A recent phishing campaign is harvesting victims’ Amazon credentials by masquerading as an Amazon AWS Suspension notice. It’s also very convincing.
Social engineers often use large organisations as their disguise because they build trust with the victim. Trust and professionalism are two key ingredients in a successful phishing attack, this goes some way to explaining why in 2019 over half of successful phishing emails used “LinkedIn” in their subject line.
What is the scam?
The scam goes down the tried and tested route of making the victim believe that if they do not act upon what the hacker is claiming, they will lose access to an essential service. In this case, Amazon Web Services (AWS), one of the world’s largest cloud computing companies, is the mask behind which the malicious actor has chosen to hide.
The email explains that the victim’s AWS service has been suspended due to an outstanding bill and that the account can be reactivated by following the link to the payment page.
The link takes the victim to a fake AWS login page which then harvests their credentials for the hacker to retrieve later.
The email and landing page are very well put together, however, there are still some tell-tale signs which give the hacker’s game away, we will explore these below.
How to spot a fake
Take a look at the images below, although they are convincingly written and use some clever techniques, they are not perfect.
The phishing email, claiming to be from Amazon Web Services
Firstly, the email claims to be from “Amazon aws Support”, think about that for a second, “AWS” (which, aside from the logo, is always capitalised in official literature) stands for “Amazon Web Services”, so why would they write “Amazon Amazon Web Services”?
The email uses the domain “amazon.com” which, although convincing, is nothing new. This is simply “domain spoofing” and is incredibly common in phishing emails, so common in fact that we created a free Domain Spoofing Test so you can test whether your own organisation’s security settings are able to spot when an attacker tries to spoof your domain, give it a try!
Another subtle, yet telling sign is the language used for the explanation of why the account is suspended:
“Suspension Reason: Overdue on Payment”
This is simply not correct English and it highlights that if something doesn’t seem exactly right then it probably isn’t worth finding out by clicking it.
The final sentence doesn’t make sense either, as it asks the user to click “Contact Us” if their account was suspended for other reasons. The simple fact is you wouldn’t get an email saying it was suspended due to a missed payment unless you had missed the payment.
If the victim fell for the email and clicked any of the links, they would be taken to the following landing page:
The page itself is nicely laid out, and looks relatively legitimate but the key here is in the URL.
The biggest sign here is that “Not secure” warning at the beginning. This is very poor show from the hacker, AWS generates around $30 billion a year in revenue, and would never neglect for their own log-in page to be HTTPS protected (although it’s not entirely heard of for big names to miss SSL certificate expiry dates!).
The URL contains “amazon.com” which is often enough to convince many victims, but read on, it continues with “.signin.redirect.uri.new.session.13” and much more! This is NOT a real Amazon domain and extreme caution should be used any time something like the URL doesn’t seem right.
If the victim ignores all of these signs and enters their credentials, the hacker saves the details and redirects them to the real log-in page, this is very standard practice for hackers.
All of the signs above would be obvious to any user with some Security Awareness Training (SAT), they are simple checks which can be taught and practised to avoid falling for attacks like these.
At Phishing Tackle, we believe SAT is essential for all employees, we also believe it should be affordable for companies of all sizes. Check out our cost calculator to see how affordable we really are.