Hackers Use Cloned AWS Console Login Pages to Capture MFA Codes and Replay Credentials
ID: 4e39d0a1-29ce-5a97-9feb-b82e2ee94c8c
STIX ID: report--4e39d0a1-29ce-5a97-9feb-b82e2ee94c8c
Feed Name: Cyber Press
Researchers uncovered a targeted AiTM phishing campaign aimed at AWS users (primarily U.S.-based software engineers) that used cloned AWS console pages and server-driven flows to capture credentials and live MFA codes; attackers gated access by validating a base64-encoded email parameter (input_24), hosted phishing infrastructure on Cloudflare-registered domains, and routed emails through SendGrid and Nimbu to bypass filters. The kit operated as a React single-page app, proxied authentication to real AWS endpoints to determine and relay MFA challenges, and included IOCs for identified phishing subdomains.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
