Cybercriminals prefer to use legitimate sites and services in their phishing scams, not just to trick unsuspecting victims but to sneak past security scanners that would otherwise block traffic from a suspicious site. In a report released Thursday, email security provider Avanan describes a new phishing campaign that takes advantage of Amazon Web Services.
As one of the most popular cloud storage and hosting products, AWS is a tempting platform for cybercriminals to abuse, especially since anyone with an account can create and host webpages on it. The service lets you design and host a website using either WordPress or your own custom code, and the resulting page is served from Amazon-owned infrastructure. But just as legitimate users can tap into AWS, so can malicious attackers.
How attackers are using AWS
In the scheme analyzed by Avanan, cybercriminals have been building phishing pages on AWS. By sending a link to such a page through a phishing email, the scammers are able to bypass security tools and convince the recipient to share credentials for sensitive accounts.
In one example, the attacker uses a phishing page created and hosted through AWS to warn people about an alleged password expiration. Impersonating Microsoft, complete with a Microsoft logo, the phishing email claims that the user’s password will expire today and prompts them to click on a button to keep the same password.
Clicking on the button takes the user to the phishing page set up with a phony login prompt. The page even includes the domain name for the victim’s company and populates most of the fields. The user is asked only to enter their password, which is then harvested by the people behind the attack.
Why this phishing attack works
This type of scam often succeeds because the attacker knows how to thwart the usual security defenses. Traditional email security tools use static Allow and Block lists, checking the domain of any linked website against them to decide whether the content is legitimate. As a prominent website and service, Amazon Web Services is typically on the Allow list, and because such lists are keyed on the domain rather than on the individual page, a phishing page hosted on an Amazon-owned hosting domain inherits that trust and the phishing email reaches the user's inbox.
Avanan said it notified AWS of its findings and will provide further updates with any additional details.
How to avoid falling victim to this scam
To protect your organization and employees against these types of phishing attacks, Avanan offers the following tips:
- Always hover over any link in an email to see the destination URL before you click on it
- Always scrutinize the content of the email before taking any action
- Encourage employees to contact the help desk or IT support if they’re unsure about the legitimacy of an email
- Scan all hyperlinks in incoming email messages at delivery and at click time to determine if they’re malicious
- Don’t depend only on Block or Allow lists, especially since attackers continue to exploit legitimate sites and services to evade these lists
- Turn to advanced AI that examines multiple factors to determine whether an email is legitimate or malicious
- Implement advanced email security that can analyze the nature of an email message and ascertain its true intent
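The following Python is an added example (not Avanan's tooling or AWS code) that puts the point made under "Why this phishing attack works" and the tips above into code: a naive Allow list keyed on the registered domain passes a link to a page on Amazon's shared hosting, while a tightened check treats hostnames under customer-controlled hosting domains as untrusted and also performs the "hover over the link" comparison between the visible text and the real href. The Allow list, the shared-hosting list, the bucket name and the sample email are constructed for the illustration.

```python
"""Why a domain Allow list lets a phishing page hosted on AWS through, and one
way to tighten the check.

Added example, not Avanan's tooling or AWS code. The sample email, bucket
name and Allow/shared-hosting lists are constructed for this illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Naive gateway policy: trust whole registered domains (constructed list).
ALLOW_LIST = {"microsoft.com", "microsoftonline.com", "amazonaws.com"}

# Registered domains on which any customer can publish a page, so the domain's
# reputation says nothing about who controls a given hostname. amazonaws.com
# serves S3 static-website endpoints; amplifyapp.com serves Amplify apps.
SHARED_HOSTING = {"amazonaws.com", "amplifyapp.com"}

# Visible link text that looks like a hostname or URL (for the hover check).
HOSTLIKE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)\.?(?:[/?#]\S*)?$", re.I)


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: production code should
    use the Public Suffix List so that e.g. 'example.co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def naive_allowed(url: str) -> bool:
    """What a static Allow list does: pass anything on a trusted domain."""
    return registered_domain(urlparse(url).hostname or "") in ALLOW_LIST


@dataclass
class Verdict:
    href: str
    allowed_by_list: bool   # the naive decision
    reasons: list[str]      # why the tightened check still distrusts the link


def assess_link(href: str, text: str) -> Verdict:
    host = (urlparse(href).hostname or "").lower()
    reg = registered_domain(host)
    reasons = []
    # 1. A trusted registered domain is not a trusted page on shared hosting.
    if reg in SHARED_HOSTING:
        reasons.append(
            f"{host} is customer-controlled content on shared-hosting domain "
            f"{reg}; the domain's reputation does not vouch for this page")
    # 2. The hover check from the tips: does the visible text name a
    #    different destination than the real href?
    m = HOSTLIKE.match(text.strip())
    if m and registered_domain(m.group(1)) != reg:
        reasons.append(f"link text shows {m.group(1)} but href goes to {host}")
    return Verdict(href, reg in ALLOW_LIST, reasons)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(html: str) -> list[Verdict]:
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return [assess_link(href, text) for href, text in parser.links]


# Constructed lure modelled on the campaign described above: Microsoft-branded
# expiry notice whose button points at an S3 static-website endpoint.
SAMPLE_EMAIL = """
<p>Your Microsoft 365 password expires today.</p>
<p><a href="https://example-bucket.s3-website-us-east-1.amazonaws.com/login/index.html">
Keep same password</a></p>
<p>Or sign in at <a href="https://example-bucket.s3-website-us-east-1.amazonaws.com/">
https://login.microsoftonline.com</a></p>
"""

if __name__ == "__main__":
    for v in triage(SAMPLE_EMAIL):
        print(f"{v.href}\n  allow-list: {'pass' if v.allowed_by_list else 'block'}")
        for r in v.reasons:
            print(f"  flag: {r}")
```

Both links in the sample pass the naive Allow list because their registered domain is amazonaws.com, and both are flagged by the tightened check. Because a page on shared hosting can be swapped out after the email is delivered, the same assessment belongs at click time as well as at delivery, which is the point of the fourth tip above.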