Hackers Hijack AWS Accounts with AiTM Phishing & Fake Domains

Summary
– Phishers are targeting AWS account holders with fake security alert emails that direct victims to a high-fidelity, cloned AWS login page.
– The campaign uses an adversary-in-the-middle (AiTM) proxy to steal credentials, authentication tokens, and MFA codes in real time.
– Attackers can rapidly access compromised accounts, with one observed case showing login within 20 minutes of credential submission.
– Successful breaches could allow attackers to view sensitive data, modify cloud resources, or create persistent access, depending on the account’s privileges.
– The same phishing infrastructure has been linked to campaigns impersonating Microsoft 365 and Apple iCloud, suggesting a shared phishing kit.
A sophisticated phishing campaign is actively targeting Amazon Web Services (AWS) account holders, using deceptive security alerts to steal login credentials and bypass multi-factor authentication. Security researchers have identified a threat that leverages fake domains and a technique known as adversary-in-the-middle (AiTM) to compromise cloud administrator accounts with alarming speed. This ongoing operation underscores the critical need for heightened vigilance and robust security measures within cloud environments.
The attack begins with a convincingly spoofed email, designed to appear as an official “AWS Organization Security Email” from a sender address meant to mimic Amazon. The message warns recipients of suspicious activity within their organization’s cloud environment, urging immediate action. A link within the email directs users to a fraudulent login page hosted on a typosquatted domain. These domains are carefully crafted to resemble legitimate AWS services or internal tools, increasing the likelihood that a hurried administrator might not notice the subtle discrepancy.
Once a victim lands on the page, the AiTM framework springs into action. This setup acts as a live proxy between the user and the real AWS authentication service. Every keystroke, including usernames, passwords and, crucially, multi-factor authentication (MFA) codes, is captured in real time by the attackers while being relayed to complete the login process. Because the proxy completes the legitimate login and holds the resulting authenticated session, standard MFA protections are bypassed seamlessly. Researchers observed one instance where the attackers authenticated to a compromised AWS account within a mere 20 minutes of the victim submitting their credentials, indicating either an automated system or an operator actively monitoring for new captures.
The consequences of a successful breach are severe and depend entirely on the compromised account’s level of access. In environments with high-level permissions, attackers could potentially view sensitive data, alter cloud resources, deploy malicious infrastructure, or create new user accounts to ensure they maintain persistent access long after the initial intrusion. The campaign’s infrastructure is designed for evasion, with domains registered just before deployment to avoid detection and takedown efforts.
Further investigation revealed that the same phishing kit administrative panel was found on servers linked to domains impersonating Microsoft 365 and Apple iCloud, suggesting the tools may be shared among different criminal groups targeting various platforms. While these specific domains were not active at the time of discovery, the connection points to a broader, adaptable threat.
To defend against such attacks, organizations must adopt a multi-layered security approach. Enforcing strong MFA protections, such as hardware security keys, which are resistant to AiTM phishing because the key's response is bound to the legitimate site's origin rather than to whatever page the user is looking at, is a fundamental step. Continuous monitoring for unusual login activity, especially from unfamiliar locations or VPN exit nodes, can provide early warning signs of compromise. Perhaps most importantly, ongoing user education is essential. Employees, particularly those with cloud access, must be trained to scrutinize email sender addresses, hover over links to inspect URLs, and be skeptical of unsolicited security alerts that demand urgent action.
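One way to put the login monitoring recommended above into practice, as an added example that is not from the original article: a Python check over constructed CloudTrail ConsoleLogin records (the field names follow CloudTrail's real schema; the user names, IP addresses and the KNOWN_NETWORKS baseline are assumed) that flags successful console logins from outside a user's usual networks and escalates when a second login from a different IP follows within a window sized to the article's 20-minute observation.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample CloudTrail ConsoleLogin records. Field names follow the real
# CloudTrail schema; user names and IP addresses are made up for this example.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventTime": "2024-05-01T10:03:00Z",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-05-01T10:19:00Z",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.77",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-05-01T11:00:00Z",
     "userIdentity": {"userName": "bob"}, "sourceIPAddress": "198.51.100.5",
     "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
]
# Assumed per-user baseline: networks each user's console logins normally come from.
KNOWN_NETWORKS = {"alice": ["203.0.113.0/24"], "bob": ["203.0.113.0/24"]}
WINDOW = timedelta(minutes=30)  # a second login from a new IP this soon is escalated

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def is_known(user, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in KNOWN_NETWORKS.get(user, []))

def find_suspicious_logins(events):
    """Alert on successful ConsoleLogin events from outside the user's baseline.
    MFAUsed=Yes does not clear the alert: an AiTM proxy relays the MFA code, so the
    attacker's session also shows MFA as used. A second success from a different IP
    within WINDOW of the previous one is raised to high severity."""
    alerts, last_success = [], {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventName") != "ConsoleLogin" or \
           ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        user = ev.get("userIdentity", {}).get("userName", "unknown")
        ip, t = ev["sourceIPAddress"], parse_time(ev["eventTime"])
        if not is_known(user, ip):
            prev = last_success.get(user)
            rapid = prev is not None and prev[0] != ip and t - prev[1] <= WINDOW
            alerts.append({"user": user, "ip": ip, "time": ev["eventTime"],
                           "mfa": ev.get("additionalEventData", {}).get("MFAUsed"),
                           "severity": "high" if rapid else "medium"})
        last_success[user] = (ip, t)
    return alerts
```

On the sample data the only alert is alice's second login from 198.51.100.77, sixteen minutes after a baseline login and with MFA reported as used, which is exactly the shape a relayed AiTM session leaves in CloudTrail.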
(Source: HelpNet Security)

