Summary
Netskope Threat Labs is tracking phishing campaigns that are abusing several free cloud services to host their websites and collect user information. These campaigns host their phishing sites in AWS Amplify which is available to free-tier users. Some phishing campaigns also abuse Telegram and Static Forms to collect users’ credentials. These phishing attacks aim to steal banking, webmail, and Microsoft 365 credentials, as well as victims’ card payment details. Netskope Threat Labs has reported all of the phishing domains to Amazon AWS and all of them have already been taken down.
In the last three months, Netskope Threat Labs has seen a five-fold increase in traffic to phishing pages hosted in AWS Amplify. These attacks have been targeting victims across different segments, led by the technology and finance verticals.
AWS Amplify Hosting Abuse
AWS Amplify provides a comprehensive solution that enables front-end developers to create, deploy and host full-stack applications.
AWS Amplify is easy to use and is offered on the free tier of AWS, which makes it attractive for attackers. They can easily recycle phishing pages to different accounts and environments, as Amplify gives the option to connect any code repository to deploy websites. Setting subdomains to look like legitimate services is easy as well because the environment name corresponds to the subdomain Amplify will use.
The phishing campaigns hosted on AWS Amplify target several platforms aiming to collect users’ login credentials. To trick users into providing their credentials, they used subdomain names that resemble the legitimate domain. For users to avoid this trap, they can use the URL format below to identify if the site they are visiting is hosted on AWS Amplify:
https://<environment_name>.<14_alphanumeric_string>.amplifyapp.com
Sample phishing page
A sample phishing page hosted on AWS Amplify replicated the login page of a financial institution, aiming to acquire users’ login credentials, mobile number and card payment information.
Providing login credentials will let you proceed to the next phishing stage where the victims’ mobile number will be requested. This mobile number was not used further on this phishing page so it is likely to be used in another scheme.
The phishing page does not check the mobile number’s format so any number will be accepted. The next phase of this phishing is collecting the target’s card payment details. All harvested information is then posted to a compromised website.
Static Forms abused to send phished credentials
When attackers steal credentials through a phishing page, they usually send the login information to a separate domain. They can either compromise a legitimate website, secure a newly registered domain, or use another service that can accomplish the same goal.
Some of the phishing pages hosted in AWS Amplify that Netskope Threat Labs is tracking abuse Static Forms to send the login credentials to the attacker. Static Forms is a free HTML form service that can be integrated into a website to submit collected user inputs to the registered user. This benefits the attacker as they no longer need to register a new domain or hijack a vulnerable website, they just need an email address to register to Static Forms.
Terra phishing site
Terra is a company based in Brazil that specializes in offering digital services, mobile solutions, and advertising. Attackers targeted Terra users in an attempt to collect their login credentials by mimicking Terra’s webmail login page.