Hiding a Phishing Attack Behind the AWS Cloud • The Register

Criminals slip phishing emails behind automated security scanners inside Amazon Web Services (AWS) to establish a launching pad for attacks.

Scammers have latched onto the ability to use an AWS service to build and host web pages using WordPress or their own custom code. From there, they can send phishing messages bearing the AWS name into corporate email systems, both to bypass scanners that would typically block suspicious messages and to lend the messages greater legitimacy when tricking victims, according to email security provider Avanan.

In a report this week, researchers from Avanan — acquired last year by cybersecurity firm Check Point — described a phishing campaign that uses AWS and an unusual syntax construct in messages to pass scanners.

“Email services that use static allow or block lists to determine whether or not email content is safe are not immune to these attacks,” they wrote. “Essentially, these services will determine whether a website is safe or not. Amazon Web Services will always be marked as safe. It’s too big and too widespread to block.”

Piggybacking on well-known brands for phishing campaigns is not unusual. This year, Avanan documented such efforts leveraging QuickBooks, PayPal, and Google Docs to ensure messages landed in an inbox.

Now the public cloud is a vehicle and using AWS makes sense. It is the largest player in the public cloud, holding a third of the global cloud infrastructure market which generated nearly $55 billion in the second quarter, according to Synergy Research Group. Together, AWS, Microsoft Azure, and Google Cloud account for 65% of the space.

“Attacks using the public cloud are becoming commonplace for many reasons, in part because the infrastructure is so transient that reputation systems can’t help. We can block ironclad hosting providers, but we can’t just block AWS,” John Bambenek, Principal Threat Hunter at Netenrich, told The Register. “These services are cheap, easy to use, and can quickly spin services up and down. Public clouds are usually whitelisted, so IP reputation doesn’t work, and people are getting more and more used to services in public clouds, so they don’t look suspicious.”

The trend will only grow, according to Davis McCarthy, senior security researcher at Valtix.

“As the enterprise embraces multiple clouds, cybercriminals will have more options to choose from and abuse,” McCarthy told The Register. “Benefiting from the lack of visibility and disjointed topology, attack surfaces will be difficult to identify. Organizations will need to standardize security across clouds and have the ability to consolidate visibility to ensure that prevention, detection and mitigation processes are implemented effectively.”

Cybercriminals “create phishing pages on AWS using site legitimacy to steal credentials,” the Avanan researchers wrote. “Emailing a link to this page is a way to bypass scanners and trick users into handing in their credentials.”

They pointed to a campaign where the cybercriminal sent a phishing message created and hosted on AWS telling recipients that their password was about to expire. The email was accompanied by a Microsoft logo and instructed the user to click a button to keep or change the password.

Using the AWS name isn’t the only tactic for bypassing scanners, the researchers wrote. The attackers also use unusual content in the text of the email to confuse scanners. When the example message was opened, the text was unrelated to the attack: it was written in Spanish and, when translated, turned out to be a quote for an “earthquake monitoring system”.

When the user clicks the button, they are redirected to a fake password reset page which includes the domain name of the victim’s company and has most of the fields already filled in. The user is only prompted to enter their password. If they do, the crooks can steal the credentials.

“With easy inbox access and low end-user uplift, this type of attack can be quite effective for hackers,” the researchers wrote, adding that they informed Amazon of what they had found.

The Avanan researchers wrote that enterprise users should hover over links to see the destination URL before clicking, and should look at the content of the email before acting on it. Hank Schless, senior director of security solutions at Lookout, told The Register that Secure Web Gateways (SWGs) can help identify risky behavior on the network beyond what typical scanners do. If part of a larger cloud security platform, administrators can implement more data protection tools to identify risky behavior, even if it comes from a legitimate source.
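The advice above amounts to checking the destination URL against the context of the message rather than trusting the host's reputation. The script below, an added example that is not part of the article or of Avanan's tooling, does that for one message: it flags a link whose host lies outside the impersonated brand's own domains, and a password-expiry lure that lands on an allow-listed cloud host. The brand host list, the cloud suffixes and the sample message are assumptions constructed for the demo.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the impersonated brand legitimately uses for account actions (assumed, illustrative list).
BRAND_HOSTS = {"microsoft": ("microsoft.com", "microsoftonline.com", "live.com")}
# Cloud hosting suffixes a static allow list would wave through (constructed, incomplete list).
CLOUD_HOST_SUFFIXES = ("amazonaws.com", "cloudfront.net")
LURE_PATTERN = re.compile(r"password (is about to|will) expire|keep (my|your) password", re.I)

class LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # every href in the body: the URL a user would see on hover
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def host_matches(host, suffixes):
    # exact match or a subdomain of a suffix; "amazonaws.com.evil.test" does not match
    return any(host == s or host.endswith("." + s) for s in suffixes)

def analyse(raw_email):
    """Return findings for one RFC 822 message; an empty list means no signal fired."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    brand = next((b for b in BRAND_HOSTS if b in text), None)  # brand named in the lure
    lure = bool(LURE_PATTERN.search(text))
    extractor = LinkExtractor()
    extractor.feed(body)
    findings = []
    for link in extractor.links:
        host = (urlparse(link).hostname or "").lower()
        if brand and not host_matches(host, BRAND_HOSTS[brand]):
            findings.append(f"{brand} lure links to non-{brand} host {host}")
        if lure and host_matches(host, CLOUD_HOST_SUFFIXES):
            findings.append(f"credential lure hosted on allow-listed cloud host {host}")
    return findings

# Constructed sample modelled on the campaign described above; the bucket host is made up.
SAMPLE = """Subject: Your Microsoft password is about to expire
Content-Type: text/html

<html><body><img alt="Microsoft" src="logo.png"><p>Your password is about to expire today.</p>
<a href="https://reset-portal.example-bucket.s3.amazonaws.com/reset.html">Keep my password</a>
</body></html>
"""
```

Run `analyse(SAMPLE)` to see both findings fire; a message whose button links to a host under microsoft.com yields an empty list even though the lure wording is identical.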

Automation is also essential given the lack of internal skills to perform continuous monitoring, according to Ryan McCurdy, vice president of marketing at Bolster.

“Furthermore, they don’t have the connections or the access to make the takedowns, like asking an internet service provider to take down a fake website, let alone have access to underground forums and chat rooms, which is not something that can be acquired overnight,” McCurdy told The Register. “It’s critical for businesses to take a platform approach and leverage automation to detect, analyze and remove fraudulent sites and content across the web, social media, app stores and the dark web.” ®

About Dora Kohler
