
Hackers steal credentials by building phishing pages on AWS

Hackers are using Amazon Web Services to build phishing pages to avoid web filters, Avanan researchers reported. (Photo by Noah Berger/Getty Images for Amazon Web Services)

Researchers late last week found that hackers have been taking advantage of their coding knowledge by building phishing pages on Amazon Web Services.

In a Thursday blog post, Avanan researchers explained that sending a link to a phishing page via email has become a way to bypass scanners and get users to hand over credentials.

This attack demonstrates the continued usage of legitimate sites to host phishing pages, said Jeremy Fuchs, cybersecurity research analyst at Avanan, a Check Point company. Fuchs said hackers have found success in embedding phishing pages or links within sites that security scanners deem as acceptable.

Avanan notified AWS of the issue and said it would update its blog with any additional information.

“These popular sites — in this case AWS — represent a tricky proposition for security scanners,” Fuchs explained. “It's impossible to block these sites, but these attacks can't be ignored. This is where the significant use of advanced AI [artificial intelligence] and ML [machine learning] comes into play. It's critical to look at more than one factor when determining if an email is malicious or not.”

Hank Schless, senior manager, security solutions at Lookout, said hosting malicious campaigns on legitimate platforms has become a favorite tactic for threat actors as organizations become more reliant on cloud technologies. Schless said attackers leverage the broad usage of hosting platforms — such as AWS and Azure, or collaboration platforms like Google Docs or Office 365 — to bypass web filters and convince targets to engage with their malicious campaigns.

“This is the next step in social engineering as attackers expand their arsenal of effective tactics,” Schless said. “This tactic could give attackers a backstage pass to your infrastructure and enable them to launch advanced attacks like a ransomware campaign. By hiding the malware in a legitimate file type, not only do they have a better chance of bypassing filters, but the targeted individual won’t think as much about whether they should engage with the content. It’s critically important for IT and security teams to have the ability to inspect all web traffic for malware that could be hiding behind legitimate services.”

Ryan McCurdy, vice president of marketing at Bolster, Inc., said attackers want to appear credible, so creating a look-alike domain with a reputable hosting provider is in the attacker's best interest.

“The main reason that phishing scams are so convincing is that they often mimic the look of a brand or a credible person down to a very fine detail,” McCurdy said. “Hosting a look-alike domain with a reputable hosting provider is one step in appearing credible and avoiding phishing detection scanners. This trend will continue as phishing and impersonation scams become more sophisticated.” 
