Attackers are deploying a deceptive phishing campaign that utilizes a fake PDF incident report hosted on Amazon Web Services to manipulate users. By fabricating reports of unusual login activity, the scheme attempts to pressure victims into enabling two-factor authentication through a fraudulent interface.
Security consultant Xavier Mertens recently identified a phishing operation that leverages the infrastructure of Amazon Web Services to host deceptive content. The campaign specifically targets users of the MetaMask cryptocurrency wallet by sending them a fake security incident report. While the technical execution of the campaign is described as poorly crafted, it relies on psychological triggers to achieve its goals.
The initial contact involves a message containing a link to an AWS-hosted page that serves a PDF document titled "Security Reports". This document is not inherently malicious or infected with malware, as researchers found it was generated using a standard library called ReportLab. Instead of using code to infect a device, the PDF acts as a social engineering tool designed to look like a legitimate corporate warning.
Once a user opens the file, they are presented with claims of unauthorized access or unusual activity on their account. This creates a sense of urgency and fear, which is a common tactic used to bypass a person’s natural skepticism. The primary objective is to convince the recipient that their digital assets are at risk unless they take immediate action to secure their account.
The instructions within the fake report direct users to a phishing site where they are prompted to enable two-factor authentication. By capturing the information entered into this fraudulent portal, the attackers can gain the very access they claimed to be protecting against. The use of AWS S3 buckets to host these pages helps the attackers bypass some basic security filters that might otherwise block unknown or low-reputation domains.
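A defender triaging a document like this can check the same points statically: the producer string, the absence of active content, and where its links lead. The sketch below is an added example, not code from the original analysis; it assumes the lure carries its destination as a link annotation, and the sample PDF fragment, the placeholder phishing host and the brand allowlist are all constructed.

```python
import re
from urllib.parse import urlparse

# PDF name objects that signal active content (what pdfid-style triage counts).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")
# Assumption: domains the impersonated brand legitimately uses.
BRAND_DOMAINS = {"metamask.io"}

# Constructed fragment of a lure PDF (not the campaign's file); .example is a placeholder host.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Producer (ReportLab PDF Library - www.reportlab.com) "
    b"/Title (Security Reports) >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://metamask-2fa.example/verify) >> >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://metamask.io/) >> >> endobj\n"
    b"%%EOF\n"
)

def triage_pdf(data: bytes, brand_domains=BRAND_DOMAINS) -> dict:
    """Static triage: producer string, active-content keys, off-brand link targets.

    Only sees objects stored uncompressed; object streams need a real PDF parser.
    """
    producer = re.search(rb"/Producer\s*\(([^)]*)\)", data)
    active = [k.decode() for k in ACTIVE_KEYS
              if re.search(re.escape(k) + rb"(?![A-Za-z])", data)]
    off_brand = []
    for raw in re.findall(rb"/URI\s*\(([^)]*)\)", data):
        url = raw.decode("latin-1")
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in brand_domains):
            off_brand.append(url)
    if active:
        verdict = "active content present"
    elif off_brand:
        verdict = "social-engineering lure"
    else:
        verdict = "no findings"
    return {
        "producer": producer.group(1).decode("latin-1") if producer else None,
        "active_content": active,
        "off_brand_links": off_brand,
        "verdict": verdict,
    }

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

A clean result on the active-content check is not a clean bill of health: a file with no scripts and an off-brand link is exactly the profile of the lure described here.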
Despite the deceptive nature of the documents, the campaign’s lack of sophistication in its design and messaging may limit its effectiveness against more experienced users. However, the reliance on trusted cloud service providers like Amazon continues to be a growing trend among cybercriminals looking to lend an air of legitimacy to their malicious activities.
Source: Poorly Crafted Phishing Campaign Uses Fake Security Incident Report


