New Phishing Campaign Attacking AWS Accounts To Steal Logins

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A phishing email containing only a PNG image was sent from a compromised AWS account using the spoofed sender address [email protected].

Clicking the image redirected victims to a malicious Squarespace domain, giraffe-viola-p262.squarespace[.]com, which subsequently led to a PDF viewer. 

According to open-source threat intelligence, the sender domain is a known malware distributor that targets AWS accounts.


The attack starts with a malicious PDF hosted on a file-sharing site, while clicking an “Invoice Summary” link within the PDF triggers a redirect chain. 

Invoice Summary

First, it goes through a link shortener service and then to an attacker-controlled domain disguised as an AWS console page. 

Finally, it lands on a fake login page designed to steal user credentials. While Google Chrome flags this as phishing, users of other browsers or those who ignore warnings are at risk. 

The fake AWS login page at signin.aws.consoleportal.tech, which harvests the entered credentials, closely resembles the real one and even uses a similar URL structure.

The fake page also loads JavaScript from a suspicious location (https://d35uxhjf90umnp.cloudfront.net/index.js), possibly to gather even more information; it is unclear whether this script is directly controlled by the attacker or somehow linked to their AWS resources.

Malicious PDF

The honeypot, designed to mimic an employee’s AWS login, encountered a sophisticated phishing page that only accepted the originally targeted victim’s email address, indicating potential personalization or filtering mechanisms.

While the researchers were considering using the employee’s actual account, the attacker’s infrastructure became unavailable.

The cause remains unclear, but it could be due to the report to [email protected] or to Chrome’s built-in phishing detection. Either way, the incident highlights the evolving tactics of attackers and the importance of layered security measures.

To mitigate phishing risks, AWS customers should enforce strong account security by disabling root logins via Service Control Policies, implementing phishing-resistant MFA using FIDO security keys for Organization Management accounts, and considering additional measures such as SSO for user authentication.

This layered approach significantly reduces the likelihood of a successful phishing attack, protecting the organization even in the face of human error. 

Enforce SSO for all cloud environment access instead of IAM users or root logins to streamline authentication management and bolster security through additional authentication measures. 

Implement least privilege principles to mitigate the risks associated with compromised user accounts by restricting access to critical resources and minimizing the number of users with elevated permissions, such as root access to AWS Organization Management accounts. 

Cloud logging services like Amazon CloudTrail are critical for effective security incident response.

By continuously recording cloud activities, these services enable security teams to pinpoint compromised resources, determine the extent of a breach, and implement targeted remediation actions. 
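The CloudTrail triage described above, together with the root-login and MFA controls recommended earlier, as an added example that is not from the article or from Wiz: a small Python script that scans a CloudTrail export for successful ConsoleLogin events and flags root sign-ins, sign-ins without MFA, and sign-ins from outside an assumed trusted network. The records and the trusted range 203.0.113.0/24 are constructed; the field names follow the real ConsoleLogin event schema.

```python
import json
from ipaddress import ip_address, ip_network

# Source ranges the organisation expects console sign-ins from (hypothetical).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]

# Constructed CloudTrail ConsoleLogin records in the real event schema; all values are made up.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
]})

def login_findings(event):
    # Reasons a single ConsoleLogin record deserves analyst attention; [] means nothing noteworthy.
    if event.get("eventName") != "ConsoleLogin":
        return []
    if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return []  # a phished credential produces a *successful* login, so failures are skipped here
    reasons = []
    if event.get("userIdentity", {}).get("type") == "Root":
        reasons.append("root sign-in")
    if event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        reasons.append("no MFA")
    try:
        src = ip_address(event.get("sourceIPAddress", ""))
    except ValueError:  # e.g. "AWS Internal" or a missing field: treat as untrusted
        src = None
    if src is None or not any(src in net for net in TRUSTED_NETWORKS):
        reasons.append(f"untrusted source {event.get('sourceIPAddress')}")
    return reasons

def triage(cloudtrail_json):
    # Map each principal ARN with findings to the accumulated reasons across the export.
    findings = {}
    for rec in json.loads(cloudtrail_json)["Records"]:
        reasons = login_findings(rec)
        if reasons:
            findings.setdefault(rec["userIdentity"]["arn"], []).extend(reasons)
    return findings

if __name__ == "__main__":
    for arn, reasons in triage(SAMPLE_CLOUDTRAIL).items():
        print(arn, "->", "; ".join(reasons))
```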

Investigators at Wiz identified the phishing domain consoleportal.tech, which resolved to Cloudflare.

Historical DNS data revealed previously used IP addresses from Namecheap and Hostinger, which hosted other potential phishing domains with subdomains mimicking AWS services (e.g., signin.aws.{domain}). 

A lookalike search uncovered numerous domains replicating Amazon’s login page. While ownership by the same attacker is unclear, the subdomain format and association with known phishing IPs suggest malicious intent. 
