Recent phishing campaigns have been spotted boosting their anti-detection efforts by using Amazon Web Services to host their landing pages. It’s a sign of a nascent trend towards using public cloud storage, according to researchers.
The attackers are also layering on various obfuscation techniques, including multibyte XOR encoding, according to the analysis, released by Proofpoint on Thursday.
In late July, a targeted phishing campaign kicked off using the branding and email formatting of DocuSign. An email asks a target to sign a document electronically. If the visitor enters their information on the DocuSign landing page, they are then redirected to a lookalike of the webmail service they indicated, where another phishing landing page tries to steal their credentials.
The DocuSign campaign has no particular vertical targeting, researchers said, but the phishing lure was only sent to a small group of people across various organizations.
“Visually, it appears as a fairly standard phishing lure for documents purporting to be shared via DocuSign,” researchers said. “While the landing page for the credential phish also convincingly resembles DocuSign in branding and overall format, it is actually a phishing template that has been commonly used over the past few years.”
What’s not so common is the fact that the landing page was hosted on Amazon S3. According to Proofpoint, this is a continuation of adversaries’ growing interest in public cloud buckets. Proofpoint has also recently documented threat actors abusing Microsoft’s Azure Blob Storage, it said.
Once the obfuscated landing page is decoded, it becomes clear that the phishing kit pulls remote resources from multiple websites, which have TLS certificates from Let’s Encrypt; they all trace back to a user registered as “phasephaser[@]yandex.com”.
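As an added example that is not from the Proofpoint analysis or from Threatpost: a small Python helper an analyst could use to strip a repeating multibyte XOR layer from a captured landing page and list the hosts it pulls resources from. The sample page, key and hostnames are constructed placeholders, and the assumption that the decoded page begins with a known prefix such as `<!DOCTYPE html>` is mine.

```python
import re
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating multibyte XOR key (encoding and decoding are the same op)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(blob: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: XORing the first key_len ciphertext bytes with the
    expected plaintext prefix yields the key, provided the prefix is long enough."""
    if len(known_prefix) < key_len:
        raise ValueError("known prefix must be at least key_len bytes")
    return bytes(c ^ p for c, p in zip(blob[:key_len], known_prefix[:key_len]))

def decode_landing_page(blob: bytes, known_prefix: bytes = b"<!DOCTYPE html>",
                        max_key_len: int = 8):
    """Try key lengths 1..max_key_len and return (key, plaintext) for the first
    decode that reproduces the known prefix and is mostly printable text.
    Wrong key lengths fail the prefix check unless the key happens to be periodic."""
    printable = set(range(0x20, 0x7F)) | set(b"\r\n\t")
    for key_len in range(1, max_key_len + 1):
        key = recover_key(blob, known_prefix, key_len)
        plain = xor_bytes(blob, key)
        if not plain.startswith(known_prefix):
            continue
        if sum(b in printable for b in plain) / len(plain) >= 0.95:
            return key, plain
    return None, None

def remote_resources(html: bytes) -> list:
    """List the external hosts the decoded page loads resources from (src=/href=)."""
    urls = re.findall(rb'(?:src|href)=["\']?(https?://[^"\'\s>]+)', html)
    return sorted({u.split(b"/")[2].decode() for u in urls})

# Constructed sample: a minimal lookalike login page, obfuscated with a
# constructed 4-byte key. Hostnames are placeholders, not real indicators.
SAMPLE_HTML = (b'<!DOCTYPE html>\n<html><head>'
               b'<link href="https://cdn.example-phish.test/style.css">'
               b'<script src="https://assets.example-kit.test/main.js"></script>'
               b'</head><body><form action="post.php">'
               b'<input name="password"></form></body></html>\n')
SAMPLE_KEY = bytes([0x5A, 0x13, 0xA7, 0x3C])
SAMPLE_BLOB = xor_bytes(SAMPLE_HTML, SAMPLE_KEY)

if __name__ == "__main__":
    key, page = decode_landing_page(SAMPLE_BLOB)
    print("recovered key:", key.hex())
    print("remote hosts :", remote_resources(page))
```

The recovered hostnames are what a defender would feed into proxy or DNS blocking and into the takedown request for the hosting provider.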
“The actor engaging in this activity is not new to hosting on AWS, as we have observed it in similar low-volume campaigns throughout the year,” the researchers said. “All non-AWS domains have utilized Let’s Encrypt TLS certificates, and most appear to be registered with Russian domain registration services. While all phishing was hosted on AWS during this period, in some cases the actor used other public cloud infrastructure to host specific resources for the landing pages.”
Use of enterprise cloud services is still a fledgling technique, Proofpoint researchers said, and while Amazon has been responsive and “especially vigilant” in taking down abusive accounts, they warned that defenders should be aware that cloud storage is a growing attack tool.
Black Hat USA 2019 has kicked off this week in Las Vegas.