Sorry to go on about AWS but I am having a hard time ignoring them.

Today I received an email that blew my mind. It was confidently flagged as spam by my ISP.

X-Spam-Status: Yes, hits=4.9 required=3.5
tests=DCC_CHECK,DKIM_ADSP_ALL,DKIM_SIGNED,
HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,
REMOVE_BEFORE_LINK,SPF_SOFTFAIL,T_DKIM_INVALID
autolearn=disabled version=3.004001
X-Spam-Flag: YES

The subject was a bit too good to be true. Certainly good enough to be suspicious.

Subject: Share your feedback and receive $25 in AWS credits

Basically, give us your AWS credentials and we’ll give you free money!

Here’s the main content.

At Amazon Web Services, we’re focused on finding ways to improve our products and provide a better customer experience. To do that, we need your feedback. We’re hoping that you’ll take 5-10 minutes of your time to share insights regarding your experience using Amazon Web Services. To thank you for your time, those who complete this survey will receive $25 in AWS credit.

Take the Survey

Well Amazon, consider this post my feedback.

Ok, no Nigerian spelling but look at the href URL that "Take the Survey" activates.

http://aws.asia.qualtrics.com/SE/.....

I left out a bunch of CGI arguments, but it’s the domain that is interesting here. What was really shocking to me was that the body of the mail contained no fewer than eight different domains associated with the putative sender!

  • amazon.com

  • mktdns.com

  • mktomail.com

  • aws.asia.qualtrics.com

  • mkto-sj060051.com

  • media.amazonwebservices.com

  • na-sj06.marketo.com

  • rmeuaotk.emltrk.com

This is fairly ridiculous.

Then just like a next generation Nigerian scam it went on to allay the mark that although it stinks, it is in fact genuine because the email itself says so.

This survey is hosted by an external company (Qualtrics), so the link above does not lead to our website.

It seriously says that!

If this is not fake, they’re teaching us that legitimate AWS email might arrive from anyone and that we should trust any miscellaneous links therein.

When I sent this email to aws-security@amazon.com and stop-spoofing@amazon.com to find out if it was fake, they concurred by replying with this very sensible automated response.

In all likelihood, the message you received was not sent to you by Amazon.com. We strongly advise that you not send any information about yourself back to this individual (especially your credit card number or any personal information).

In the future, if you are ever uncertain of the validity of an e-mail, even from us, don’t click on any supplied links—instead, type our web site address "www.amazon.com" directly into your browser and follow the regular links to Your Account. Many unscrupulous spoofers mislead consumers by displaying one URL while taking the visitor to another.

By typing in a well-known address you can avoid this trick.

Of course by not using HTTPS you also set yourself up for this trick but I’ll save that discussion for later.

The only thing about this email that seems legit is that my ISP received it from an AWS mail relay. This makes me wonder if it is possible for a third party to use an AWS mail relay. Anyone who clicks on anything in this mail is putting a lot of faith in the idea that this internet services company doesn’t offer this particular internet service.

Received: from mm-notify-out-1104.amazon.com
    (mm-notify-out-1104.amazon.com [207.171.164.41])

It’s hard to say just how spoofable these Received headers are but if one must pick apart the mail headers to get a sense of legitimacy I fear that the ship has sunk.

Eventually I got a personal response back from aws-security@amazon.com. Incredibly, this email is actually legitimate!

Thanks for taking the time to reach out to AWS Security. We’ve taken a look at the email you provided and can confirm that it is a legitimate survey sent by AWS.

Amazon has just trained us that they make money-for-nothing offers in unsolicited email filled with awkward unknown suspicious URLs. One would reasonably expect the only way to collect the bait, I mean "reward", is to put in your AWS account details. Can you think of a more perfect setup for a phishing attack? Not just any phishing attack, but a phishing attack targeting extraordinary amounts of untraceable cryptocoin which can be effortlessly converted to cash.

Amazon can claim they’re doing nothing wrong, but this is like a salesperson at Walmart saying, "Meet me in the dark alley at midnight and I can sell you this TV." They might have completely legitimate reasons for doing that and they might not fear for their safety, but it’s incredibly tone deaf to expect customers to not be leery.

I will summarize Amazon’s problem by outlining the simple steps needed to become a big dollar internet criminal. Basically you just need to hire Russian hackers to write some code that automates the following process.

  1. Generate bulk email offering something plausible but really irresistible. Why not go with the tried and tested and copy Amazon’s letter verbatim?

  2. Register a series of domains. A good template to use would be something like this mkto-sj060051{000...999}.com. Feel free to brazenly tell your marks in the email that because the email itself says it’s ok to trust this domain, it’s ok to trust this domain. Amazingly this works! AWS customers are even used to it!

  3. Set up a fake survey at the site. Use long and obfuscatory URLs, just like Amazon. Don’t worry about correct certificates or even HTTPS; Amazon doesn’t. Feel free to skip this step completely.

  4. Thank the mark for helping with the feedback and say that you need their account information to apply the credit. This is where Amazon would retort that they have good security because they do redirect to an https://www.amazon.com/ap/signin...... URL for secure log ins. However I have counted that URL being up to 1130 bytes! Just make the subdomain really long and messy. Who is really going to scroll the URL to see that the proper domain is there? And you (and the real AWS) have already reassured the mark that an improper domain is likely to be proper anyway.

  5. Log in to the account and get an API key. Then turn off billing alerts, fire up 200 huge VMs, and start crypto coin mining. Ka-ching!

  6. Ideally subvert their email if they were dumb enough to have used a primary email account (e.g. Gmail) with the same password for their AWS login. Intercept and quash any email alerts. Don’t worry you’ll have plenty of time since Amazon will let you ring up thousands of dollars worth of BTC mining before they send out an alert that can’t easily be overridden. Even if you started all that activity from China on a US account? Yes! Even then.