Hiding a phishing attack behind the AWS cloud

Criminals are slipping phishing emails past automated security scanners inside Amazon Web Services (AWS) to establish a launching pad for attacks.

Scammers have latched onto the ability for people to use an AWS service to build and host web pages using WordPress or their own custom code. From there they can send phishing messages carrying the AWS name into corporate emails systems to both get past scanners that typically would block suspicious messages and to add greater legitimacy to fool victims, according to email security vendor Avanan.

In a report this week, researchers with Avanan – acquired last year by cybersecurity company Check Point – outlined a phishing campaign that uses AWS and unusual syntax construction in the messages to get past scanners.

"Email services that use static Allow or Block Lists to determine if email content is safe or not are not immune to these attacks," they wrote. "Essentially, these services will determine whether a website is safe or not. Amazon Web Services will always be marked as safe. It's too big and too prevalent to block."

Piggybacking on well-known brand names for phishing campaigns isn't unusual. Avanan this year has documented such efforts leveraging QuickBooks, PayPal, and Google Docs to ensure messages land in an inbox.

Now the public cloud is a vehicle and using AWS makes sense. It is the largest public cloud player, owning a third of a global cloud infrastructure market that generated almost $55 billion in the second quarter, according to Synergy Research Group. Combined, AWS, Microsoft Azure, and Google Cloud account for 65 percent of the space.

"Attacks using public cloud is becoming my common for many reasons, in part because infrastructure is so transient, reputational systems cannot help. We can block bulletproof hosting providers but we can't just block AWS," John Bambenek, principal threat hunter at Netenrich, told The Register. "These services are cheap, easy to use, and can spin up and down services quickly. Public clouds are usually whitelisted, so IP reputation doesn't work, and people are getting more and more used to services in public clouds so they don't look as suspect."

The trend will only grow, according to Davis McCarthy, principal security researcher at Valtix.

"As the enterprise embraces the multiple clouds, cybercriminals will have more options to choose from and abuse," McCarthy told The Register. "Benefiting from the lack of visibility and the disjointed topology, attack surfaces will be difficult to fingerprint. Organizations will need to standardize on security across clouds and have the ability to consolidate visibility to ensure prevention and detection processes are implemented efficiently."

Cybercriminals are "creating phishing pages on AWS using the site's legitimacy to steal credentials," Avanan researchers wrote. "Sending a link to this page via email is a way to bypass scanners and get users to hand over credentials."

They pointed to a campaign where the cybercriminal sent a phishing message created and hosted on AWS telling recipients that their password was about to expire. The email came with a Microsoft logo and told the user to click on a button to either keep or change the password.

The use of AWS' name isn't the only tactic for getting past the scanners, according to the researchers. They also use unusual content in the email's text to confuse scanners, they wrote. When the message in the example was opened, the text wasn't related to the attack. Instead, it was written in Spanish that when translated talks about a price quote for an "earthquake monitoring system."

When the user clicks on button, they're taken to a fake password reset page that includes the domain name of the victim's company and most of the fields populated. The user is asked only to type in their password. If that's done, the scammers can steal the credentials.

"With an easy way into the inbox, plus a low lift from end-users, this type of attack can be quite successful for hackers," the researchers wrote, who added that they notified Amazon of what they found.

Avanan researchers wrote that enterprise users need to hover over links to see the destination URL before clicking on it and look at the email content before clicking on it. Hank Schless, senior manager of security solutions at Lookout, told The Register that Secure web gateways (SWGs) can help identify risk behavior on the network beyond what typical scanners do. If part of a larger cloud security platform, administrators can implement more data protection tools to identify risk behavior, even if it's coming from a legitimate source.

Automation also is key given the lack of in-house skills to run continuous monitoring, according to Ryan McCurdy, vice president of marketing at Bolster.

"Moreover, they do not have the relationships nor access to perform the takedowns, such as asking an internet service provider to take down a fake website, let alone have the access to underground forums and chat rooms, which is not something that can be acquired overnight," McCurdy told The Register. "It's critical that companies take a platform approach and leverage automation to detect, analyze, and take down fraudulent sites and content across the web, social media, app stores, and the dark web." ®