Crooks Leverage AWS in Deceptive Email Campaigns


  • Cybercriminals are adopting advanced phishing tactics, using legitimate services like Amazon Web Services (AWS) to launch convincing attacks that bypass traditional security measures.
  • The Check Point report highlights the emergence of Business Email Compromise 3.0 (BEC 3.0), where attackers host phishing sites on AWS S3 Buckets to send seemingly genuine emails with phishing links.
  • Hackers manipulate users with social engineering and credential harvesting, often posing as password reset requests, leading victims to click on AWS S3 Bucket URLs that redirect to fake login pages.
  • Phishing attempts rely on exploiting human behaviour and urgency associated with password resets, making it crucial for users to scrutinize email URLs and remain cautious.
  • To counter this threat, cybersecurity experts recommend implementing multi-indicator phishing detection systems and comprehensive security measures, including document scanning and URL protection mechanisms.

Cybercriminals are now leveraging legitimate services to launch highly convincing phishing attacks that evade traditional security measures. A recent report from cybersecurity firm Check Point’s subsidiary Avanan has revealed that hackers are now utilizing Amazon Web Services (AWS) as a platform for sending out phishing links, adding a new layer of sophistication to their deceptive campaigns.

Phishing attacks have long been a menace in the digital landscape, but the latest trend involves hackers exploiting reputable services to slip through the cracks of cybersecurity defences. This tactic has been previously witnessed with services such as Google, QuickBooks, and PayPal, where attackers create accounts and send out seemingly genuine emails directly from these platforms, making them difficult to identify and block.

The Check Point Harmony Email researchers shed light on how hackers are now using AWS to facilitate their phishing endeavours. In this novel attack variant, cybercriminals are hosting phishing sites on AWS S3 Buckets, which are legitimate storage containers within AWS. This approach allows the attackers to send emails containing phishing links that appear convincingly genuine, as they originate from AWS S3 Buckets.

The attack method, known as Business Email Compromise 3.0 (BEC 3.0), relies heavily on social engineering and credential harvesting techniques to manipulate users into divulging their sensitive information.

The phishing email typically mimics a password reset request, a familiar scenario that prompts users to take action. While some users might be cautious and recognize the email as suspicious due to sender address discrepancies, the attackers cunningly employ AWS S3 Bucket URLs to redirect victims to seemingly legitimate login pages.

Upon clicking the link, victims are led to a webpage that bears the hallmarks of a Microsoft login page, complete with pre-populated email addresses and password fields. While this technique requires a slightly more advanced skill set from the attackers, it remains accessible enough for the average cybercriminal to execute.

The phishing email and phishing login page aim at the login credentials of Microsoft users. (Screenshot: Avanan)

The ultimate goal is to obtain victims’ login credentials, granting the attackers unauthorized access to sensitive accounts and potentially confidential information. According to a blog post published by Jeremy Fuchs of Avanan, users can protect themselves against these increasingly sophisticated attacks by paying close attention to the URLs presented in the emails.

However, the attackers’ well-crafted scenarios and the common urgency associated with password resets can often lead users to disregard this caution. This reliance on human behaviour is precisely what the hackers are banking on, as it offers them a higher chance of success.

In response to this emerging threat, Check Point researchers promptly alerted Amazon about the campaign on July 25th. To mitigate the risks associated with such attacks, cybersecurity professionals are advised to adopt multi-indicator phishing detection systems, implement comprehensive security measures that extend to document scanning, and incorporate URL protection mechanisms.
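
A sketch of what a multi-indicator check could look like for the campaign described above, as an added example (not code from Check Point, Avanan or AWS). It flags a message only when an S3-hosted link coincides with a second signal, since S3 links on their own are common in legitimate mail. The lure wording, the two-indicator threshold, the assumption that the pre-populated address travels in the link, and the sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, unquote

# S3 endpoint hosts: virtual-hosted, path-style and static-website forms.
S3_HOST = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)*\.amazonaws\.com$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Assumed lure wording; tune to the mail you actually see.
RESET_RE = re.compile(r"password\s+(reset|expir\w*|change)|reset\s+your\s+password", re.I)

def s3_links(text):
    """Return the URLs in text whose host is an S3 endpoint."""
    hits = []
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:  # malformed authority part
            continue
        if S3_HOST.search(host):
            hits.append(url)
    return hits

def score_message(raw):
    """Evaluate three indicators; S3 hosting alone is never enough to flag."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    links = s3_links(body)
    result = {
        "s3_hosted_link": bool(links),
        "reset_lure": bool(RESET_RE.search(msg.get("Subject", "") + "\n" + body)),
        # Assumption: a pre-populated login form gets the address from the link.
        "recipient_in_url": bool(rcpt) and any(rcpt in unquote(u).lower() for u in links),
    }
    result["flag"] = result["s3_hosted_link"] and sum(result.values()) >= 2
    return result

# Constructed sample messages (placeholder bucket, domains and addresses).
SAMPLE_PHISH = (
    "From: IT Support <support@sender.example>\nTo: alice@example.com\n"
    "Subject: Password reset required\n\n"
    "Your password expires today. Sign in here:\n"
    "https://example-bucket.s3.us-east-1.amazonaws.com/index.html#alice@example.com\n"
)
SAMPLE_BENIGN = (
    "From: Build Bot <ci@example.com>\nTo: alice@example.com\n"
    "Subject: Nightly build\n\n"
    "Artifacts: https://s3.amazonaws.com/example-bucket/build.zip\n"
)
```

Calling `score_message(SAMPLE_PHISH)` sets all three indicators and the flag, while `SAMPLE_BENIGN` trips only the S3 indicator and is not flagged.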
