How Phishing Attacks Have Exploited Amazon Web Services Accounts

Amazon has a massive presence across so many different countries. This has made the company a suitable target for exploitation in phishing campaigns. The target group of most phishing emails that impersonate Amazon is customers who use it on a retail level. Some of the attacks are designed to spoof customers on a business level. Recently phishing attacks have been focused on taking advantage of organizations using Amazon Web Services. The phishing emails have proven to be quite convincing. These campaigns can lead to compromise of business data of those companies which use Amazon’s cloud platform. 


This is a new cybersecurity threat in the IT space, and its effect is yet to be measured. Such cases shed light on the need for a network security engineer and a cyber security professional in every organization.


Table of Contents


  • What is AWS?
  • Phishing attacks
  • Consequences
  • Conclusion


If you want to know more about a cyber security expert’s role and responsibilities, take up cyber security training. 


What is AWS?


AWS or Amazon Web Services is an evolving, comprehensive cloud computing platform made available by Amazon. It includes a mixture of the platform as a Service (PaaS), packaged software as a service (SaaS), and infrastructure as service (IaaS) offerings. AWS’s services include organization tools such as database storage, content delivery services, and compute power. built an internal infrastructure to handle its online retail operations that were launched as AWS in 2006.AWS provided a cloud computing model that scaled to provide users with storage, computer, or throughput as per need. Also, it was one of the first companies that offered a pay-as-you-go model. 


There are many different kinds of solutions and tools offered by AWS for software developers and enterprises. The services are currently used in data centers in up to 190 countries. AWS services are employed by groups such as education institutions, government agencies, private and nonprofit organizations. Based on the user’s needs, the services provided by AWS are separated in different ways. The individual server maps and configuration options for an AWS service should be visible to users. Amazon Web Services portfolio comprises more than 100 services, including databases, computing, application development, infrastructure management, and security. The services are categorized into:


  1. Storage databases
  2. Compute
  3. Migration
  4. Data Management
  5. Hybrid Cloud
  6. Migration
  7. Development tools
  8. Networking
  9. Monitoring
  10. Management
  11. Governance
  12. Security
  13. Analytics
  14. Artificial Intelligence
  15. Big Data Management
  16. Messages and notification
  17. Mobile Development 

Phishing Attacks


One of the phishing campaigns involved attackers creating no-frills, a basic scam to get AWS users’ credentials. The emails are similar to any other regular email a customer would receive from a company like Amazon, boasting a clean and straightforward design. The emails’ message combined the right type of jargon with the right type of urgency, claiming that Amazon didn’t validate critical details. To remove account limit restriction, the recipient needs to confirm the information. The emails are intricate and thus look legitimate to even professionals. The footer contains general information, including the standard Terms of Use. A credible look-alike domain is created using a random collection of acronyms, abbreviations, and letters. This campaign used AWS to host the landing page with the identical domain name as in the From field. On the launch day of the attack, the phony AWS domain was registered through Amazon’s domain registrar. The spoofed page appeared to be legitimate when compared to the actual AWS page. The attack held credibility until the last stage. The process was redirected after the landing page captured the AWS credentials of any unsuspecting victims. Thus it was in safe hands. The campaign lasted only a few days before the fake AWS domain and malicious files were shut down on Amazon’s site. During its active phase, the scam has the potential to trick people through the use of an old yet effective social engineering hook, namely sending trigger warning to users. 


There are other types of schemes that can target AWS account holders. Another attack involved using the prevalent billing issue in which the mail claimed a due invoice for AWS, and the payment had to be done via the given link. The focus of this scam is to get a person’s financial information, including credit card data. Sending warnings ostensibly from AWS is another popular tactic. This attack involves telling the customer that their account will be blocked/restricted if the steps aren’t followed. Fake notices and fake AWS support tickets are also standard.




If an AWS account is compromised, it can damage the employer and individual in many ways. With business data, cybercriminals can carry out the following malicious acts:


  1. Ask for ransom from the organization for the data they have exfiltrated from the account. The hackers can also lock the organization out of the account.
  2. The sensitive data harvested from the account can further exploit partners, clients, or customers. 
  3. Financial data and skim money from accounts can be used to support financial service or online store
  4. An organization’s AWS account being used as a phishing platform involves exploiting the account to distribute viruses and host credential-phishing pages and other files necessary for phishing attacks. 
  5. The attackers can sabotage the organization’s business by corrupting or destroying data stored in their AWS account if not paid as per demand. 




These kinds of AWS-themed phishing attacks will be seen more in the coming time. There are chances of them getting more dangerous and more sophisticated. For protecting your organization from such attacks, it is advisable to bring your users up to speed on the latest social engineering schemes. This includes cyber security training with high-quality simulated phishing attacks. These training pieces should particularly be given to employees with cyber security certification who control vital resources and assets, such as an AWS account.


Leave a Reply

Your email address will not be published. Required fields are marked *