Fake Amazon Web Services Billing Notification Used in Credential Theft Attempt
In this phishing attack, cybercriminals use a spoofed address to impersonate Amazon Web Services (AWS) and deliver a fraudulent billing statement. The email, with the subject line “Amazon Web Services Billing Statement Available,” claims that the recipient owes $18.60 for the latest billing period. The message instructs the target to click a link to visit the Billing & Cost Management page for a full breakdown of charges. However, should the target click the embedded link, they will be redirected to a malicious website designed to steal AWS credentials or other sensitive information.
Legacy email security tools struggle to accurately identify this email as an attack because it is sent from a spoofed email address, doesn’t use any attachments, and originates from a sender the recipient hasn’t interacted with before. Modern, AI-powered email security solutions flag that the sender domain does not match any of the domains linked in the message, detect the presence of links leading to suspicious domains, and recognize common language used in financial theft scenarios to correctly identify this email as an attack.

Phishing email disguised as billing notification from Amazon Web Services (AWS)
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The attacker spoofs a legitimate-sounding email address, bypassing basic email verification checks and adding perceived authenticity.
- Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
- Unknown Sender: The email comes from a sender the recipient's email system has not interacted with before. Legacy security tools often struggle to assess the risk of new senders accurately.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Unusual Sending Behavior: The sender domain does not match any of the domains found in the body links, raising suspicion.
- Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
- Financial Theft Language: The email contains language consistent with an attempt to steal money from the recipient, a common tactic that Abnormal’s content analysis and NLP algorithms identify to detect potential financial fraud.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
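Two of the indicators listed above, the sender/link domain mismatch and billing-themed wording, can be approximated with standard header and HTML parsing. The following is an added example, not Abnormal's detection code; the sample message, its placeholder domains, the phrase list and the names `triage`, `base_domain` and `LinkCollector` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; the address and domains are placeholders.
SAMPLE = """\
From: "Amazon Web Services" <no-reply@aws-billing.example>
Subject: Amazon Web Services Billing Statement Available
Content-Type: text/html; charset="utf-8"

<p>Your total charges for this billing period are $18.60.</p>
<p>Visit <a href="https://console.signin-portal.invalid/billing">Billing &amp; Cost Management</a>.</p>
"""

# Illustrative phrase list (assumption), standing in for real content analysis.
FINANCE_TERMS = re.compile(r"billing statement|total charges|invoice|payment due|\$\d", re.I)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = set()  # hostnames seen in <a href="..."> attributes
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        host = urlsplit(href).hostname if href else None
        if host:
            self.hosts.add(host.lower())

def base_domain(host):
    # Naive last-two-labels rule (assumption); use the Public Suffix List in production.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw):
    msg = message_from_string(raw)
    sender_domain = base_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    # Decode every text part so multipart messages are covered as well.
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    links = LinkCollector()
    links.feed(body)
    link_domains = {base_domain(h) for h in links.hosts}
    return {
        "sender_domain": sender_domain,
        "link_domains": sorted(link_domains),
        "sender_link_mismatch": bool(link_domains) and sender_domain not in link_domains,
        "financial_language": bool(FINANCE_TERMS.search(f"{msg.get('Subject', '')} {body}")),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Neither signal is conclusive on its own, since legitimate mail often links to third-party domains; treat the combination as a reason for closer inspection rather than a verdict.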
Please note that the exact detection mechanisms in Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.