Phishing campaign abusing Google ads to target AWS logins

Published February 14, 2023
Author: Ash Khan

A new phishing campaign is targeting AWS logins: the attackers buy Google Ads so that their phishing sites appear among Google Search results, then harvest the credentials of users who click through.

Security researchers identified the campaign after spotting the fraudulent search results on January 30, 2023. A search for "AWS" returned the malicious advertisement in second place, directly below Amazon's own sponsored result.

The threat actors initially pointed the Google ad straight at the phishing page. They later inserted a redirection step, most likely to evade Google's ad-fraud detection.

The malicious Google ads send the victim to a Blogger (blogspot) site under the attacker's control, us1-eat-a-w-s.blogspot[.]com, which is a copy of a legitimate vegan cuisine blog.

Sorting stolen information

That site uses window.location.replace to immediately redirect the victim to a second domain hosting the forged AWS login page. Before entering an email address and password, the victim is asked whether they are a root user or an IAM user. That choice also helps the threat actors sort the stolen credentials by value: a root credential gives full control of the account, whereas the usefulness of an IAM credential depends on the permissions attached to it.

Sentinel Labs discovered the following phishing domains:

aws1-console-login[.]us
aws2-console-login[.]xyz
aws1-ec2-console[.]com
aws1-us-west[.]info

The phishing sites also contain JavaScript that disables right-clicking, middle-mouse clicking and keyboard shortcuts.

According to the researchers, this is intended to stop visitors from leaving the page, whether deliberately or by accident.
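The two client-side tricks described above, the window.location.replace hop from the Blogger page and the handlers that suppress right-click, middle-click and keyboard exits, are both visible in the page source, so a triage script can flag them without executing any JavaScript. The following Python is an added example for this page, not code from the researchers or from the phishing kit: the HTML sample is a constructed reconstruction of the kind of intermediate page the article describes, the allow-list of legitimate Amazon sign-in domains is an assumption, and the indicator list is the one published above with the defanging brackets removed.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not the real kit): a redirector page that blocks the
# usual ways of leaving and then hops to an AWS lookalike domain.
SAMPLE_HTML = """
<html><body>
<script>
document.addEventListener('contextmenu', function(e){ e.preventDefault(); });
document.addEventListener('auxclick', function(e){ e.preventDefault(); });
document.onkeydown = function(e){ return false; };
window.location.replace("https://aws1-console-login.us/signin?type=root");
</script>
</body></html>
"""

# Assumed allow-list: hosts under these suffixes are Amazon's own.
LEGIT_SUFFIXES = ("amazon.com", "amazonaws.com")

# Indicators published in the article, with the [.] defanging removed.
KNOWN_PHISHING_DOMAINS = {
    "aws1-console-login.us",
    "aws2-console-login.xyz",
    "aws1-ec2-console.com",
    "aws1-us-west.info",
}

# Client-side redirects: location = ..., location.href = ..., location.replace(...),
# location.assign(...), with or without the window. prefix.
REDIRECT_RE = re.compile(
    r"""(?:window\.)?location(?:\.href)?\s*(?:=|\.replace\s*\(|\.assign\s*\()\s*['"]([^'"]+)['"]"""
)

# Handlers that typically get hijacked to keep a victim on the page.
ANTI_EXIT_RE = re.compile(
    r"""(?:addEventListener\s*\(\s*['"](contextmenu|auxclick|keydown|mousedown)['"]"""
    r"""|on(contextmenu|auxclick|keydown|mousedown)\s*=)"""
)


def extract_redirects(html: str) -> list[str]:
    """Return the URLs the page sends the browser to via client-side JavaScript."""
    return REDIRECT_RE.findall(html)


def is_aws_lookalike(url: str) -> bool:
    """True if the host impersonates AWS: mentions 'aws' (hyphens ignored) and is
    not under an Amazon-owned suffix. Hyphen stripping catches 'a-w-s' style hosts."""
    host = urlparse(url).hostname or ""
    if any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES):
        return False
    return "aws" in host.replace("-", "")


def matches_known_ioc(url: str) -> bool:
    """True if the host is one of the published phishing domains."""
    return (urlparse(url).hostname or "") in KNOWN_PHISHING_DOMAINS


def anti_exit_handlers(html: str) -> list[str]:
    """Sorted, de-duplicated list of exit-blocking events the page hooks."""
    return sorted({a or b for a, b in ANTI_EXIT_RE.findall(html)})


def triage(html: str) -> dict:
    """Summarise a fetched page: redirect targets, lookalike/IOC hits, exit blocking.
    A lookalike or known-IOC redirect target alone is enough to mark it suspicious;
    the exit-blocking handlers are reported as a supporting signal."""
    redirects = extract_redirects(html)
    lookalikes = [u for u in redirects if is_aws_lookalike(u)]
    known = [u for u in redirects if matches_known_ioc(u)]
    return {
        "redirects": redirects,
        "lookalike_targets": lookalikes,
        "known_ioc_targets": known,
        "anti_exit_handlers": anti_exit_handlers(html),
        "suspicious": bool(lookalikes or known),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

In practice the input would be the HTML fetched from the ad's landing URL (with a browser-like User-Agent, since some kits serve a benign page to scanners); the regex approach deliberately stays static so it can run over proxy captures offline.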

Several clues point to a Brazilian origin: the comments and variable names in the JavaScript are in Portuguese, the root page of the Blogger site is modeled on a Brazilian dessert shop, and the Whois data used to register the domains points to a Brazilian individual.

Sentinel Labs reported the abuse to Cloudflare, which was fronting the phishing sites, and the account was swiftly terminated. The malicious Google Ads, however, remained live even though the sites they link to were no longer reachable.

A range of threat actors has recently turned to Google Ads as an alternative way of reaching potential victims through Google Search.

Such ads have recently been used to steal password manager accounts, to gain initial network access for ransomware deployment, and to distribute malware disguised as legitimate software. Researchers also found a campaign that delivered malware through Google Ads using virtualization technology.