Many customers that use Amazon Web Services are receiving emails from postmaster@amazon[dot]com with a subject line that states “Your service has now been suspended.” Overdue bill payments, specifically a bill for $4.95 USD, is what the email claims to be the cause of the account suspension. A link is provided in the email that will take the receiver to a payment page. A transcript of the email is as follows.

This is a notification that your service has now been suspended. The details of this suspension are below:

Product/Service: Unlimited Starter

Domain: domain.com

Amount: $4.95 USD

Due Date: 10/07/2019

Suspension Reason: Overdue on Payment

You can pay now using the payment page to reactivate your service.

If your account was suspended for reasons other than non-payment of outstanding dues, contact AWS customer support Contact Us

When customers click on the link in the email, they directed to a phony website hosted on a separate domain, but in order to try and trick people, the attacker has chosen a URL that starts with aws[.]amazon[.]com. This domain mirrors the domain for Amazon Web Services but because of a redirect, it is not the authentic site. In a browser, the entire URL will be displayed which could make it easier for a victim to see the faulty address but on a mobile device, the links do not always get fully displayed making it even harder for people to identify the fake address. If a customer inputs their credentials they will be saved so they can be accessed later, and then they will be redirected to the legit AWS login page.