In December of 2014 our honeypots informed of brute force SSH attacks performed from units belonging to Amazon. When the attacks were analysed, it was verified that after gaining access to an SSH server, these were then used to create connections to multiple websites with adverts. The final objective was to generate economic profit by accessing the advertising banners.
Amazon were notified and a few days later the attacks died down in our Honeypot, and the situation has maintained this way until today.
-Image of Honeypot Viewer displaying attacks from Amazon’s Cloud -
As of today, three months later, the attack pattern repeats itself but this time from Google Cloud. The attack vector is the same: search for and attack on SSH servers with weak credentials, with the aim of gaining access and from there visiting websites with advertising content. The websites, which supposedly belong to the attackers, not only include advertising banners to also monetize the access to them but they also store malware.
In this case, the attackers take advantage of Google Cloud’s 60-day free trial to put their attack machinery into practice.
-Image of Honeypot Viewer displaying attacks from Google Cloud -
SSH brute force attack
In the analysed attacks a clear dictionary-based brute force attack can be observed which gains access to the honeypot with admin /admin credentials.
The start of the attacks is detected on 09/03/2015. They are immediately studied and Google is notified after a malicious behaviour is determined.
A case of Click Fraud
The results of the analysis confirmed a clear objective pattern of Click Fraud:
There are a number of advertising servers used:
- Advertising providers used -
www.uptodatedaily.com stands out amongst the websites including advertising:
This site, which supposedly belongs to the attacker has been designed to achieve income from advertising. After consulting the domain registration information we can determine who the owner is to perform subsequent investigations to confirm what the intentions are.
This website presents various advertising banners (the top banner alternates):
- Site containing adverts using click fraud -
The attacker tries to access as many SSH servers as possible in order to perform automated visits to websites that have been previously prepared with advertising content. Once on the page, the attacker accesses each of the advertising banners on the page, which at the same time connect with other advertising services to generate the corresponding payment:
-Requests to visit the advertised sites. Observe the header "Referrer", which indicates the page from which the visit is being made-
This attack is more beneficial when there are more violated SSH machines as valid visits are obtained from each of them to obtain pay per click.
From INCIBE, we continue to warn about the importance of protecting any system that is exposed to internet with sufficiently robust credentials given that, otherwise, they will be victims of practices such as those described.