Fake AWS Login Pages Are Now Chasing the Second Factor
A phishing kit built around Cloudflare-hosted lookalike domains shows how attackers can target the authentication ceremony itself, not just the password field.
Cloud identity theft has moved past the old trick of stealing a password and hoping for the best. In this case, the lure centered on an almost identical AWS console sign-in page, paired with an adversary-in-the-middle style flow designed to catch both credentials and whatever second factor followed. The important shift is not just the branding of the page, but the way the fake login can adapt in real time to the victim’s next step.
Fast Facts
- The phishing pages impersonated the AWS console sign-in experience.
- The domains used to host the lures were Cloudflare-hosted.
- The flow was built to handle email, SMS, and authenticator-app MFA paths.
- The attack pattern fits an AiTM model, where the login exchange is intercepted or relayed.
- The available information does not indicate a confirmed compromise of AWS or Cloudflare core systems.
Why This Works
AWS console sign-in pages are familiar, repetitive, and often completed under time pressure, which makes them ideal bait for lookalike sites. In an AiTM-style campaign the attacker may place a relay between the user and the legitimate sign-in flow: every prompt the victim sees is fetched from the real service, and every answer the victim gives is forwarded to it, so the fake page can follow whatever step the real login asks for next. The victim sees a believable, live prompt. Behind the scenes, the real login completes normally, except that the authenticated session it produces lands with the attacker rather than the user.
The MFA detail matters. Email, SMS and authenticator-app codes all fail the same way against a relay: a one-time code is just another value the victim types into the attacker's page, and it carries nothing that ties it to the site that requested it, so the proxy forwards it unchanged and the real service accepts it. What has improved in modern kits is the handling around that step. A page that can branch into different MFA paths can present whichever challenge matches the victim's account setup, which raises the chance that the attack survives the first login obstacle and continues far enough to harvest a valid session.
From a defensive perspective, the risk is broader than password theft. If the relay captures the session token or cookie issued after a successful authentication, the attacker can use the account without prompting the user again. That is why phishing-resistant methods such as passkeys or security keys (FIDO2/WebAuthn) are treated as stronger controls than SMS, email or app-generated codes in this class of attack: the authenticator signs the server's challenge together with the origin the browser is actually talking to and the registered relying-party ID, so an assertion produced on a lookalike domain does not verify at the real service.
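As an added example (not part of the original article, and not code from the phishing kit), the following Python models both sides of the exchange described above. The TOTP half is RFC 6238 as authenticator apps implement it. The WebAuthn half is a simplified relying-party check that keeps the fields that matter (challenge, origin, rpIdHash) and uses HMAC as a stand-in for the authenticator's private-key signature, since the standard library has no ECDSA. `signin.aws.amazon.com` is the real console sign-in host; the lookalike host name and all secrets are invented for the example.

```python
import hashlib
import hmac
import json
import os
import struct
import time

REAL_RP_ID = "signin.aws.amazon.com"          # the real console sign-in host
REAL_ORIGIN = "https://signin.aws.amazon.com"
# Lookalike host for the relay. Invented for this example; not a domain from the article.
PHISH_ORIGIN = "https://signin.aws-console-login.example"
PHISH_RP_ID = "signin.aws-console-login.example"


# ---- Relayable factor: RFC 6238 TOTP, i.e. what an authenticator app shows ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp_relay_succeeds(secret: bytes, now: int) -> bool:
    # The victim types the code into the phishing page; the proxy forwards it verbatim.
    # Nothing in a six-digit code says which site it was typed into.
    code_typed_into_phish_page = totp(secret, now)
    code_forwarded_to_real_service = code_typed_into_phish_page
    return hmac.compare_digest(code_forwarded_to_real_service, totp(secret, now))


# ---- Phishing-resistant factor: WebAuthn-style assertion bound to origin and RP ID ----
def client_data(challenge: bytes, origin: str) -> bytes:
    # The browser, not the page's JavaScript, records the origin it is really talking to.
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": origin}, sort_keys=True).encode()


def authenticator_get_assertion(cred_secret: bytes, rp_id: str, cdj: bytes) -> dict:
    # Signs authenticatorData || SHA-256(clientDataJSON), where authenticatorData starts
    # with SHA-256(rpId). HMAC stands in for the ECDSA signature a real device makes.
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    signed = auth_data + hashlib.sha256(cdj).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": cdj,
            "signature": hmac.new(cred_secret, signed, hashlib.sha256).digest()}


def rp_verify(cred_secret: bytes, expected_challenge: bytes, assertion: dict) -> str:
    # The relying party's checks, in the order the WebAuthn spec lists them.
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge.hex():
        return "reject: challenge mismatch"
    if cd.get("origin") != REAL_ORIGIN:
        return "reject: origin mismatch"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return "reject: rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "reject: bad signature"
    return "accept"


def webauthn_direct_login(cred_secret: bytes) -> str:
    challenge = os.urandom(32)
    cdj = client_data(challenge, REAL_ORIGIN)
    return rp_verify(cred_secret, challenge,
                     authenticator_get_assertion(cred_secret, REAL_RP_ID, cdj))


def webauthn_relay_attempt(cred_secret: bytes) -> str:
    # The proxy obtains a genuine challenge and hands it to the victim's browser, which
    # answers it for the lookalike origin. A browser also refuses to use an RP ID that is
    # not a registrable suffix of the page's own domain, so the lookalike RP ID is used.
    challenge = os.urandom(32)                   # issued by the real service to the proxy
    cdj = client_data(challenge, PHISH_ORIGIN)   # browser stamps in the phishing origin
    assertion = authenticator_get_assertion(cred_secret, PHISH_RP_ID, cdj)
    return rp_verify(cred_secret, challenge, assertion)  # forwarded unchanged


if __name__ == "__main__":
    now = int(time.time())
    print("TOTP relayed through the fake page still verifies:", totp_relay_succeeds(b"seed", now))
    print("WebAuthn at the real origin:", webauthn_direct_login(b"cred"))
    print("WebAuthn relayed through the fake page:", webauthn_relay_attempt(b"cred"))
```

The relayed TOTP verifies because the code is identical wherever it is typed. The relayed WebAuthn assertion fails at the origin check before the signature is even examined, and would fail the rpIdHash check next; the proxy cannot fix either field because both are covered by the signature.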
Cloud-hosted delivery adds another layer of camouflage, but it should not be confused with a platform breach. A phishing domain can live on mainstream infrastructure without the provider itself being compromised. The real abuse is at the identity layer: the criminal kit is borrowing the credibility of cloud branding and the predictability of cloud login workflows.
At the time of writing, the available technical detail is limited to the phishing infrastructure itself, and the downstream impact on any individual accounts is not established. That caution matters, because identity attacks often do silent damage that only becomes visible later in sign-in logs, session traces, or unusual control-plane activity.
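The detection logic below is an added example, not from the article or from any named investigation. It runs over hand-built records that follow the field layout of CloudTrail ConsoleLogin and IAM events (documentation-range IP addresses, invented user names); the set of "sensitive" actions, the per-user IP baseline and the 30-minute window are the example's own assumptions. The point it makes is that a relayed login is recorded with `MFAUsed: Yes`, so a rule keyed on MFA absence never fires, and the signal has to come from where the session came from and what it did next.

```python
from datetime import datetime, timedelta

# Control-plane calls that commonly follow a hijacked console session. This set is the
# example's own choice, not an AWS-defined list; tune it to your environment.
SENSITIVE_ACTIONS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile", "UpdateLoginProfile",
    "AttachUserPolicy", "AttachRolePolicy", "DeactivateMFADevice", "DeleteVirtualMFADevice",
}
POST_LOGIN_WINDOW = timedelta(minutes=30)   # assumption: how long after a login to watch


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _user(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def is_successful_console_login(event):
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success")


def detect(events, known_ips):
    """known_ips maps userName -> set of source IPs that user logged in from before the
    period under review. Returns findings in event-time order."""
    findings, suspect_login_at = [], {}
    for ev in sorted(events, key=_ts):
        user = _user(ev)
        if is_successful_console_login(ev):
            ip = ev.get("sourceIPAddress")
            # MFAUsed is "Yes" on a relayed login too: the real service saw a valid code,
            # so a rule that only alerts on MFA absence would never fire here.
            mfa = ev.get("additionalEventData", {}).get("MFAUsed", "Unknown")
            if ip not in known_ips.get(user, set()):
                suspect_login_at[user] = _ts(ev)
                findings.append({"rule": "console_login_new_ip", "user": user, "ip": ip,
                                 "mfa_used": mfa, "time": ev["eventTime"]})
        elif ev.get("eventName") in SENSITIVE_ACTIONS:
            t0 = suspect_login_at.get(user)
            if t0 is not None and _ts(ev) - t0 <= POST_LOGIN_WINDOW:
                findings.append({"rule": "sensitive_action_after_suspect_login", "user": user,
                                 "action": ev["eventName"], "ip": ev.get("sourceIPAddress"),
                                 "time": ev["eventTime"]})
    return findings


# Constructed records with the field layout of CloudTrail ConsoleLogin and IAM events.
# IPs are from documentation ranges; nothing here is taken from a real log.
def _login(when, user, ip, mfa="Yes"):
    return {"eventTime": when, "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "userIdentity": {"type": "IAMUser", "userName": user}, "sourceIPAddress": ip,
            "responseElements": {"ConsoleLogin": "Success"},
            "additionalEventData": {"MFAUsed": mfa, "MobileVersion": "No"}}


def _api(when, user, ip, source, name):
    return {"eventTime": when, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user}, "sourceIPAddress": ip}


SAMPLE_EVENTS = [
    _login("2024-05-06T08:02:11Z", "alice", "203.0.113.10"),      # usual office IP
    _login("2024-05-06T08:15:42Z", "alice", "198.51.100.77"),     # relayed login, MFA "Yes"
    _api("2024-05-06T08:21:05Z", "alice", "198.51.100.77", "iam.amazonaws.com", "CreateAccessKey"),
    _api("2024-05-06T09:00:00Z", "alice", "198.51.100.77", "s3.amazonaws.com", "ListBuckets"),
    _login("2024-05-06T09:30:00Z", "bob", "203.0.113.10"),
]
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.10"}}


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, KNOWN_IPS):
        print(finding)
```

On the sample, the first alice login and the bob login match their baselines and produce nothing; the login from the new address is flagged despite `MFAUsed: Yes`, and the `CreateAccessKey` six minutes later is tied back to it. In a real deployment the baseline would come from a longer history and the window from your own dwell-time data; a finding of the second kind is the cue to revoke the session and any credentials it minted, not just to reset the password.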
Conclusion
The lesson is blunt: the login page has become a battleground. Organizations that still depend on relayable MFA and URL recognition are defending yesterday’s threat model. For AWS access, the safer path is to assume the authentication journey itself can be attacked and to build around phishing-resistant sign-in, session revocation, and user verification habits that do not stop at “enter the code.”
TECHCROOK
Hardware security key: A small USB/NFC device for phishing-resistant sign-in. It works well with passkeys and FIDO2/WebAuthn on supported accounts, including cloud consoles and admin portals. Keep a spare key stored separately and register it before you need it.
WIKICROOK
- Adversary-in-the-Middle (AiTM): A phishing method where an attacker intercepts or relays an authentication session between the user and the real service.
- MFA: Multi-factor authentication, a login process that requires more than one proof of identity.
- Passkey: A phishing-resistant authentication method that uses cryptographic keys instead of shared secrets or one-time codes.
- Session token: A temporary credential that can keep a user signed in after successful authentication.
- Cloud-hosted domain: A domain served through mainstream cloud infrastructure, which can be abused to make a lure look routine and legitimate.