Amazon Expert Share-Screen Phishing Attempt Analysis and OSINT

Official AWS Support Screen Sharing Service
View Source from

Fake AWS Support Screen Sharing Landing Page

As shown at the beginning of this post, the threat actor created a landing page resembling the AWS one, asking the visitor for a session key that had supposedly already been provided by AWS support.

Source HTML of the phishing landing page

watch for the form action
AWS form action
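As an added example (not code from the original post), here is the "watch for the form action" check as a Python triage script: it parses every form on a suspected landing page and flags any that collect a session key or similar secret and post it to a host other than the page's own, or without TLS. The HTML, hostnames and field names in it are constructed placeholders.

```python
# Triage check for a suspected phishing page: list every <form>, resolve where it
# submits, and flag forms that send a session key or similar off-site / over HTTP.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SENSITIVE = ("session", "key", "pass", "token", "otp", "pin")


class FormCollector(HTMLParser):
    """Collects each form's action, method and the names of its input fields."""

    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "",
                         "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._cur)
        elif tag in ("input", "textarea", "select") and self._cur is not None:
            self._cur["fields"].append(a.get("name") or a.get("id") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def audit_forms(html, page_url):
    """One finding per form; `suspicious` is True when a sensitive field is
    posted to a host other than the page's own or without TLS."""
    parser = FormCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for f in parser.forms:
        target = urlsplit(urljoin(page_url, f["action"]))  # relative action -> same site
        sensitive = [n for n in f["fields"] if any(k in n.lower() for k in SENSITIVE)]
        risky = target.hostname != page_host or target.scheme != "https"
        findings.append({"action": target.geturl(), "method": f["method"],
                         "sensitive_fields": sensitive,
                         "suspicious": bool(sensitive) and risky})
    return findings


# Constructed sample (not the real page): a cloned "support screen sharing" form
# posting the session key to another host, plus a harmless same-site search form.
SAMPLE_HTML = ('<form action="https://collector.example.invalid/s.php" method="post">'
               '<input name="session_key"><input type="submit"></form>'
               '<form action="/search"><input name="q"></form>')
```

Run `audit_forms(SAMPLE_HTML, "https://support-lookalike.example.invalid/index.html")` to see the first form flagged and the second left clean.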

AmazonSOS index page

there is always an IT admin involved

Testing the AmazonSOS.exe

The next step was to see what happens once the AmazonSOS app is executed. I don't advise anyone to run the AmazonSOS file locally unless they use a VM or a simulation service like . I submitted the .exe file for analysis to and was presented with the following results:

behavior graph for AmazonSOS by
VirusTotal AmazonSOS.exe file analysis

Enabling SplashtopSOS unattended remote connection

Splashtop also lets you use its unattended remote support mode, in which the user does not have to grant permission for a remote connection. This feature is not provided in the regular SOS app, but it is included in Splashtop's SOS Unlimited & remote connection app.


Apart from analyzing how this phishing attempt works, I was also able to gather intel on the domain hosting the web app that distributes the phishing .exe file.

Domain Whois

domain whois info

Domain Registrar Intel

The next thing to do is to submit the domain URL into and create a report. This is a great way to see whether other scam sites are hosted under the same hosting account or domain registrant.

Other sites using the same hosting IP

Sometimes scammers use Cloudflare's nameserver/proxy service to hide their hosting account's IP, defeating any basic fingerprinting attempts. In this case, the scammer didn't bother hiding his other phishing and scam sites, so I managed to find a bunch of them using SpiderFoot's OSINT services.


Bonus through

One of the sites hosted under the same IP is , which looks like it is hosting a mirror of the frontend.

a malicious app can be found under common2.js
past support scam schema





OSINT & Malware Analysis Aficionado // @makismour // Founder @WPRepublic & @FixMyWP(now sold)// WordPress Security // Eat, Drink, Net