Emerging Phishing Campaign Targeting AWS Accounts

Summary:
Wiz Threat Research has shed light on a new phishing campaign targeting AWS accounts. The campaign was spotted after an employee at Wiz received a phishing email containing a PNG image. The email was sent from a (likely compromised) AWS account using the spoofed sender address admin@alchemistdigital[.]ae; notably, this domain has previously been flagged for distributing malware. While the employee did not fall for the lure, clicking on the PNG image would have redirected the victim to a Squarespace domain, which in turn led to a PDF file hosted on a file-sharing site (e[.]pcloud[.]link) with a built-in PDF viewer. Researchers state that this PDF masquerades as an invoice from AWS. Clicking the "Invoice Summary" button within the PDF takes the user through a chain of redirections, starting with a link-shortener service and then an attacker-controlled domain disguised as an AWS console page, before reaching the final page designed to steal the user's credentials.

Security Officer Comments:
The credential-harvesting page identified was designed to replicate the current AWS sign-in page, and to avoid suspicion its domain name followed a naming convention similar to that of the genuine login page. Researchers state that they attempted to feed credentials to the phishing page. To their surprise, the page returned an HTTP 400 error unless they entered the email address of the originally intended victim, which suggests the kit was tied to its specific target and rejects other input (a behaviour that also frustrates attempts to flood it with fake credentials). Researchers considered turning the targeted employee's personal AWS account into a honeypot to observe what the attacker would do with the stolen credentials, but the attacker's login infrastructure was taken down before the plan could be implemented and the intent of the attacker fully investigated.

Suggested Corrections:
To defend against such attacks, AWS customers have been advised to be wary of phishing emails carrying malicious links or attachments, to disable use of the account root user via a service control policy (SCP), to authenticate through an SSO solution instead of IAM user passwords or root logins when accessing cloud environments, to implement phishing-resistant MFA (e.g. FIDO security keys), and to apply the principle of least privilege to limit the impact of a compromised user. Phishing-resistant MFA matters specifically for this lure because the harvesting page sits on a lookalike domain: a FIDO authenticator's response is bound to the genuine origin, so a code or assertion captured on the attacker's site cannot be replayed against the real AWS sign-in page.
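The SCP recommendation above can be made concrete. The block below is an added example, not code from the Wiz post or from AWS: it holds a deny-all-actions SCP conditioned on the root principal ARN (the pattern AWS documents for restricting member-account root users) and a small evaluator that shows the policy blocks a root principal while leaving an SSO-backed role untouched. The policy Sid, the account ID and role name in the usage lines, and the evaluator itself are this example's own assumptions; the evaluator models only the Deny/StringLike subset needed here, not the full IAM evaluation logic.

```python
import fnmatch
import json

# Added example (not from the Wiz post or AWS). SCP that denies every action
# to the root user of any member account it is attached to. Attach it at the
# organization root or to the OUs whose member accounts should never use root.
# The Sid is a hypothetical name chosen for this example.
DENY_ROOT_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyMemberAccountRootUser",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                # aws:PrincipalArn for the root user is arn:aws:iam::<account>:root
                "StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}
            },
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list of strings in most policy fields."""
    return value if isinstance(value, list) else [value]


def _string_like(value, patterns):
    """IAM StringLike: case-sensitive, with * and ? as wildcards."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_matches(condition, context):
    """True when every StringLike clause in the condition block matches the
    request context. A missing context key never matches. Only StringLike is
    modelled, which is all this SCP uses."""
    for key, patterns in condition.get("StringLike", {}).items():
        value = context.get(key)
        if value is None or not _string_like(value, patterns):
            return False
    return True


def scp_explicitly_denies(scp, principal_arn, action):
    """Return True if any Deny statement in the SCP matches this principal and
    action. SCPs only filter permissions: a Deny here overrides anything an IAM
    policy grants, while an Allow in an SCP never grants access by itself.
    Action names are compared case-insensitively, as IAM does."""
    context = {"aws:PrincipalArn": principal_arn}
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        action_patterns = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in action_patterns):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def scp_document():
    """The JSON text to pass as --content to `aws organizations create-policy`."""
    return json.dumps(DENY_ROOT_SCP, indent=2)


if __name__ == "__main__":
    # Constructed sample principals for a hypothetical member account.
    root = "arn:aws:iam::111122223333:root"
    sso_role = "arn:aws:iam::111122223333:role/AWSReservedSSO_Admin_example"
    for principal in (root, sso_role):
        verdict = "DENIED" if scp_explicitly_denies(DENY_ROOT_SCP, principal, "s3:ListAllMyBuckets") else "not denied by SCP"
        print(f"{principal}: {verdict}")
    print(scp_document())
```

Write `scp_document()` to a file and create the policy with `aws organizations create-policy --type SERVICE_CONTROL_POLICY --content file://deny-root.json` (plus a name and description), then attach it with `aws organizations attach-policy`. Two caveats a practitioner should keep in mind: SCPs never apply to the management account, so its root user needs separate controls (hardware MFA, no access keys, tight alerting), and the SCP does not stop the phish from capturing a root password; it only makes the stolen credential useless in the affected member accounts.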

Link(s):
https://www.wiz.io/blog/emerging-phishing-campaign-targeting-aws-accounts