Jonny Platt was sitting calmly at home when he saw the latest statement of his credit card: he owed $45,000 for heavy use of AWS. Wait, it wasn't him. It was a cybercriminal who got hold of his password for the service and used it to mine cryptocurrency (specifically, Monero) on Amazon's cloud computing platform.
Platt watched in horror as no one at Amazon responded to his requests for help and support, and recounted his nightmare in a Twitter thread that serves as a warning: be careful, once again, with sensitive data like this, because it can be used to cause very serious problems. The saddest thing is that the cybercriminal spent $45,000 of Platt's money to mine just $800 worth of Monero.
A nightmare caused by an old underused account
Platt did not understand how his password ended up in the hands of the cybercriminal, stating that the account was over nine years old and that he used it very little, just to experiment with old projects of his on the Amazon platform.
🎄 Excited to announce I just received my Christmas present from @awscloud!
😱 Horrified to see it’s $45,000 in charges due to some scammer hacking my account + mining Crypto for the last few weeks
⏰ Had no sleep last night. It’s now 23 hrs since my support ticket & no reply.
– Jonny Platt (@jonnyplatt) December 14, 2021
The cybercriminal simply accessed the service with his credentials and ran a small program, a bash script, in the AWS Lambda service, a 'serverless computing' platform that executes code and scales automatically according to the needs of that code.
The code was a small text file that was easy to identify: it contained a call to xmrig, a mining application frequently used in this type of attack. The script downloaded the miner every three minutes and ran it for a maximum of 15 minutes in every AWS Region the service covers around the world.
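A defender-side check for the pattern just described, added here as an example and not taken from the article or from Platt's thread: it flags Lambda functions that sit at the 15-minute maximum timeout, fire on a short schedule, and are fanned out across regions, including regions the account never normally uses. The boto3 collector, the 5-minute schedule threshold and the sample inventory are assumptions.

```python
import re
from collections import Counter

LAMBDA_MAX_TIMEOUT = 900   # seconds: the 15-minute hard limit mentioned above
FAST_SCHEDULE_MINUTES = 5  # assumed: rate(N minutes) at or below this is suspicious

def flag_suspicious(functions, expected_regions):
    """functions: dicts with region, name, timeout (s), schedule_minutes (or None).
    Returns [(region, name, reasons)] for each function showing 2+ indicators."""
    fanout = Counter(f["name"] for f in functions)  # same name across regions
    findings = []
    for f in functions:
        reasons = []
        if f["timeout"] >= LAMBDA_MAX_TIMEOUT:
            reasons.append("timeout at Lambda maximum")
        if f["schedule_minutes"] is not None and f["schedule_minutes"] <= FAST_SCHEDULE_MINUTES:
            reasons.append(f"scheduled every {f['schedule_minutes']} min")
        if fanout[f["name"]] >= 3:
            reasons.append(f"same name in {fanout[f['name']]} regions")
        if f["region"] not in expected_regions:
            reasons.append("region the account does not normally use")
        if len(reasons) >= 2:
            findings.append((f["region"], f["name"], reasons))
    return findings

def collect_inventory():
    """Assumed boto3 collector for the same fields (needs AWS credentials; paginate
    list_functions for a full sweep). Not exercised offline."""
    import boto3
    inventory = []
    for region in boto3.session.Session().get_available_regions("lambda"):
        lam = boto3.client("lambda", region_name=region)
        events = boto3.client("events", region_name=region)
        for fn in lam.list_functions().get("Functions", []):
            minutes = None
            for rule in events.list_rule_names_by_target(TargetArn=fn["FunctionArn"]).get("RuleNames", []):
                expr = events.describe_rule(Name=rule).get("ScheduleExpression", "")
                if m := re.match(r"rate\((\d+) minute", expr):
                    minutes = int(m.group(1))
            inventory.append({"region": region, "name": fn["FunctionName"],
                              "timeout": fn["Timeout"], "schedule_minutes": minutes})
    return inventory

# Constructed sample inventory; not data from the incident described above.
SAMPLE_INVENTORY = [
    {"region": "us-east-1", "name": "thumbnailer", "timeout": 30, "schedule_minutes": None},
    {"region": "us-east-1", "name": "sys-update", "timeout": 900, "schedule_minutes": 3},
    {"region": "eu-west-1", "name": "sys-update", "timeout": 900, "schedule_minutes": 3},
    {"region": "ap-south-1", "name": "sys-update", "timeout": 900, "schedule_minutes": 3},
]
```

Running `flag_suspicious(SAMPLE_INVENTORY, {"us-east-1"})` reports the three `sys-update` copies and leaves the ordinary `thumbnailer` alone.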
The result was that the script ran for weeks, mining Monero. Platt only found out when the bill for the service arrived, for usage that of course was not his: he suddenly found that he had to pay $45,000.
He tried to contact AWS by submitting a support ticket, but 23 hours after doing so he still hadn't been able to speak to anyone. The alternative was to call by phone, but that support is paid, and it gets more expensive the higher the AWS usage is.
In his case the problem was that, because of that bill, the call was going to cost 2,000 or 3,000 dollars. As this user explained, Amazon probably should have triggered some kind of alert when costs suddenly increased by 150,000%, as happened in his case.
He pointed out that it is true that Amazon offers a way to configure its cost anomaly detection system (it can be done from this link if you're a customer of the service), but that option wasn't available when he started using the service nine years ago and then forgot about it.
The most tragic thing is probably that the cybercriminal spent a lot of Platt's money on AWS, and that investment only served to mine 6 XMR, the cryptocurrency of the Monero platform, about 1,000 euros at the current price.
Platt explained on Twitter that Amazon finally called him 27 hours after the incident (and probably after seeing his story go viral), but they still have to investigate the situation and confirm the problem before reviewing the charges: this may take days.