An attempt to phish my Amazon Web Services account

Most of the phishing emails I see are fairly rudimentary, often targeting users of the same-old websites (Facebook, Apple, PayPal, etc…) or a variety of online banks. It’s not that unusual for the emails to be less than convincing.

What I don’t remember receiving before is an email purporting to come from Amazon Web Services (AWS), claiming that unless I confirm I have given my correct contact information for a domain’s WHOIS record, a website I administer could be suspended.

The email is professionally presented, and might fool unwary users into clicking on the link. So the potential is definitely there (especially if you do have a server running on AWS) for credentials to be stolen.


[Image: the AWS phishing email]

Fortunately my wits were about me. The address the email was sent to was not the one I use for my AWS account.

But even if that hadn’t been the case, following the advice of the email and clicking on the link provided isn’t going to take anyone anywhere malicious. Why? Because the phishers malformed the link right at its beginning…

[Image: the broken link at the start of the email's URL]

We cannot always rely on criminals making elementary blunders with their phishing attacks, but thank heavens some still do.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

9 comments on “An attempt to phish my Amazon Web Services account”

  1. Vog Bedrog

    Not to mention hitting almost every giveaway characteristic of the phishing email playbook:

    – generic salutation ('Dear customer,')
    – call to 'confirm details'
    – time limit ('within 5 days')
    – threat ('the domain has to be set on 'hold', which means it will not be useable')

    1. coyote · in reply to Vog Bedrog

      Actually there is a time limit but it's not 5 days. And if you don't react in 15 days they actually do do something; it can include locking it, suspending or even terminating it until the registrant fixes the mistake.

    2. coyote · in reply to Vog Bedrog

      Oh and when a domain is in hold it cannot be used.

  2. damoor

    “does not resolved”
    Not an English speaker!

    1. Heiko · in reply to damoor

      I would not treat this as a clear sign.

      I have seen this specific wording as a result of changes between "does not get" and "is not" when QA was failing. Even in global companies addressing large customer groups.

  3. damoor25

    Then they are also wrong, poor English.

  4. coyote

    I was thinking that it looked 'okay' (where 'okay' is very loosely defined) until the little part about 'hold'. It is true that ICANN requires the contact information to be correct and it does indeed put the domain at risk of being lost, but what does 'usable regularly' mean? As for on hold, it can't be used full stop. Also the 5 days sounded suspect to me. Looking at ICANN, it's actually 15 days.

    That's in addition to the other things commentators here have already pointed out.

  5. mike

    I received the same e-mail yesterday. Except the link was not malformed. Unfortunately, I was foolish enough to click on it. I quickly closed the tab when I noticed all the weird redirects it was doing and changed all my Amazon passwords to be safe. Is there anything else I should do?

    It appears the malicious URL was going through two or three 302 redirects before doing something which I had never seen before and redirecting (without a 302) to the AWS login page.

    Is it more likely that it was intended to have the victim type in their credentials? Or was it trying to steal the session cookies?

    1. Graham Cluley · in reply to mike

      If you're nervous you may want to ask your favourite friendly anti-virus company to take a look at the URL to see if they can see any evidence that the pages you were taken to might have tried to infect your computer, but the likelihood – I suspect – is that it was simply a phishing attack. If that's right then as long as you didn't enter your credentials you should be okay.
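Mike's question about what the link was doing, and the broken link in the email itself, are both things a practitioner can examine without a browser: first check that the URL is even well-formed, then walk the redirect chain hop by hop, looking only at status codes and Location headers (and, for a final hop that "redirects without a 302", at a meta refresh tag), never rendering the page. The script below is an added example, not code from this post or from any of its commenters. It assumes a fetch(url) callable that returns (status, headers, body) without following redirects itself; the hostnames and the hop sequence in FAKE_RESPONSES are constructed for the demo so it runs offline.

```python
import re
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Catches the common <meta http-equiv="refresh" content="0; url=..."> form
# (attribute order assumed as written). A JavaScript redirect such as
# location.href = "..." is not detected; see the usage note.
META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]*content=["']?\d+\s*;\s*url=([^"'>\s]+)""",
    re.IGNORECASE,
)


def check_link(url):
    """Return a reason if the link cannot even be followed (like the
    malformed one in the email), otherwise None."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.netloc:
        return f"malformed link: scheme={p.scheme!r} host={p.netloc!r}"
    return None


def next_hop(url, status, headers, body):
    """Where this response sends us next, as (url, how), or None if it is
    the page that finally renders."""
    if status in REDIRECT_CODES:
        loc = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if loc:
            return urljoin(url, loc), f"http {status}"
    m = META_REFRESH.search(body or "")
    if m:
        return urljoin(url, m.group(1)), "meta refresh"
    return None


def trace_redirects(url, fetch, max_hops=10):
    """Follow the chain hop by hop without rendering anything.

    fetch(url) must return (status, headers, body) and must NOT follow
    redirects itself. Returns a list of (url, how_we_got_here); the last
    entry is the page a browser would finally have shown."""
    reason = check_link(url)
    if reason:
        raise ValueError(reason)
    chain = [(url, "start")]
    for _ in range(max_hops):
        current = chain[-1][0]
        status, headers, body = fetch(current)
        hop = next_hop(current, status, headers, body)
        if hop is None:
            return chain
        chain.append(hop)
    raise RuntimeError("hop limit reached; probably a redirect loop")


def hosts(chain):
    """The hostnames the chain passes through, which is what to look at
    when the final page merely looks like the real login."""
    return [urlparse(u).hostname for u, _ in chain]


# Constructed stand-in for the two or three 302s followed by a non-302 hop
# that mike describes. None of these hostnames are real.
FAKE_RESPONSES = {
    "http://aws-verify.example/confirm?u=1":
        (302, {"Location": "http://track.example/r?id=7"}, ""),
    "http://track.example/r?id=7":
        (302, {"Location": "/landing"}, ""),
    "http://track.example/landing":
        (200, {"Content-Type": "text/html"},
         '<html><meta http-equiv="refresh" content="0; url=https://login.example.net/aws/signin"></html>'),
    "https://login.example.net/aws/signin":
        (200, {"Content-Type": "text/html"},
         '<html><form action="/signin"><input name="password"></form></html>'),
}


def fake_fetch(url):
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    for u, how in trace_redirects("http://aws-verify.example/confirm?u=1", fake_fetch):
        print(f"{how:14} {u}")
    print("malformed:", check_link("ttp://aws-verify.example/confirm"))
```

For a real link, supply a fetch built on `requests.get(url, allow_redirects=False)` (or a urllib opener whose redirect handler returns None), run it from a disposable machine rather than the one that received the email, and read the list of hostnames rather than the final page: a chain that ends on a page styled like the AWS console but hosted somewhere else is the credential-harvesting case, and a JavaScript redirect the script cannot see is one more reason not to trust the last hop alone.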
