Many customers that use Amazon Web Services are receiving emails from postmaster@amazon[dot]com with a subject line that states “Your service has now been suspended.” Overdue bill payments, specifically a bill for $4.95 USD, is what the email claims to be the cause of the account suspension. A link is provided in the email that will take the receiver to a payment page. A transcript of the email is as follows.
This is a notification that your service has now been suspended. The details of this suspension are below:
Product/Service: Unlimited Starter
Domain: domain.com
Amount: $4.95 USD
Due Date: 10/07/2019
Suspension Reason: Overdue on Payment
You can pay now using the payment page to reactivate your service.
If your account was suspended for reasons other than non-payment of outstanding dues, contact AWS customer support Contact Us
When customers click on the link in the email, they directed to a phony website hosted on a separate domain, but in order to try and trick people, the attacker has chosen a URL that starts with aws[.]amazon[.]com. This domain mirrors the domain for Amazon Web Services but because of a redirect, it is not the authentic site. In a browser, the entire URL will be displayed which could make it easier for a victim to see the faulty address but on a mobile device, the links do not always get fully displayed making it even harder for people to identify the fake address. If a customer inputs their credentials they will be saved so they can be accessed later, and then they will be redirected to the legit AWS login page.
Analyst Notes
While it is normal to trust an email like the ones involved in this campaign because they are coming from what looks like a legitimate Amazon email domain, customers should remember that email addresses can be spoofed. URLs should always be observed prior to providing account details. Mobile users should press the link until they are able to see the complete URL.