Malicious Google Ads were used to promote AWS credential phishing pages, delivered through a multi-hop redirection chain; once credentials are submitted, the victim is forwarded to the legitimate AWS login page. The operation uses a proxy Blogspot page, anti-analysis JavaScript and Brazil-linked infrastructure to harvest AWS credentials. Hashtags: #GoogleAds #AWS
Keypoints
- Malvertising campaign drives credential phishing for AWS via Google Ads, identified in late Jan 2023.
- Ad traffic first hits an actor-controlled hop domain, then redirects to the actual phishing page on a second domain.
- Campaign shifted to a Blogspot proxy (us1-eat-a-w-s.blogspot[.]com) to evade automated ad-detection before redirecting to aws1-console-login[.]us/login.
- Phishing pages display a spoofed AWS login and, after credential submission, redirect the victim to the legitimate AWS login page.
- Phishing pages employ anti-analysis JavaScript (blocking right-click, middle-click and keyboard shortcuts) and multilingual elements (Portuguese), with code copied from legitimate sites.
- Infrastructure ties include Cloudflare-protected domains later moved to AWS hosting, plus Brazil-linked WHOIS details including the registrant email pedrolimasantos065@gmail[.]com.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Link – The attackers deliver credential phishing via malicious Google Ads that lead users to a phishing page. Quote: “The ad itself goes to a hop domain… This first hop then redirects to the actual credentials phishing page.”
- [T1036] Masquerading – The attacker uses a copy of a legitimate site (e.g., a vegan blog) and a Blogger domain to disguise the phishing page. Quote: “The content of the us1-eat-a-w-s.blogspot[.]com website is a copy of a legitimate vegan food blog.”
- [T1056.003] Input Capture: Web Form – Credentials are entered on a spoofed AWS login form; after submission the victim is redirected. Quote: “After the user enters their credentials, the final zconfig01.php page is loaded.”
- [T1562.001] Impair Defenses – Disable/modify browser features to hinder analysis (disable right-click and middle-click). Quote: “A JavaScript function disables the right-click context menu and middle mouse button click on the web page.”
- [T1036] Masquerading – Reuse of legitimate site design/code and domain masquerading to appear legitimate. Quote: “root page of the blogger domain mimics a legitimate Brazilian dessert business.”
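The anti-analysis and Portuguese-language traits listed above are cheap to check for statically when triaging a captured phishing page. The following is an added example (not SentinelOne's code and not from the blog post): a small heuristic scorer that looks for the right-click, middle-click and keyboard-shortcut blockers plus Portuguese strings on a page that claims to be an AWS sign-in. The regexes and the two sample pages are constructed for this example; the finding names are arbitrary labels.

```python
import re

# Heuristic patterns for the browser-feature blockers described in the summary.
# Each one looks for the event or key check followed, within a short span,
# by preventDefault() or "return false". Patterns are assumptions for this example.
ANTI_ANALYSIS_PATTERNS = {
    "block-context-menu": re.compile(
        r"contextmenu[\s\S]{0,120}?(preventDefault|return\s+false)", re.I),
    "block-middle-click": re.compile(
        r"(auxclick|\bbutton\s*==?=?\s*1\b|\bwhich\s*==?=?\s*2\b)"
        r"[\s\S]{0,120}?(preventDefault|return\s+false)", re.I),
    "block-devtools-keys": re.compile(
        r"(keyCode|which|key)\s*==?=?\s*(123|['\"]F12['\"])", re.I),
    "block-view-source": re.compile(
        r"ctrlKey[\s\S]{0,80}?(keyCode|which)\s*==?=?\s*(85|73|83)", re.I),
}

# Portuguese UI words (or a pt language tag) on a page branded as AWS are a mismatch worth flagging.
PORTUGUESE_HINTS = re.compile(
    r"\b(senha|entrar|usu[a\u00e1]rio|acessar|conta)\b|lang=[\"']pt", re.I)
AWS_BRANDING = re.compile(r"amazon web services|\baws\b", re.I)


def score_page(html: str) -> dict:
    """Return the matched heuristic names and a simple count as the score."""
    findings = [name for name, rx in ANTI_ANALYSIS_PATTERNS.items() if rx.search(html)]
    if AWS_BRANDING.search(html) and PORTUGUESE_HINTS.search(html):
        findings.append("portuguese-strings-on-aws-branded-page")
    return {"findings": findings, "score": len(findings)}


# Constructed sample resembling the traits the summary describes (not a real captured page).
SAMPLE_PAGE = """\
<html lang="pt-BR"><head><title>Amazon Web Services Sign-In</title></head>
<body>
<form method="post" action="zconfig01.php">
  <input name="email" placeholder="Root user email address">
  <input type="password" name="password" placeholder="Senha">
  <button type="submit">Sign in</button>
</form>
<script>
document.addEventListener('contextmenu', function(e){ e.preventDefault(); });
document.onmousedown = function(e){ if (e.button == 1) { return false; } };
document.onkeydown = function(e){
  if (e.keyCode == 123) { return false; }
  if (e.ctrlKey && e.keyCode == 85) { return false; }
};
</script>
</body></html>
"""

# Constructed benign page for comparison.
BENIGN_PAGE = """\
<html lang="en"><head><title>Team wiki</title></head>
<body><form action="/search"><input name="q"></form>
<script>document.addEventListener('click', function(e){ console.log(e.button); });</script>
</body></html>
"""

if __name__ == "__main__":
    print(score_page(SAMPLE_PAGE))
    print(score_page(BENIGN_PAGE))
```

The score is deliberately crude: any one finding is common on legitimate sites, but several together on a page that also claims to be an AWS sign-in form is a strong triage signal. Treat the output as a prioritisation aid, not a verdict.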
Indicators of Compromise
- [Domain] Malicious domains used in the campaign – us1-eat-a-w-s.blogspot[.]com, aws1-console-login[.]us, aws2-console-login[.]xyz, aws1-ec2-console[.]com, aws1-us-west[.]info
- [IP Address] Hosting for phishing pages – 54.214.158.248, 35.167.172.179
- [Email] Registrant contact – pedrolimasantos065@gmail[.]com
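To put the indicators above and the redirect chain from the keypoints to use, a defender typically matches them against web-proxy logs and then looks for the tell-tale sequence of a flagged host followed shortly by the real AWS sign-in (the hand-off that happens after credentials are submitted). The following is an added example, not code from SentinelOne or from the blog post. The log format (timestamp, client, method, URL, status) and the log lines are constructed for the example; the "aws<digit>-…console/login" lookalike regex and the five-minute window are assumptions.

```python
import re
from datetime import datetime
from ipaddress import ip_address
from typing import Optional
from urllib.parse import urlsplit

# Indicators from the summary, in defanged form.
DEFANGED_DOMAINS = [
    "us1-eat-a-w-s.blogspot[.]com",
    "aws1-console-login[.]us",
    "aws2-console-login[.]xyz",
    "aws1-ec2-console[.]com",
    "aws1-us-west[.]info",
]
DEFANGED_IPS = ["54.214.158.248", "35.167.172.179"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_IPS = {ip_address(refang(i)) for i in DEFANGED_IPS}

# Domains that legitimately serve the AWS console; anything else that looks like AWS is suspect.
LEGIT_AWS_SUFFIXES = ("amazonaws.com", "amazon.com")

# Assumed lookalike heuristic modelled on this campaign's naming: an "aws<digit>-" label
# containing console/login/ec2/signin tokens on a domain outside Amazon's control.
LOOKALIKE = re.compile(r"(^|\.)aws\d*-[a-z0-9-]*(console|login|ec2|signin)[a-z0-9-]*\.[a-z]+$")


def is_legit_aws(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in LEGIT_AWS_SUFFIXES)


def classify_host(host: str) -> Optional[str]:
    """Exact IoC match first (domain, then IP), then the lookalike heuristic."""
    host = host.lower().rstrip(".")
    if host in IOC_DOMAINS:
        return "ioc-domain"
    try:
        if ip_address(host) in IOC_IPS:
            return "ioc-ip"
    except ValueError:
        pass  # not an IP literal
    if not is_legit_aws(host) and LOOKALIKE.search(host):
        return "aws-lookalike"
    return None


def _records(text: str):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5:
            ts, client, method, url, status = parts[:5]
            yield ts, client, (urlsplit(url).hostname or "").lower()


def scan_proxy_log(text: str) -> list:
    """Every request whose host hits an IoC or the lookalike heuristic."""
    return [{"ts": ts, "client": c, "host": h, "verdict": classify_host(h)}
            for ts, c, h in _records(text) if classify_host(h)]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def clients_likely_phished(text: str, window_s: int = 300) -> set:
    """Clients that reached a flagged host and then the real AWS sign-in within the window,
    i.e. the phish-page -> legitimate-login hand-off described in the summary."""
    last_flagged, phished = {}, set()
    for ts, client, host in _records(text):
        if classify_host(host):
            last_flagged[client] = _ts(ts)
        elif is_legit_aws(host) and client in last_flagged:
            if (_ts(ts) - last_flagged[client]).total_seconds() <= window_s:
                phished.add(client)
    return phished


# Constructed proxy log (not real traffic); one client walks the full chain.
SAMPLE_PROXY_LOG = """\
2023-01-25T10:01:02Z 10.0.0.15 GET https://www.google.com/search?q=aws+console 200
2023-01-25T10:01:09Z 10.0.0.15 GET https://us1-eat-a-w-s.blogspot.com/ 200
2023-01-25T10:01:11Z 10.0.0.15 GET https://aws1-console-login.us/login 200
2023-01-25T10:01:40Z 10.0.0.15 POST https://aws1-console-login.us/zconfig01.php 302
2023-01-25T10:01:41Z 10.0.0.15 GET https://signin.aws.amazon.com/signin 200
2023-01-25T10:05:00Z 10.0.0.22 GET http://54.214.158.248/login 200
2023-01-25T10:07:13Z 10.0.0.31 GET https://aws3-console-signin.top/ 200
2023-01-25T10:08:00Z 10.0.0.31 GET https://console.aws.amazon.com/ 200
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    print("likely phished:", sorted(clients_likely_phished(SAMPLE_PROXY_LOG)))
```

A client that appears in `clients_likely_phished` has probably already submitted credentials, so the response is rotating the affected root or IAM user's password and access keys and reviewing CloudTrail for sign-in events from unfamiliar sources, not just blocking the domains. The lookalike regex is intentionally narrow to the pattern seen here and will need tuning for other campaigns.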
Read more: https://www.sentinelone.com/blog/cloud-credentials-phishing-malicious-google-ads-target-aws-logins/