fraud]."
Once fraudulent behavior is detected, providers alert law-enforcement agencies and will even notify their competitors of patterns through anonymous forums the CSA hosts, Howie said. Sharing this information "has already developed very tangible results," he noted.
But technology can only go so far.
The market is filled with software that can identify irregular behavior, such as a new customer who provisioned a VM that sent an unusually large number of emails, Howie said. The most effective line of defense is an antifraud team with the training to determine whether a credit card used to procure services is stolen and how to follow up with the customer, he added.
"A lot of fraud or potential fraud is really caught in that stage. It's not high tech," Howie said. "It's really about customer management."
Some argue it's still unclear whether an abundance of safeguards is the solution.
"As a cloud provider, how onerous do you want to become?" asked McAfee's Samani. "If every five minutes you're [sending] an email saying, 'You're not allowed to do that because we think it's malicious' … [customers] are going to turn around and say, 'This is too much effort. The cloud isn't easy for us.' It becomes a double-edged sword."