Summary
Netskope Threat Labs is tracking phishing campaigns that are abusing several free cloud services to host their websites and collect user information. These campaigns host their phishing sites in AWS Amplify which is available to free-tier users. Some phishing campaigns also abuse Telegram and Static Forms to collect users’ credentials. These phishing attacks aim to steal banking, webmail, and Microsoft 365 credentials, as well as victims’ card payment details. Netskope Threat Labs has reported all of the phishing domains to Amazon AWS and all of them have already been taken down.
In the last three months, Netskope Threat Labs has seen a five-fold increase in traffic to phishing pages hosted in AWS Amplify. These attacks have been targeting victims across different segments, led by the technology and finance verticals.
AWS Amplify Hosting Abuse
AWS Amplify provides a comprehensive solution that enables front-end developers to create, deploy and host full-stack applications.
AWS Amplify is easy to use and is offered on the free tier of AWS, which makes it attractive for attackers. They can easily recycle phishing pages to different accounts and environments, as Amplify gives the option to connect any code repository to deploy websites. Setting subdomains to look like legitimate services is easy as well because the environment name corresponds to the subdomain Amplify will use.
The phishing campaigns hosted on AWS Amplify target several platforms aiming to collect users’ login credentials. To trick users into providing their credentials, they used subdomain names that resemble the legitimate domain. For users to avoid this trap, they can use the URL format below to identify if the site they are visiting is hosted on AWS Amplify:
https://<environment_name>.<14_alphanumeric_string>.amplifyapp.com
Sample phishing page
A sample phishing page hosted on AWS Amplify replicated the login page of a financial institution, aiming to acquire users’ login credentials, mobile number and card payment information.
Providing login credentials will let you proceed to the next phishing stage where the victims’ mobile number will be requested. This mobile number was not used further on this phishing page so it is likely to be used in another scheme.
The phishing page does not check the mobile number’s format so any number will be accepted. The next phase of this phishing is collecting the target’s card payment details. All harvested information is then posted to a compromised website.