How phishing attacks have exploited Amazon Web Services accounts

Amazon is a target ripe for exploitation in phishing campaigns because the company has such a huge presence across so many different areas. Most phishing emails that impersonate Amazon are aimed at consumers who use the company on a retail level. But some are designed to spoof Amazon on a business level. A series of recent phishing attacks tried to take advantage of organizations that use Amazon Web Services (AWS). In a blog post published Monday, security trainer KnowBe4 describes how these phishing emails proved quite convincing.

SEE: Fighting social media phishing attacks: 10 tips (free PDF) (TechRepublic) 

In one phishing campaign reported to KnowBe4, the attackers created a basic, no-frills scam to harvest the credentials of AWS users. The messages boasted a clean and simple design, similar to regular email notifications that people would receive from Amazon and other companies.

The notice in the emails combined the right type of urgency with the right type of jargon, claiming that Amazon was unable to validate important details and that the recipient needed to confirm their information to remove an account limit restriction.

Even to a careful eye, the details helped the emails look legitimate. The footer contained exactly the type of information someone would expect to find, including the usual Terms of Use. The address in the From field used a random collection of letters, acronyms, and abbreviations to create a credible look-alike domain.

Further, the criminals behind this one used AWS itself to host the landing page with the same domain name listed in the From field. The phony AWS domain was even registered through Amazon’s own domain registrar on the same day the attack launched. Compared with an actual AWS page, the spoofed page appeared to be the real thing.

The attack remained credible even to its grand finale. After the landing page captured the AWS credentials of any unsuspecting victims, the process redirected them back to Amazon itself, as if to place them in safe hands.

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

On the plus side, this specific campaign lasted only a few days before the malicious files and fake AWS domain were shut down on Amazon’s site. But while it was active, the scam could’ve easily tricked people through its use of an old but effective social engineering hook, namely warning users in vague terms of a problem with their account.

This type of scheme isn’t the only one that has targeted AWS account holders. Another campaign noted by KnowBe4 used the popular billing issue, claiming that an invoice was due for AWS and that the recipient needed to click on a link to make a payment. This particular scam tries to compromise the person’s credit card data or other financial information.

Another popular tactic is to send warnings ostensibly from AWS. In one attack, the recipient is told that their AWS account will be restricted if they don’t follow the steps in the email. Fake security notices are one more common trick with the email claiming that someone was using the person’s AWS account without their knowledge.

Fake AWS support tickets are also popular as the recipient is told to click on a link in the email regarding a support case for technical help. And another phishing campaign promises bills or other business documents that users can access by clicking on a link.

A compromised AWS account can be damaging to the individual and the employer in many ways, according to KnowBe4. Cybercriminals can perform any of the following malicious acts:

• Harvest sensitive data from the account to be exploited in still further attacks against customers, partners, or clients.
• Demand ransom for the organization’s data after it is exfiltrated from the account or after an organization is locked out of the account.
• Sabotage the organization’s business by destroying or corrupting data stored in its AWS account (perhaps in connection with a ransom demand).
• Skim money and financial data from accounts being used to support an online store or financial service.
• Use an organization’s AWS account as a phishing platform, which could involve exploiting the account to distribute malware as well as host credentials-phishing pages or other files used in phishing attacks.

“We will, in short, see more of these AWS-themed phishing attacks,” KnowBe4 said in its blog post. “And they will get more sophisticated and more dangerous.”

To protect your organization from these phishing campaigns, KnowBe4 advises that you bring your users up to speed on the latest social engineering schemes. That entails security training with high-quality simulated phishing attacks. Such training should particularly be given to employees who control key resources and assets, such as an AWS account.

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays

Sign up today

Also see