An attempt to phish my Amazon Web Services account

Graham Cluley


Most of the phishing emails I see are fairly rudimentary, often targeting users of the same-old websites (Facebook, Apple, PayPal, etc…) or a variety of online banks. It’s not that unusual for the emails to be less than convincing.

What I don’t remember receiving before is an email purporting to come from Amazon Web Services (AWS), claiming that unless I confirm I have given my correct contact information for a domain’s WHOIS record, a website I administer could be suspended.

The email is professionally presented, and might fool unwary users into clicking on the link. So the potential is definitely there (especially if you do have a server running on AWS) for credentials to be stolen.

[Screenshot: the AWS phishing email]

Fortunately my wits were about me. The address the email was sent to was not the one I use for my AWS account.

But even if that hadn’t been the case, following the advice of the email and clicking on the link provided isn’t going to take anyone anywhere malicious. Why? Because the phishers malformed the link right at its beginning…

[Screenshot: the broken link]

We cannot always rely on criminals making elementary blunders with their phishing attacks, but thank heavens some still do.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

9 Replies to “An attempt to phish my Amazon Web Services account”

  1. Not to mention hitting almost every giveaway characteristic of the phishing email playbook:

    – generic salutation ('Dear customer,')
    – call to 'confirm details'
    – time limit ('within 5 days')
    – threat ('the domain has to be set on 'hold', which means it will not be useable')

    1. Actually there is a time limit but it's not 5 days. And if you don't react in 15 days they actually do do something; it can include locking it, suspending or even terminating it until the registrant fixes the mistake.

    1. I would not treat this as a clear sign.

      I have seen this specific wording as a result of changes between "does not get" and "is not" when QA was failing. Even in global companies addressing large customer groups.

  2. I was thinking that it looked 'okay' (where 'okay' is very loosely defined) until the little part about 'hold'. It is true that ICANN requires the contact information to be correct and it does indeed risk the domains being lost, but what does 'usable regularly' mean? As for on hold, it can't be used full stop. Also the 5 days sounded suspect to me. Looking at ICANN it's actually 15 days.

    That's in addition to the other things commentators here have already pointed out.

  3. I received the same e-mail yesterday. Except the link was not malformed. Unfortunately, I was foolish enough to click on it. I quickly closed the tab when I noticed all the weird redirects it was doing and changed all my Amazon passwords to be safe. Is there anything else I should do?

    It appears the malicious URL was going through two or three 302 redirects before doing something which I had never seen before and redirecting (without a 302) to the AWS login page.

    Is it more likely that it was intended to have the victim type its credentials? Or was it trying to steal the session cookies?

    1. If you're nervous you may want to ask your favourite friendly anti-virus company to take a look at the URL to see if they can see any evidence that the pages you were taken to might have tried to infect your computer, but the likelihood – I suspect – is that it was simply a phishing attack. If that's right then as long as you didn't enter your credentials you should be okay.
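The two things that gave this lure away in the post and the comments above (a link whose scheme was mangled right at its beginning, and the usual playbook of generic salutation, "confirm your details", a short deadline and a suspension threat) can be checked mechanically before anyone clicks. The script below is an added example written for this page, not code from the post or its commenters: it parses a constructed HTML email that mimics the lure, extracts every anchor, flags hrefs whose scheme is not http/https or whose host differs from the domain shown in the link text, and lists which of the commenters' cues the body text hits. The sample email, the `.invalid` hostname in it and the regexes are all assumptions made for the example.

```python
"""Triage helper for suspicious emails (added example, not from the post).

Extracts the links from an HTML email body, flags hrefs whose scheme is
malformed (the blunder that defused the AWS phish described in the post) or
whose host differs from the domain shown in the link text, and reports the
social-engineering cues the commenters listed. Everything here is
constructed for the example; no network access is made.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample that mimics the lure described in the post. The href's
# scheme is deliberately mangled ('hxtp') so the link goes nowhere, and the
# host uses the reserved .invalid TLD so it can never resolve.
SAMPLE_EMAIL = """\
<html><body>
<p>Dear customer,</p>
<p>Please confirm your WHOIS contact details within 5 days, otherwise the
domain has to be set on hold and will not be usable.</p>
<p><a href="hxtp://aws-verify.example-lure.invalid/login">https://aws.amazon.com/</a></p>
</body></html>
"""

# Cues from the first comment's "phishing playbook" list (patterns assumed).
CUES = {
    "generic salutation": re.compile(r"\bdear (customer|user|member)\b", re.I),
    "request to confirm details": re.compile(r"\bconfirm\b.*\b(details|information)\b", re.I),
    "short deadline": re.compile(r"\bwithin \d+ (days?|hours?)\b", re.I),
    "suspension threat": re.compile(r"\b(hold|suspend\w*|terminat\w*|locked?)\b", re.I),
}


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a>, plus all body text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._chunks = []      # all text nodes, for cue scoring
        self._href = None      # href of the anchor currently open, if any
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self._chunks.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None

    @property
    def text(self):
        return "".join(self._chunks)


def check_link(href, text):
    """Return a list of findings for one anchor; an empty list means nothing odd."""
    findings = []
    target = urlsplit(href)
    if target.scheme not in ("http", "https"):
        findings.append(f"malformed or unexpected scheme {target.scheme!r}")
    # If the visible text itself looks like a URL, its host should match the href's.
    shown = urlsplit(text)
    if shown.hostname and target.hostname and shown.hostname != target.hostname:
        findings.append(
            f"link text shows {shown.hostname} but href goes to {target.hostname}"
        )
    return findings


def score_cues(text):
    """Names of the playbook cues present in the email's plain text."""
    return [name for name, pattern in CUES.items() if pattern.search(text)]


def triage(html):
    """Parse an HTML email and return its cue hits and per-link findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {
        "cues": score_cues(parser.text),
        "links": [(href, check_link(href, text)) for href, text in parser.links],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EMAIL)
    print("cues hit:", ", ".join(report["cues"]))
    for href, findings in report["links"]:
        print(href, "->", "; ".join(findings) or "no findings")
```

The scheme check is what catches the post's broken link: a mangled prefix does not parse as `http` or `https`, so the finding is raised whether or not the rest of the URL looks plausible. The host comparison is the complementary case the commenter in reply 3 ran into, where the link was well formed and the visible text looked like the real login page; it only fires when the anchor text is itself a URL, since plain link text such as "Sign in" carries no host to compare.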
