Scammers Piggyback on AWS to Phish Victims
AWS Domains Used to Send Phishing Emails and Steal Credentials

Threat actors are using Amazon Web Services to create phishing pages that bypass security scanners and scam victims into handing over credentials.
The scammers send their targets what appears to be a standard password expiration email or another email meant to create a sense of urgency. The emails come from legitimate AWS domains, but a closer look reveals a false display name on the sender address and unrelated text in a foreign language, security researchers at Check Point-run firm Avanan find.
When users click on malicious links in the email, they're redirected to a login page that shows the victim's company name and logo, with the email ID prepopulated. "All the user has to do is fill in their password and their credentials are stolen," says Jeremy Fuchs, cybersecurity researcher and analyst at Avanan.
The Avanan researchers call the method of using legitimate services as a piggyback to land in the inbox "the Static Expressway." Usually, email services use static "allow" and "block" lists to determine if an email's content is safe or not. And emails from AWS will be marked as safe, as it is "too big and too prevalent" to block, giving the threat actors an opportunity to bypass email security scanners.
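As an added illustration (not from the article or from Avanan), the contrast the researchers describe: a static allow-list verdict that trusts the sender domain alone, beside content checks that run even when the sender is allow-listed. The cloud sender domain, the organisation domain and the message itself are constructed placeholders, not real AWS or victim values.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a lure relayed through a trusted cloud mail domain
# (placeholder domain, not a real AWS sender), with a false display name,
# an urgency subject and a link that prepopulates the recipient's address.
SAMPLE_EMAIL = """\
From: "IT Helpdesk - Password Expiry" <no-reply@mail.example-cloud.test>
To: alice@victimcorp.test
Subject: Action required: your password expires today
Content-Type: text/plain

Your password expires in 24 hours. Verify now:
https://login-victimcorp.example-evil.test/?email=alice@victimcorp.test
Lorem ipsum dolor sit amet (unrelated filler text)
"""

# The static allow list the article describes: mail from these sender
# domains is passed without inspecting its content.
STATIC_ALLOW = {"mail.example-cloud.test"}

URGENCY = re.compile(r"password (will )?expire|action required|verify now", re.I)
INTERNAL_ROLE = re.compile(r"helpdesk|it |admin|support", re.I)
URL_HOST = re.compile(r"https?://([\w.-]+)")


def static_allowlist_verdict(raw: str) -> str:
    """The weak check: the sender domain alone decides."""
    _, addr = parseaddr(message_from_string(raw)["From"])
    domain = addr.rpartition("@")[2].lower()
    return "allow" if domain in STATIC_ALLOW else "inspect"


def content_verdict(raw: str, org_domain: str) -> list[str]:
    """Content-aware checks applied regardless of the sender's allow-list status."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    findings = []
    # Display name poses as an internal team while the address is third-party.
    if INTERNAL_ROLE.search(name or "") and sender_domain != org_domain:
        findings.append("display-name/domain mismatch")
    if URGENCY.search(msg["Subject"] or ""):
        findings.append("urgency lure in subject")
    # Links pointing neither at the organisation nor at the relaying sender.
    for host in URL_HOST.findall(body):
        if not host.endswith(org_domain) and not host.endswith(sender_domain):
            findings.append(f"link to unrelated host {host}")
    # Recipient address carried in the URL: the prefilled login page described above.
    if re.search(r"[?&]email=[^&\s]+@" + re.escape(org_domain), body):
        findings.append("recipient email prepopulated in link")
    return findings
```

The same message gets "allow" from the static list and four findings from the content checks, which is the gap the researchers' "Static Expressway" label points at.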
"With an easy way into the inbox, plus a low lift from end users, this type of attack can be quite successful for hackers," the Avanan researchers say.
Avanan says it notified AWS of these findings. The cloud services giant did not respond to Information Security Media Group's request for comment.
The team also found instances of scammers deploying similar tactics with Google, QuickBooks and PayPal services. In January, hackers exploited a vulnerability in the comments feature of Google Docs to deliver malicious phishing websites to end users. It hit more than 500 inboxes across 30 tenants, and hackers used more than 100 different Gmail accounts, Avanan researchers said at the time (see: Hackers Exploiting Flaws in Google Docs' Comments Feature).