Criminals are using Amazon Web Services (AWS) to start assaults by sneaking phishing emails past automated security scanners.
Scammers have taken advantage of people’s ability to create and host web pages using WordPress or their own custom code using an AWS service. According to email security provider Avanan, from there they may send phishing emails including the AWS name into corporate email systems to both get past scanners that ordinarily would block suspicious communications and give extra validity to fool targets.
“Email services that use static Allow or Block Lists to determine if email content is safe or not are not immune to these attacks,” they wrote. “Essentially, these services will determine whether a website is safe or not. Amazon Web Services will always be marked as safe. It’s too big and too prevalent to block.”
It is common practice for phishing operations to capitalize on well-known brand names. In order to guarantee that messages reach an inbox, Avanan has this year detailed such attempts using QuickBooks, PayPal, and Google Docs.
AWS now makes sense as a vehicle for the public cloud. According to Synergy Research Group, it is the biggest participant in the public cloud, holding a third of the global cloud infrastructure industry, which earned approximately $55 billion in the second quarter. 65 percent of the space is made up of AWS, Microsoft Azure, and Google Cloud combined.
They cited a campaign in which a hacker used AWS to host and send phishing messages informing recipients that their passwords were about to expire. The user was instructed to click a button in the email that had the Microsoft logo to either keep or change the password.
The researchers claim that there are more methods than using AWS’ name to avoid scanners. To confound scanners, they also include strange text in the email, according to what they wrote. The text that was shown when the example mail was opened had nothing to do with the attack. It was really written in Spanish, and when translated, it refers to a price estimate for a “seismic monitoring system.”
When the user clicks the button, they are directed to a phony password reset website with the victim’s company’s domain name and most of the fields already filled in. Only the user’s password must be entered. The crooks can take the credentials if that is done.
“With an easy way into the inbox, plus a low lift from end-users, this type of attack can be quite successful for hackers,” the researchers wrote, who added that they notified Amazon of what they found.
According to Ryan McCurdy, vice president of marketing at Bolster, automation is also essential given the lack of internal expertise required to maintain continuous monitoring.
“Moreover, they do not have the relationships nor access to perform the takedowns, such as asking an internet service provider to take down a fake website, let alone have the access to underground forums and chat rooms, which is not something that can be acquired overnight,” McCurdy told The Register. “It’s critical that companies take a platform approach and leverage automation to detect, analyze, and take down fraudulent sites and content across the web, social media, app stores, and the dark web.”