Datadog Security Research identified an active adversary-in-the-middle (AiTM) phishing campaign using typosquatted domains and a reverse-proxy phishing kit to harvest validated AWS Console credentials and likely one-time passwords (OTPs). The operation used AWS SES click-tracking links, rapid infrastructure rotation, and post-compromise access from a Mullvad VPN egress node with console logins observed within 20 minutes of credential submission. #AWS #MullvadVPN
Key points
- Datadog observed an active AiTM credential-harvesting campaign that proxies authentication to the legitimate AWS sign-in endpoint in real time, likely capturing OTPs and session material.
- Phishing infrastructure used typosquatted domains and subdomains that mimic AWS naming and UI elements (including CloudFront-hosted assets and awsui stylesheets) to create high-fidelity sign-in clones.
- Two active phishing clusters and a related domain share the same registrar metadata (Registrar ID 3254), with Cluster 2 registered and deployed the same day it was observed, indicating rapid infrastructure rotation.
- Attackers leveraged AWS SES click-tracking (awstrack.me) and a multi-stage redirect chain to deliver and track phishing links, increasing perceived link reputation and campaign observability.
- Both phishing kit servers expose an administrative panel on TCP port 3000, likely used for real-time visibility of captures and campaign management; similar panels were linked to domains impersonating M365 and Apple.
- Within 20 minutes of credential submission, the attacker accessed the compromised AWS Console from a Mullvad VPN egress IP, suggesting automated credential testing or active operator monitoring.
MITRE Techniques
- [T1566] Phishing - Delivery of a credential-harvesting lure impersonating AWS Security Hub. ("The lure impersonates an AWS security notification, claiming: 'AWS Security Hub has detected unusual cross-account IAM role assumption patterns within your AWS Organization.'")
- [T1566.002] Phishing: Link - Use of AWS SES click-tracking and multi-stage redirects to deliver and track the phishing URL. ("https://rcxm95cx.r.us-east-2.awstrack.me/L0/https:%2F%2Fpost.spmailtechnolo.com%2F...")
- [T1036] Masquerading - Use of typosquatted domains and AWS-like subdomain patterns to impersonate legitimate AWS services. ("typosquatted domains that mimic AWS infrastructure naming conventions.")
- [T1583] Acquire Infrastructure - Registration and rapid deployment of multiple domains and hosting infrastructure through the same registrar. ("All domains share Registrar ID 3254 (CNOBIN INFORMATION TECHNOLOGY LIMITED).")
- [T1078] Valid Accounts - Use of stolen/harvested credentials to sign in to the AWS Console after phishing. ("Within 20 minutes of credential submission, the attacker authenticated to the AWS Console from 185.209.196[.]132")
- [T1539] Steal Web Session Cookie - Real-time reverse-proxying of authentication flows to capture session material and possibly OTPs by relaying responses between the victim and the legitimate AWS endpoint. ("The kit functions as a transparent reverse proxy, forwarding credentials to the legitimate AWS endpoint in real time and relaying responses back to the victim.")
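The SES click-tracking wrapper and AWS-like hostnames described in the key points and in T1566.002 / T1036 above can be triaged offline from mail-gateway or URL-sandbox logs. The following is an added example, not Datadog's code or part of the original report: it unwraps the destination embedded in an awstrack.me /L0/ link, refangs defanged indicators, and flags hostnames that stack AWS-flavoured labels on a non-AWS apex. The allowlisted apexes, the label set and the trailing path of the sample link are assumptions.

```python
# Added example (not Datadog's code): unwrap SES click-tracking links and flag AWS
# lookalike hostnames in a redirect chain observed by a mail gateway or URL sandbox.
from typing import Optional
from urllib.parse import unquote, urlparse

# Assumption: apexes under which genuine AWS sign-in/console hosts live.
AWS_LEGIT_APEXES = ("amazon.com", "amazonaws.com")
# Labels the campaign stacked on unrelated apexes to imitate AWS naming (assumed set).
AWS_FLAVOURED_LABELS = {"aws", "signin", "console", "amazonaws", "cloudfront"}


def refang(indicator: str) -> str:
    """Turn a defanged IoC such as 'cloud-recovery[.]net' back into a usable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def extract_awstrack_destination(url: str) -> Optional[str]:
    """Return the real target wrapped by an awstrack.me /L0/ link, or None.

    SES click-tracking links carry the destination as a percent-encoded path
    segment directly after /L0/; later segments are SES bookkeeping.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host != "awstrack.me" and not host.endswith(".awstrack.me"):
        return None
    segments = [s for s in parsed.path.split("/") if s]
    if len(segments) < 2 or segments[0] != "L0":
        return None
    return unquote(segments[1])


def is_aws_lookalike(host: str) -> bool:
    """True when AWS-flavoured labels sit on a hostname outside the AWS apexes."""
    host = host.lower().rstrip(".")
    if any(host == apex or host.endswith("." + apex) for apex in AWS_LEGIT_APEXES):
        return False
    return not AWS_FLAVOURED_LABELS.isdisjoint(host.split("."))


def triage_chain(urls: list) -> list:
    """Classify each hop of an observed redirect chain (tracking links unwrapped first)."""
    findings = []
    for url in urls:
        dest = extract_awstrack_destination(url) or url
        host = (urlparse(dest).hostname or "").lower()
        findings.append({"hop": url, "host": host, "aws_lookalike": is_aws_lookalike(host)})
    return findings


# Constructed sample chain: first hop is the link from the report with a made-up
# trailing path; the final hop uses the report's defanged harvesting subdomain.
SAMPLE_CHAIN = [
    "https://rcxm95cx.r.us-east-2.awstrack.me/L0/https:%2F%2Fpost.spmailtechnolo.com%2F/1/CONSTRUCTED-ID/",
    "https://" + refang("signin.aws.cloud-recovery[.]net") + "/",
]
```

Only the first hop is recoverable without network access; intermediate hops such as post.spmailtechnolo.com look benign by name alone, so the landing host from the sandbox or proxy log is what the lookalike check should be run on.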
Indicators of Compromise
- [IP Address] Phishing kit servers - 178.16.54[.]142, 69.67.172[.]30
- [IP Address] Attacker post-compromise access (Mullvad VPN egress) - 185.209.196[.]132
- [Domain] Phishing and infrastructure root domains - cloud-recovery[.]net, cloud-policy[.]com (and cloud-recovery[.]us)
- [Subdomain] Credential harvesting and product pages - signin.aws.cloud-recovery[.]net, signin.aws.cloud-policy[.]com
- [URL / Redirect] Click-tracking and redirect chain used in lures - rcxm95cx.r.us-east-2.awstrack.me (awstrack.me), post.spmailtechnolo.com
- [Registrar] Shared registration metadata linking clusters - Registrar ID 3254 (CNOBIN INFORMATION TECHNOLOGY LIMITED)
Read more: https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-campaign/