Last week at the RSA Conference, a pair of researchers demonstrated how it was possible to legally create a botnet for free by abusing trial accounts made available by high-powered platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) offerings.
“We were really easily able to get hundreds of boxes on certain providers and have a central way to launch things like massive port scans,” Ragan says. “We also did a proof-of-concept on cryptocurrency or Bitcoin mining. If you’re getting this free computing power and don’t have the power bill from it, why not use that to generate mining? That would be a huge motivation for malicious threat actors using these platforms.”
The project was made possible by a process that automates the creation of unique email accounts on free email services, together with scripting that automatically clicks the email verification links sent to those accounts.