Scammers Piggyback on AWS to Phish Victims

AWS Domains Used to Send Phishing Emails and Steal Credentials

Cybercriminals are using Amazon Web Services to create phishing pages that bypass security scanners and scam victims into handing over credentials.

The scammers send targets what appears to be a standard password expiration notice, or other emails meant to create a sense of urgency. The emails come from legitimate AWS domains, but a closer look reveals false nicknames attached to the sender address and unrelated text in a foreign language.

When users click on malicious links in the email, they’re redirected to a login page that shows the victim’s company name and logo, with the email ID pre-populated. All the user has to do is fill in their password, and their credentials are stolen.

Researchers call the method of piggybacking on legitimate services to land in the inbox “the Static Expressway.” Email services usually rely on static “allow” and “block” lists to decide whether an email is safe. Because AWS is “too big and too prevalent” to block, emails from AWS are marked as safe, giving the threat actors an opportunity to bypass email security scanners.
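The gap between a domain-only verdict and the per-message signs described above can be shown in a short triage sketch. This is an added example, not code from the researchers or from any email product; the allow list, the `.example` domains, the sample message and the signal names are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import unquote

# Assumption: domain-keyed allow list; the .example names are constructed stand-ins.
ALLOW_LIST = {"cloud-provider.example"}
URGENCY = re.compile(r"password\W+(?:\w+\W+){0,4}expir", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample message (not a captured email).
SAMPLE = """\
From: "Examplecorp IT Helpdesk" <no-reply@mailer.cloud-provider.example>
To: alice@examplecorp.example
Subject: Your password expires today

Keep your current password:
https://pages.cloud-provider.example/login?user=alice%40examplecorp.example
"""

def sender_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def static_allow(msg):
    """The static check: the verdict depends on the sender's domain only."""
    dom = sender_domain(msg)
    return any(dom == d or dom.endswith("." + d) for d in ALLOW_LIST)

def content_signals(msg):
    """Per-message signs from the article that a domain list never evaluates."""
    nickname = re.sub(r"[^a-z0-9]", "", parseaddr(msg.get("From", ""))[0].lower())
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    rcpt_dom = rcpt.rpartition("@")[2]
    org = rcpt_dom.split(".")[0]
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    signals = []
    # Nickname claims the recipient's organisation, yet the mail comes from elsewhere.
    if org and org in nickname and sender_domain(msg) != rcpt_dom:
        signals.append("nickname_mismatch")
    if URGENCY.search(text):
        signals.append("urgency_wording")
    # Link carries the recipient's address, so the landing page can pre-fill it.
    if rcpt and any(rcpt in unquote(u).lower() for u in URL.findall(text)):
        signals.append("prefilled_recipient")
    return signals

def triage(raw):
    msg = message_from_string(raw)
    return {"static_allow": static_allow(msg), "signals": content_signals(msg)}
```

For the sample, `triage(SAMPLE)` reports the message as allowed by the static list while all three content signals fire, which is the case a mail filter should route to further inspection instead of straight to the inbox.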

With an easy way into the inbox, plus a low lift from end users, this type of attack can be quite successful for hackers.

Scammers have deployed similar tactics with Google, QuickBooks and PayPal services. In January, hackers exploited a vulnerability in the comments feature of Google Docs to deliver malicious phishing websites to end users. That campaign hit more than 500 inboxes across 30 tenants, and hackers used more than 100 different Gmail accounts.

As always, consistent training and education on phishing and other scams is a key defense in the face of constant and evolving cyber threats.

If you have questions about the evolving threat landscape and IT security, call ITPAC today.