Full Report
Wiz Threat Research recently spotted a new phishing campaign targeting AWS accounts.
Analysis Summary
# Tool/Technique: AWS Credential Phishing Campaign (Squarespace/CloudFront/ConsolePortal)
## Overview
This summary describes a recently observed phishing campaign that attempted to harvest AWS login credentials. The attack used a multi-stage redirection chain that began with a phishing email containing a PNG image and ended at a lookalike AWS sign-in page built to capture credentials.
## Technical Details
- Type: Technique (Credential Harvesting Phishing)
- Platform: Cloud Infrastructure (AWS), Web Browsers
- Capabilities: Credential theft via lookalike login page, multi-step URL redirection, use of legitimate services (Amazon SES, Squarespace, CloudFront) for initial hosting/delivery.
- First Seen: Shortly before the source article's publication ("Earlier this week" according to the article; no exact date is given).
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (the campaign is described as not targeted, but delivery relied on an embedded image carrying the initial link)
- T1566.002 - Spearphishing Link
- T1583 - Infrastructure Acquisition
- T1583.001 - Domains
- T1583.004 - Compute Infrastructure (Implied use of compromised/rented AWS resources)
## Functionality
### Core Capabilities
- **Initial Lure:** Delivery via a phishing email sent through Amazon SES, embedding a PNG image that links to a Squarespace page (`https://giraffe-viola-p262.squarespace[.]com/`).
- **Redirection Chain:** Multiple redirects starting from Squarespace, through a link shortener (`https://cli[.]re/j9PQ88`), to an attacker-controlled domain (`https://console.aws.consoleportal[.]tech/`).
- **Credential Harvesting:** Presentation of a visual clone of the legitimate AWS sign-in page hosted at `https://signin.aws.consoleportal[.]tech/signin`.
### Advanced Features
- **URL Mimicry:** The final URL structure (`https://signin.aws.consoleportal[.]tech/signin?redirect_uri=...`) was designed to closely resemble the legitimate AWS URL (`https://signin.aws.amazon.com/signin?...`).
- **JavaScript Delivery:** Loading a JavaScript file from a CloudFront distribution (`https://d35uxhjf90umnp.cloudfront[.]net/index.js`).
- **Targeted Validation (Hypothesized):** The credential harvesting page reportedly threw a '400 error' unless the specific email address of the originally intended victim was entered, suggesting a degree of targeting verification or limited deployment scope.
## Indicators of Compromise
- File Hashes: [N/A or Unknown]
- File Names: [N/A or Unknown; no malicious files reported beyond the misleading PDF structure]
- Registry Keys: [N/A]
- Network Indicators:
  - Initial Link Service: `giraffe-viola-p262.squarespace[.]com`
  - Link Shortener: `cli[.]re`
  - Attacker Domain (Redirect): `console.aws.consoleportal[.]tech`
  - Final Credential Harvesting Page: `signin.aws.consoleportal[.]tech`
  - SES Sender Domain: `alchemistdigital[.]ae`
  - CloudFront Resource: `d35uxhjf90umnp.cloudfront[.]net`
  - Previously associated historical IP (Namecheap): `162.0.216[.]98`
  - Previously associated historical IP (Hostinger): `185.170.198[.]250`
  - Associated Lookalike Domains (based on historical IP resolution): `officequalcomm[.]com`, `webportal[.]tech`, `docshare[.]tech` (Note: these are associated infrastructure, not necessarily confirmed active parts of this exact chain).
- Behavioral Indicators:
  - Use of Amazon SES to send phishing emails
  - Hosting content on file-sharing sites (`e.pcloud[.]link`)
  - Browser detection of phishing activity (Chrome)
## Associated Threat Actors
- Unknown/Unconfirmed (The attack infrastructure was taken down before attribution could be completed).
## Detection Methods
- Signature-based detection: Reliance on browser security features (e.g., Google Chrome's phishing detection capability).
- Behavioral detection: Monitoring for suspicious URL redirection chains involving known shorteners or unusual domain registration patterns attempting to mimic cloud providers.
- YARA rules: [N/A]
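A defender-side check for the behavioral detection item above (and for the URL mimicry noted under Advanced Features), as an added example that is not part of the Wiz report: it walks constructed proxy-log lines, reassembles each client's run of 3xx responses plus the page they land on, and flags chains that pass through a known shortener or touch a hostname using AWS brand tokens outside Amazon's own domains. The log format, client addresses and the 30-second chaining window are assumptions; the hostnames are the report's indicators with the defanging brackets removed.

```python
"""Flag redirect chains that pass through a link shortener or end at an
AWS-lookalike host.  Added example, not code from the Wiz report: the
proxy-log format, client addresses and 30-second window are constructed;
the hostnames come from the report's indicators (defanging removed).
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

KNOWN_SHORTENERS = {"cli.re"}                 # from the report
LEGIT_AWS_DOMAINS = {"amazon.com", "amazonaws.com"}
BRAND_TOKENS = ("aws", "amazon")              # labels that imitate AWS

# Constructed proxy log: "<timestamp> <client> <status> <url>"; the first
# client replays the chain from the report, the others are benign traffic.
SAMPLE_LOG = """\
2025-05-01T09:00:01Z 10.0.0.5 302 https://giraffe-viola-p262.squarespace.com/
2025-05-01T09:00:02Z 10.0.0.5 302 https://cli.re/j9PQ88
2025-05-01T09:00:03Z 10.0.0.5 302 https://console.aws.consoleportal.tech/
2025-05-01T09:00:04Z 10.0.0.5 200 https://signin.aws.consoleportal.tech/signin
2025-05-01T09:00:05Z 10.0.0.5 200 https://d35uxhjf90umnp.cloudfront.net/index.js
2025-05-01T09:05:00Z 10.0.0.7 200 https://signin.aws.amazon.com/signin
2025-05-01T09:06:00Z 10.0.0.9 302 https://example.org/news
2025-05-01T09:06:01Z 10.0.0.9 200 https://www.example.org/news
"""


def parse_line(line):
    ts, client, status, url = line.split(maxsplit=3)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client,
        "status": int(status),
        "url": url,
    }


def registrable_domain(host):
    """Last two labels.  Simplification: a real deployment should use the
    public suffix list so that e.g. example.co.uk is handled correctly."""
    return ".".join(host.lower().split(".")[-2:])


def is_lookalike_aws_host(host):
    """True when a hostname uses AWS brand tokens outside Amazon's domains."""
    host = host.lower()
    if registrable_domain(host) in LEGIT_AWS_DOMAINS:
        return False
    labels = host.split(".")[:-1]             # ignore the TLD itself
    return any(tok in label for label in labels for tok in BRAND_TOKENS)


def is_shortener(host):
    return registrable_domain(host) in KNOWN_SHORTENERS


def assess_chain(client, chain):
    """Return a finding dict if any host in the chain is suspicious."""
    hosts = [urlsplit(r["url"]).hostname for r in chain]
    reasons = []
    for h in hosts:
        if is_shortener(h):
            reasons.append(f"shortener:{h}")
        if is_lookalike_aws_host(h):
            reasons.append(f"lookalike:{h}")
    if not reasons:
        return None
    return {"client": client, "hosts": hosts, "reasons": reasons}


def find_suspicious_chains(log_text, window_seconds=30):
    """Group requests per client; a run of 3xx responses plus the page they
    land on forms a chain, which is reported if it touches a shortener or
    an AWS-lookalike host."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_client[rec["client"]].append(rec)

    findings = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        chain = []
        for rec in recs:
            if chain and (rec["ts"] - chain[-1]["ts"]).total_seconds() > window_seconds:
                chain = []                    # gap too long: unrelated request
            if 300 <= rec["status"] < 400:
                chain.append(rec)
                continue
            if chain:                         # landing page after the redirects
                chain.append(rec)
                finding = assess_chain(client, chain)
                if finding:
                    findings.append(finding)
            chain = []
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_LOG):
        print(f["client"], " -> ".join(f["hosts"]), f["reasons"])
```

Run against real proxy or DNS logs, the hostname heuristic is the piece to tune: it deliberately treats any non-Amazon host with `aws` or `amazon` in a label as suspect, which catches `console.aws.consoleportal.tech` but will also surface legitimate third-party sites that mention AWS in their names, so feed the results into review rather than blocking on them directly.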
## Mitigation Strategies
- **Disable Root Access:** Enforce Service Control Policies (SCPs) to disable root user logins for non-management accounts.
- **Phishing-Resistant MFA:** Implement phishing-resistant MFA (e.g., FIDO security keys) for AWS Organization Management accounts (which may still allow root login).
- **SSO Authentication:** Enforce Single Sign-On (SSO) solutions for user access instead of relying on standalone IAM users or root logins.
- **Least Privilege:** Apply least privilege principles strictly and limit access to critical accounts (like Organization Root) to a minimal set of trusted individuals.
- **Logging:** Ensure Amazon CloudTrail is enabled so that the scope and impact of any credential compromise can be assessed immediately.
- **User Awareness:** Staff education regarding inspecting sender addresses and validating URLs.
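A worked form of the "Disable Root Access" item above, added here as an example rather than taken from the Wiz report: the SCP below follows the AWS-documented pattern of denying every action whose caller is an account's root user, and the small evaluator beside it shows which principal ARNs the condition actually matches. The account IDs and action names are constructed. Two caveats a practitioner needs: SCPs never apply to the Organizations management account, which is why the phishing-resistant MFA item exists, and an SCP constrains what root credentials can do after sign-in rather than preventing a phished password from being accepted at the console.

```python
"""Deny-root SCP plus a minimal matcher showing which principals it hits.
Added example, not from the Wiz article.  The policy follows the AWS
documented pattern for restricting the root user in member accounts; the
account IDs and actions used below are constructed.
"""
import fnmatch
import json

# SCP: deny every action when the caller is the account's root user.  SCPs do
# not apply to the management account, so its root still needs strong MFA.
DENY_ROOT_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyRootUserActions",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}
            },
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_denies(scp, principal_arn, action):
    """True if any Deny statement in `scp` matches the principal and action.

    Simplified evaluator: it handles Action wildcards and a StringLike
    aws:PrincipalArn condition, which is all this policy uses.  StringLike
    is case-sensitive in IAM, hence fnmatchcase rather than fnmatch.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        cond = stmt.get("Condition", {})
        patterns = _as_list(cond.get("StringLike", {}).get("aws:PrincipalArn", []))
        if patterns and not any(fnmatch.fnmatchcase(principal_arn, p) for p in patterns):
            continue
        return True
    return False


def scp_document():
    """The policy as the JSON text you would pass to Organizations."""
    return json.dumps(DENY_ROOT_SCP, indent=2)


if __name__ == "__main__":
    # Constructed account ID; root is denied, an IAM role in the same account is not.
    for arn in ("arn:aws:iam::111122223333:root",
                "arn:aws:iam::111122223333:role/AdminRole"):
        print(arn, "-> denied" if scp_denies(DENY_ROOT_SCP, arn, "s3:ListAllMyBuckets") else "-> allowed")
```

Write `scp_document()` to a file and create the policy with `aws organizations create-policy --name DenyRootUser --type SERVICE_CONTROL_POLICY --content file://deny-root.json`, then attach it with `aws organizations attach-policy` to the OU holding the member accounts; test it in a sandbox OU first, since a Deny on `*` for root also blocks the handful of root-only tasks (such as closing the account) until the policy is detached.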
## Related Tools/Techniques
- General AWS/Cloud Phishing Infrastructure (using services like Squarespace, CloudFront, SES to facilitate attacks).
- Link shortening services leveraged for obfuscation.