In this article we take a look at a phishing campaign that pretends to be an Amazon AWS suspension notice for unpaid bills and looks good enough to trick many users.
A billing notice from a vendor, especially one like Amazon, stating that your account has been suspended for unpaid bills may confuse a user enough to click on the link in the email.
Attackers are capitalizing on this confusion by sending emails that pretend to be from Amazon AWS Support at email@example.com and use the subject “Your service has now been suspended”.
This email states that your account has been suspended because you are “Overdue on Payment” for a bill of $4.95 USD. It then prompts you to click on the “payment page” link to reactivate the service.
The full text of this email is shown below.
This is a notification that your service has now been suspended. The details of this suspension are below:
Product/Service: Unlimited Starter
Domain: domain.com
Amount: $4.95 USD
Due Date: 10/07/2019
Suspension Reason: Overdue on Payment
You can pay now using the payment page to reactivate your service.
If your account was suspended for reasons other than non-payment of outstanding dues, contact AWS customer support
Contact Us
When you click on the embedded link you will be brought to a fake Amazon AWS login page located at a site whose URL starts with aws.amazon.com but is actually hosted on a different domain. If you are viewing the email on mobile, the full link won’t be shown and users may be more easily confused.
When a victim enters their credentials, the information is saved for the phishers to retrieve later so that they can access the victim's account. The victim is then redirected to the legitimate AWS login page.
While some users may feel the emails are safe because they appear to come from a legitimate Amazon email address, it is always important to remember that the From address can be spoofed to show any account an attacker wants.
Therefore, even if a phishing email looks legitimate, it is important to pay attention to the URL of the landing page before entering your login credentials into a displayed login form. If you are on mobile, you can press and hold the link until the full URL is displayed to make sure it is not a fake landing site.
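The landing-page check described above can be made mechanical. The added example below (not code from the article) shows why "does the link start with aws.amazon.com" is the wrong test and compares it with a check on the URL's actual hostname; the phishing domain used in the samples is a constructed placeholder, not one from the campaign.

```python
from urllib.parse import urlsplit

# Legitimate sign-in host the phishing link imitates (named in the article).
LEGIT_HOST = "aws.amazon.com"


def host_of(url: str) -> str:
    """Return the lower-cased hostname a browser would actually connect to, or '' if none."""
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def naive_looks_legit(url: str) -> bool:
    """The glance a hurried user gives a link: does it begin with the brand? (Unsafe.)"""
    return url.lower().startswith(("https://aws.amazon.com", "http://aws.amazon.com"))


def is_legit_host(url: str, legit_host: str = LEGIT_HOST) -> bool:
    """Safe check: the hostname must be legit_host itself or a subdomain of it (suffix match on a dot)."""
    host = host_of(url)
    return host == legit_host or host.endswith("." + legit_host)


def misjudged_by_naive_check(urls) -> list:
    """URLs the prefix glance accepts but the hostname check rejects."""
    return [u for u in urls if naive_looks_legit(u) and not is_legit_host(u)]


# Constructed sample links mapped to whether they really land on the AWS host.
# "phish-placeholder.example" stands in for whatever domain an attacker controls.
SAMPLES = {
    "https://aws.amazon.com/console/": True,
    "https://signin.aws.amazon.com/signin": True,
    "https://aws.amazon.com.phish-placeholder.example/login": False,  # brand used as leading subdomain
    "https://aws.amazon.com@phish-placeholder.example/login": False,  # brand placed in the userinfo part
    "https://phish-placeholder.example/aws.amazon.com/login": False,  # brand buried in the path
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        print(f"{is_legit_host(url)!s:5}  host={host_of(url):45}  {url}")
    print("fooled the prefix check:", misjudged_by_naive_check(SAMPLES))
```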