Sentinel Labs has discovered a recent phishing campaign targeting Amazon Web Services logins. The malicious search results were seen on January 30, 2023, and the bad ads ranked second in searches for AWS, right behind Amazon's own promoted search result. The attackers initially linked the ad directly to the phishing page, but later added a redirection step to try to avoid detection by Google's ad fraud detection systems. This redirection takes the victim to a website that looks like a legitimate vegan food blog but is actually under the attackers' control. From there, the victim is taken to a fake AWS login page that is made to look authentic. The page also has a JavaScript function that disables right clicks, middle mouse buttons, and keyboard shortcuts, likely to prevent the victim from navigating away from the page.

The WHOIS details used to register the domains point to a Brazilian person, and the JavaScript code comments and variables are in Portuguese. Sentinel Labs reported the abuse to Cloudflare, which quickly shut down the account, but the malicious Google Ads remain.

Cybercriminals have lately been abusing Google Ads as an alternative way to reach potential victims, using them for phishing password manager accounts, ransomware deployment, and malware distribution. Last week, Sentinel Labs discovered a campaign that uses virtualization technology together with Google Ads to spread malware that is harder for antivirus tools to detect.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 09 Feb 2023 18:37:03 +0000