Living-Off-Trusted-Sites (LOTS) or should we say services?

There are 5.44 billion internet users worldwide, according to Statista. That's 67.1% of the global population who utilize and place trust in online services. From sending emails via Gmail, to securely transferring funds via PayPal or sharing confidential documents via Dropbox, many rely on and use these sites daily - ultimately because of our trust in them.

Yet, these websites don’t gain trust overnight. Credibility is built over time, fostering user confidence by providing consistent, high-quality content and services. Trust is one of, if not the most valuable, business assets. This is especially true in the eyes of cybercriminals who seek to exploit it through a tactic known as “Living-Off-Trusted-Sites (LOTS).”

What is LOTS?

The concept of LOTS, akin to “Living-Off-The-Land,” is the use of legitimate websites for nefarious activities while avoiding detection. Malicious actors leverage the well-earned credibility and reputation of legitimate, trusted sites and exploit them to carry out their illicit activities: hosting phishing pages, operating botnet command and control servers, running dropper sites for malware, and exfiltration.

Should it be called Living-Off-Trusted-Services?

The challenge with this concept is that it’s limited to “sites”. But many legitimate services, such as cloud storage and content delivery networks, are exploited by malicious actors in precisely the same way as legitimate sites. The reality is that miscreants have long been abusing all sorts of legitimate services for all kinds of nefarious activity, indicating that a broader definition of LOTS is more fitting.

Over the years, Spamhaus has observed a constant stream of LOTS adoption in conjunction with phishing campaigns, malware distribution, and botnet controller hosting. It is not without reason that Spamhaus’s Domain Blocklist (DBL), launched in 2010, features a dedicated “abused legit” listing type. This tackles cases where miscreants abuse a generally legitimate domain, which a regular DBL listing would be both off policy and prone to false positives.

So, while the abuse of legitimate sites isn’t new, it has evolved from a niche phenomenon to common cybercriminal behavior. In their advertisements on underground forums and alternative channels, miscreants sometimes refer to the effect of LOTS adoption as “FUD” – fully undetectable.

But it takes two to tango…

Spamhaus has repeatedly stressed that abuse does not “just happen.” The hard truth is that many companies are, in fact, enabling this abuse as they do not have acceptable anti-abuse measures. They are not implementing robust customer vetting, or abuse prevention schemes, or are handling abuse incidents tardily, if at all. Instead, these entities are enabling cybercriminals to “live off” trusted resources, jeopardizing online trust and safety.

Having relaxed anti-abuse measures may seem like a rational business decision at face value. Why turn away customers who are willing to pay for your services? In the short term, this makes absolute sense. However, in the long run, brand reputation will become degraded, and corrections will be made, either through market forces or legislation.

How Community can help strengthen online trust and safety

As a community, we have a role to play too. We cannot rely on market forces and legislation alone. Together, we can affect change by highlighting where abuse is being enabled, and apply pressure to legitimate providers to introduce robust customer vetting and abuse prevention schemes.

Evidently, the long-established “trust but verify” model is outdated. In this zero trust online world, a “trust no one, always verify" model must be adopted. Even well-known, trusted services must be approached with caution.

In tandem, we must work to increase the costs and disrupt the activities of those who engage in malicious activity, while impacting those facilitating such behavior too. Follow Spamhaus’ social media channels to get the latest updates and support the action we are taking.