Amazon Expert Share-Screen Phishing Attempt Analysis and OSINT

https://screenshares-amazon.com/

Official AWS Support Screen Sharing Service

https://screenshare.amazonaws.com/
View Source from screenshare.amazonaws.com

Fake AWS Support Screen Sharing Landing Page

As shown at the beginning of this post, the threat actor built a landing page that mimics the AWS one and asks the visitor for a Session key, the key that AWS support would normally already have provided to the customer. The page then does nothing with that key except hand it, together with the victim, to the attacker's own backend.

Source HTML of the phishing landing page

watch for the form action
AWS form action
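The practical tell in the two source views above is the form action: the legitimate page submits to an amazonaws.com host, the fake one to the attacker's own domain. The following is an added example, not code from the original post, that parses the forms on a page and flags any whose action resolves to a host outside the expected Amazon domains. The page URL, the HTML and the list of legitimate suffixes are constructed stand-ins and assumptions, not the actual content of screenshares-amazon.com.

```python
"""Flag credential-harvesting forms whose action posts off the expected domain.

Added example, not code from the original post. SAMPLE_HTML is a constructed
stand-in for a phishing landing page, not the real page's source.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a "session key" form that submits to the lookalike host.
SAMPLE_PAGE_URL = "https://screenshares-amazon.com/"
SAMPLE_HTML = """
<html><body>
<h1>AWS Support Screen Sharing</h1>
<form method="post" action="https://screenshares-amazon.com/session.php">
  <input name="session_key" placeholder="Session key">
  <input type="submit" value="Connect">
</form>
</body></html>
"""

# Assumption: hosts a genuine AWS support flow would post to.
LEGIT_SUFFIXES = ("amazonaws.com", "amazon.com")


class FormActionParser(HTMLParser):
    """Collect method, action and input names for every <form> in the document."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._pending = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._pending = {
                "method": (a.get("method") or "get").lower(),
                "action": a.get("action") or "",
                "inputs": [],
            }
        elif tag == "input" and self._pending is not None:
            self._pending["inputs"].append(a.get("name") or a.get("type") or "")

    def handle_endtag(self, tag):
        if tag == "form" and self._pending is not None:
            self.forms.append(self._pending)
            self._pending = None


def host_matches(host, suffixes):
    """True only when host equals a suffix or is a subdomain of it.

    A plain substring test would accept 'amazonaws.com.evil.example'; this does not.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def audit_forms(page_url, html, legit_suffixes=LEGIT_SUFFIXES):
    """Return one finding per form whose action resolves to a non-legitimate host."""
    parser = FormActionParser()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # A relative or empty action submits back to the page's own host.
        target = urljoin(page_url, form["action"] or page_url)
        host = urlsplit(target).hostname or ""
        if not host_matches(host, legit_suffixes):
            findings.append({
                "action": target,
                "host": host,
                "method": form["method"],
                "fields": form["inputs"],
            })
    return findings


if __name__ == "__main__":
    for f in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{f['method'].upper()} {f['action']} collects {f['fields']}")
```

Note the caveat: this only catches plain HTML submission. A kit that exfiltrates the key with JavaScript (fetch/XHR) will show an innocuous or absent form action, so the script tags deserve the same scrutiny as the form.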

AmazonSOS index page

there is always an IT admin involved

Testing the AmazonSOS.exe

The next step was to see what happens once the AmazonSOS app is executed. I don't advise anyone to run the AmazonSOS file locally unless they use a VM or a sandbox service like any.run. I submitted the .exe file to any.run for analysis and was presented with the following results.

behavior graph for AmazonSOS by any.run
VirusTotal AmazonSOS.exe file analysis

Enabling SplashtopSOS unattended remote connection

Splashtop also offers an unattended remote support mode, in which the user does not have to grant permission for each remote connection. This feature is not provided in the regular SOS app, but it is included in Splashtop's SOS Unlimited & remote connection app. For the victim this is the dangerous part: once the attacker's build of the agent is installed and enrolled, the attacker can reconnect at any later time without a further prompt on the screen.

OSINT for screenshares-amazon.com

Apart from analyzing how this phishing attempt works, I could also gather intel on the domain hosting the web app that distributes the phishing .exe file.

Domain Whois

domain whois info

Domain Registrar Intel

The next thing to do is to submit the domain URL to urlscan.io and generate a report. This is a good way to see whether other scam sites are hosted under the same hosting account or registered by the same registrant.

Other sites using the same hosting IP

Sometimes scammers put their sites behind Cloudflare's proxy by pointing the domain's nameservers at Cloudflare, which hides the hosting account's real IP and defeats basic fingerprinting by IP. In this case the scammer didn't care about hiding his other phishing and scam sites, so I managed to find a bunch of them using SpiderFoot OSINT services.

  • se1c-s0co31.com
  • help-revolut.com
  • securecentre-uk.com
  • spotifyclient.com
  • barclaycard-ukgbservices.eveningheadlines.com
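The pivot described in the last two sections, grouping domains by their hosting IP and skipping the ones whose nameservers point at Cloudflare because their A record is then a proxy address rather than the origin, is small enough to script. The block below is an added example, not code from the original post or from SpiderFoot or urlscan.io. The DNS records it works on are a constructed dataset: the IPs are documentation ranges and the nameserver names are invented, so the grouping it prints is illustrative, not the real hosting data behind the list above. The one live lookup helper uses only the standard library and is not called by default, so the example runs offline.

```python
"""Group domains by origin IP to find co-hosted sites, and flag domains whose
nameservers are Cloudflare's, since their A record is then a proxy, not the origin.

Added example, not code from the original post. SAMPLE_RECORDS is constructed:
documentation-range IPs and invented nameservers, not real hosting data.
"""
import socket
from collections import defaultdict

# Assumption: Cloudflare-proxied zones use nameservers under this suffix.
CLOUDFLARE_NS_SUFFIX = ".ns.cloudflare.com"

# Constructed sample records: domain -> (A records, NS records)
SAMPLE_RECORDS = {
    "screenshares-amazon.com": (["203.0.113.10"], ["ns1.hoster.example", "ns2.hoster.example"]),
    "help-revolut.com":        (["203.0.113.10"], ["ns1.hoster.example", "ns2.hoster.example"]),
    "securecentre-uk.com":     (["203.0.113.10"], ["ns1.hoster.example", "ns2.hoster.example"]),
    "dofus-crowns.com":        (["203.0.113.10"], ["ns1.hoster.example", "ns2.hoster.example"]),
    "unrelated.example":       (["198.51.100.7"], ["ns1.other.example"]),
    # Proxied: the A record is a Cloudflare edge address, so IP pivoting is meaningless.
    "hidden-scam.example":     (["104.16.0.1"], ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"]),
}


def behind_cloudflare(ns_records):
    """True when any nameserver for the zone is a Cloudflare one."""
    return any(ns.lower().rstrip(".").endswith(CLOUDFLARE_NS_SUFFIX) for ns in ns_records)


def pivot_by_ip(records):
    """Return ({ip: sorted domains}, sorted proxied domains).

    Proxied domains are excluded from the IP map because grouping on a shared
    Cloudflare edge address would lump unrelated sites together.
    """
    by_ip = defaultdict(set)
    proxied = []
    for domain, (a_records, ns_records) in records.items():
        if behind_cloudflare(ns_records):
            proxied.append(domain)
            continue
        for ip in a_records:
            by_ip[ip].add(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items()}, sorted(proxied)


def cohosted(records, seed_domain):
    """Domains sharing an origin IP with seed_domain, excluding the seed itself."""
    by_ip, _ = pivot_by_ip(records)
    found = set()
    for ip in records[seed_domain][0]:
        found.update(by_ip.get(ip, ()))
    found.discard(seed_domain)
    return sorted(found)


def resolve_a_live(domain):
    """Live A lookup with the standard library. Not called by default so the
    example stays offline; NS lookups need a DNS library such as dnspython."""
    return sorted({info[4][0] for info in socket.getaddrinfo(domain, 80, socket.AF_INET)})


if __name__ == "__main__":
    groups, proxied = pivot_by_ip(SAMPLE_RECORDS)
    for ip, domains in groups.items():
        print(ip, "->", ", ".join(domains))
    print("behind Cloudflare, origin unknown:", ", ".join(proxied))
    print("co-hosted with screenshares-amazon.com:", cohosted(SAMPLE_RECORDS, "screenshares-amazon.com"))
```

Shared hosting is the obvious false positive here: on a large shared host a single IP carries thousands of unrelated sites, so a shared IP is a lead to confirm against registrant details, page templates and content, not proof of common ownership on its own.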

Bonus through dofus-crowns.com

One of the sites hosted under the same IP is dofus-crowns.com, which looks like it's hosting a mirror of the ankama.com frontend.

a malicious app can be found under common2.js
past support scam schema

Makis

OSINT & Malware Analysis Aficionado // @makismour // Founder @WPRepublic & @FixMyWP(now sold)// WordPress Security // Eat, Drink, Net