Is Amazon S3 Cloud Storage Becoming a Hotbed of Cybercrime?
Evidence is emerging that Amazon S3, the cloud storage offering from IaaS giant Amazon Web Services (AWS), has become the go-to location for cybercriminals looking to squirrel away their identity-theft malware in the cloud.
The data in question was revealed by the security researchers at Kaspersky Lab in a series of blog entries at SecureList. In early June, Kaspersky Lab Expert Dmitry Bestuzhev reported that a rootkit worm, designed to steal financial data from unwary users and send it back to home base via e-mail, was hosted on Amazon S3 by users based in Brazil.
Oh, and by using a legitimate, legal anti-piracy baffler called The Enigma Protector, the criminals were able to delay reverse-engineering efforts. It took AWS more than 12 hours to take down the malware links after Bestuzhev alerted the provider to their presence.
And then late last week, Kaspersky’s Jorge Mieres blogged that the Amazon S3 cloud is what The VAR Guy might call a wretched hive of scum and villainy — cybercriminals are using Amazon’s cloud to host and run SpyEye, an identity theft suite. In fact, it appears the thieves used their ill-gotten identity data to open and fund the AWS accounts they needed.
And while Mieres noted the two incidents are isolated, they definitely speak to a rise in cybercriminals turning to the cloud to mask their illegal actions.
To me, this calls to mind the debate over WikiLeaks’ ejection from Amazon EC2. And while I’ll let the scholars debate the legal distinction between the incidents, the takeaway for cloud service providers is the same: In a market where you don’t know who’s using your service, and where you may never meet some of your customers face-to-face, you need an action plan and a process for dealing with the fallout when illegal — or even questionable — material ends up on your servers.