Threat actors are leveraging major cloud provider Amazon Web Services (AWS) to get their phishing hooks into unsuspecting targets, using a trusted brand name to bypass email security.
The research by Avanan highlights the latest twist in the ongoing tale of social engineering, with scammers using previously harvested data such as email addresses to obtain the cherry on top – in this case, the victim’s password – while turning a usual telltale sign of scammers, poor textual construction, into a weapon.
“One way that folks use AWS is to build and host web pages,” said Avanan. “The service allows you to host a WordPress site or something fully created with custom code. With a little bit of coding knowledge, you can create a free website that’s hosted on AWS.”
But it added: “Hackers are taking advantage of this by building phishing pages on AWS. Sending a link to this page via email is a way to bypass scanners and get users to hand over credentials.”
Scamming the scanners
These password-hungry hackers seem willing to adopt one of the classic giveaways to get past a target company’s initial defenses – automated “allow” and “block” lists designed to weed out suspect communications – sending fake emails with content that is “all over the place.”
But in this case, Avanan believes the content is deliberately shoddy to confuse the automated scanners. In one example it cited, the bogus message initially claims to be regarding a password expiration, but when opened, refers instead to “an earthquake monitoring system.”
This deliberate mixing and mashing of subject matter, coupled with the fact that the email is sent from a legitimate domain – in this case, AWS – allows the phishing attack to get past a target organization’s first line of defense.
Going for the easy money
The scam then leverages previously obtained data in an effort to get past the second line of defense: the target’s capacity to realize they are being scammed before they do anything reckless. Victims are redirected to a password reset page, where they see their company’s domain name filled in at the URL bar.
“Their company logo will be present and their email is pre-populated,” said Avanan. “For a victory for the hacker, they just need the user to enter their password.”
It added that this combination of easy access and a tantalizingly simple request makes this particular phishing scam dangerously effective.
“With an easy way into the inbox, plus a low lift from end-users, this type of attack can be quite successful for hackers,” said Avanan.
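A mail filter can look for the pattern described above instead of trusting the hosting brand: a link on shared cloud hosting that also carries the recipient's own address or domain. The sketch below is an added example, not code from Avanan or AWS; it assumes the recipient's identity travels in the link (plain, URL-encoded or base64), and the `.amazonaws.com` suffix list, function names and sample message are constructed for illustration.

```python
import base64
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import unquote, urlsplit

# Assumption: hosting suffixes whose brand is trusted but whose content is user-supplied.
SHARED_HOSTING_SUFFIXES = (".amazonaws.com",)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def decoded_forms(text):
    """Yield the URL-decoded text, then any base64 tokens in it that decode to ASCII."""
    text = unquote(text)
    yield text.lower()
    for token in re.findall(r"[A-Za-z0-9+/_-]{8,}", text):
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
            yield raw.decode("ascii").lower()
        except (ValueError, UnicodeDecodeError):
            continue

def suspicious_links(raw_message):
    """Return links on shared hosting that carry the recipient's address or domain."""
    msg = message_from_string(raw_message)
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    domain = rcpt.rpartition("@")[2]
    if not domain:
        return []
    body = "\n".join(
        (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for part in msg.walk() if not part.is_multipart()
    )
    hits = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        if not (parts.hostname or "").lower().endswith(SHARED_HOSTING_SUFFIXES):
            continue
        tail = f"{parts.path}?{parts.query}#{parts.fragment}"
        if any(rcpt in f or domain in f for f in decoded_forms(tail)):
            hits.append(url)
    return hits

# Constructed sample message; every address, bucket name and path is made up.
TOKEN = base64.urlsafe_b64encode(b"jane.doe@corp.example").decode()
SAMPLE = (
    "From: notify@sender.example\nTo: jane.doe@corp.example\n"
    "Subject: Password expiration\n\nEarthquake monitoring system notice:\n"
    f"https://constructed-bucket.s3.amazonaws.com/reset.html#{TOKEN}\n"
    "https://constructed-bucket.s3.amazonaws.com/newsletter.html\n"
    "https://intranet.corp.example/home\n"
)
```

Only the first link in the sample is returned: the second is on shared hosting but carries no recipient data, and the third is not on shared hosting at all.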
Once the crooks behind the scheme have obtained the password, the completed set of employee data can be sold to other threat actors on the dark web or used by the same perpetrators to facilitate ransomware and other potentially lucrative cyberattacks.
The cybersecurity watchdog has reached out to AWS to notify it of the ploy and says it will update its blog as and when it receives any further information.