Login
Get a Demo
Become a Partner
SOCRadar® Cyber Intelligence Inc. | Hackers Utilize AWS to Launch Phishing Attacks
Table Of Content
Home

Resources

Blog
Ağu 23, 2022
2 Mins Read

Hackers Utilize AWS to Launch Phishing Attacks

Phishing attacks are being launched by hackers using a tactic called Static Expressway. The newly-spread tactic lets hackers get their emails past Amazon Web Services (AWS) automated security scanners. 

Email security provider Avanan claims that scammers can send phishing emails, including the Amazon Web Services’ name, into corporate email systems to get past scanners that otherwise would block suspicious communications and give extra validity to fool targets. 

Researchers cited an instance of a tactic in which a cybercriminal used AWS to create and host a phishing message informing receivers that their password would soon expire. The user was instructed to click a button in the email with the Microsoft logo to maintain or change the password.

(Phishing message that looks like a typical email about password expiration, Source: Avanan)

The Static Expressway Technique

Attacks utilizing the Static Expressway technique have increased significantly recently. This technique lets threat actors enter inboxes by piggybacking on legitimate services.

Attacks leveraging the Static Expressway technique can also affect email services that use static allowlists. Some services are seen as secure in the static allowlist by default, and some services, such as Google, cannot even be blocked. Because a phishing email hosted by Amazon Web Services will be perceived as secure, it can pass the static solution.

The user’s domain and logo are visible when a user clicks on a malicious link sent by the threat actor. The technique is too widespread to be blocked all at once, and for the hacker to succeed, the user only needs to put minimal effort into entering their password.

(Malicious phishing page hosted on AWS, Source: Avanan) 

Security Tips to Prevent These Attacks

  • Test the destination before clicking on an URL. It can be done by hovering over it. 

  • Encourage end users to contact IT to confirm the legitimacy of an email. 

  • Encourage end users to see finance details before acting on a suspicious-looking request.
Related Articles
SOCRadar® Cyber Intelligence Inc. | Major Cyber Attacks in Review: March 2024
Major Cyber Attacks in Review: March 2024
Nis 16, 2024
SOCRadar® Cyber Intelligence Inc. | Cyber Reflections of Iran's Attack on Israel
Cyber Reflections of Iran's Attack on Israel
Nis 15, 2024
SOCRadar® Cyber Intelligence Inc. | Critical PHP Vulnerabilities: Update Now to Prevent Takeovers and Command Injection (CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, CVE-2024-2757)
Critical PHP Vulnerabilities: Update Now to Prevent Takeovers and Command Injection (CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, CVE-2024-2757)
Nis 15, 2024
SOCRadar® Cyber Intelligence Inc. | Critical OS Command Injection Vulnerability in Palo Alto's GlobalProtect Gateway: CVE-2024-3400. The patch is not available yet.
Critical OS Command Injection Vulnerability in Palo Alto's GlobalProtect Gateway: CVE-2024-3400. The patch is not available yet.
Nis 12, 2024
SOCRadar® Cyber Intelligence Inc. | Microsoft’s April 2024 Patch Tuesday, 149 Vulnerabilities Patched, Including 2 Zero-Day Vulnerabilities
Microsoft’s April 2024 Patch Tuesday, 149 Vulnerabilities Patched, Including 2 Zero-Day Vulnerabilities
Nis 10, 2024