Amazon Expert Share-Screen Phishing Attempt Analysis and OSINT
While following the phishing team on Keybase, I noticed a post by one of the members, under the nickname n0p1shing. He noted that he had found the following landing page under the domain screenshares-amazon.com, which appeared to host an Amazon Support screen-sharing service.
So I thought it was a good opportunity to start digging into this phishing attempt and reveal the elements involved in it.
Official AWS Support Screen Sharing Service
Amazon provides live help for some of its services through an AWS Support Screen Sharing page. The procedure for allowing support is very simple: users receive a Session Key from an AWS Support representative, which they later submit and share through the AWS Screenshare service.
The software behind AWS Support Screen Sharing is developed by Bomgar, a remote support provider that allows support technicians to connect remotely to end-user systems through firewalls from their computer or mobile device.
Fake AWS Support Screen Sharing Landing Page
As shown at the beginning of this post, the threat actor created a landing page similar to the AWS one, asking for the visitor's Session Key, which should already have been provided by AWS Support.
When I first researched how this phishing scam works, I couldn't find any direct exploit based simply on using or abusing the AWS Support session key. Then I did the obvious: I took a closer look at the landing page source code and searched for any scripts or forms loaded behind it.
Source HTML of the phishing landing page
The form's action was to POST to a page called dologin.php under the site root; if you visit this page, your browser is forced, through a pop-up, to download an .exe file named AmazonSOS.exe.
Below I'm attaching a screenshot of Amazon's original Support Screen Sharing service. You can see the difference in the form action, which in this example redirects to a different page that contains no pop-up or file download.
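The check described above, looking at a landing page's forms and scripts before submitting anything, can be scripted. The example below is added here and is not from the original post; it triages a constructed HTML sample resembling the fake page, and the legitimate host it compares against is an assumption used only for the comparison.

```python
# Added example: static triage of a suspected phishing landing page.
# It collects form actions and script sources, then flags forms that post to a
# host other than the expected one, form actions that are script or binary
# endpoints (like dologin.php), and scripts loaded from third-party hosts.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample resembling the fake landing page (not the real page source).
SAMPLE_HTML = """
<html><body>
<form method="post" action="dologin.php">
  <input name="session_key" placeholder="Enter session key">
  <button type="submit">Share my screen</button>
</form>
<script src="https://cdn.example-tracker.invalid/t.js"></script>
</body></html>
"""

LEGIT_HOST = "aws.amazon.com"  # assumption: host of the genuine page, for comparison only


class FormScriptCollector(HTMLParser):
    """Collects form actions and script sources, resolved against the page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms, self.scripts = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"method": (a.get("method") or "get").lower(),
                               "action": urljoin(self.base_url, a.get("action") or "")})
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.base_url, a["src"]))


def triage(html, page_url, legit_host=LEGIT_HOST):
    """Return a list of human-readable findings for a responder to review."""
    p = FormScriptCollector(page_url)
    p.feed(html)
    findings = []
    for f in p.forms:
        host = urlparse(f["action"]).hostname or ""
        path = urlparse(f["action"]).path
        if host != legit_host:
            findings.append(f"form posts to non-{legit_host} host: {host}{path}")
        if path.lower().endswith((".php", ".exe")):
            findings.append(f"form action is a script/binary endpoint: {path}")
    for s in p.scripts:
        if (urlparse(s).hostname or "") not in (urlparse(page_url).hostname, legit_host):
            findings.append(f"third-party script loaded: {s}")
    return findings
```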
AmazonSOS index page
Reading the index page, I noticed that the scammer provides instructions on how to use the .exe file. They guide you to download and open the file and then share the 9-digit number shown in the app with your "IT admin".
No matter what Session Key you provide, you are always redirected to the index page and asked to (re)download the app, repeating the loop.
Testing the AmazonSOS.exe
The next step was to see what happens once the AmazonSOS app is executed. I don't advise anyone to run the AmazonSOS file locally unless they use a VM or a sandbox service like any.run. I submitted the .exe file to any.run for analysis and was presented with the following results.
I also submitted the .exe file to VirusTotal and got the following results.
If you follow the VirusTotal link, you can see that AmazonSOS.exe is actually a variant of the SplashtopSOS on-demand support app, which allows IT services to set up a remote connection with their clients. SplashtopSOS can share a desktop between users, enable file transfer, reboot and reconnect the device, and record a session or watch it in real time.
Enabling SplashtopSOS unattended remote connection
Splashtop also offers an unattended remote support mode, in which the user does not have to give permission for a remote connection. This feature is not provided in the regular SOS app, but it is included in Splashtop's SOS Unlimited and remote connection app.
OSINT for screenshares-amazon.com
Apart from analyzing how this phishing attempt works, I could also gather intel on the domain hosting the web app that distributes the phishing .exe file.
The domain's registrant contact info doesn't look very promising: the domain was registered only one day ago (December 27th), the name and address are definitely not real, and the registrant's email domain has been used many times in forum spam activity.
In fact, this is one of those cases where someone can file a WHOIS inaccuracy report with ICANN and bring down the domain without any further help from the domain registrar or the site's hosting provider.
Domain Registrar Intel
The next thing to do is submit the domain URL to urlscan.io and create a report. This is a great way to see whether other scam sites are hosted under the same hosting account or domain registrant.
Based on the urlscan.io report for screenshares-amazon.com, the domain's registrar name is Shinjiru MSC Sdn Bhd, operating under AS45839. The registrar is located in Malaysia and hosts several other sites using similar scam tactics; here are a few of them:
Other sites using the same hosting IP
Sometimes scammers use Cloudflare's NS proxy service to hide their hosting account's IP, defeating basic fingerprinting attempts. In this case, the scammer didn't care about hiding his other phishing and scam sites, so I managed to find a bunch of them using SpiderFoot's OSINT services.
Below we're attaching some of those sites, showing that they seem to be operated by the same person or scheme, using ilovewww.com as their preferred domain registrar.
Bonus through dofus-crowns.com
One of the sites hosted under the same IP is dofus-crowns.com, which looks like it is hosting a mirror of the ankama.com frontend.
Browsing through all the publicly accessible directories and files of this site, I finally reached a file named avatar.html.tmp.
It's more than obvious that these kinds of scams are widespread and fine-tuned to trick novice users and take control of their PC or mobile device through trojans or phone scams.
Even though this is the end of the analysis of the screenshares-amazon.com phishing scam, I will come back and update this post once Splashtop support replies to our ticket asking about ways, other than the ones we covered, in which someone can remotely and unattendedly access a device using their app.