Attackers hijack AWS accounts via AiTM phishing
Attackers are using AiTM phishing kits and typosquatted domains to hijack AWS accounts, highlighting the need for robust identity controls.
The attackers are leveraging adversary-in-the-middle (AiTM) phishing kits, which intercept login credentials and session cookies, bypassing traditional multi-factor authentication. This allows them to gain unauthorized access to AWS accounts even when MFA is enabled. Typosquatted domains, which mimic legitimate AWS login pages, are used to trick users into entering their credentials. These fake pages are designed to look identical to the real AWS login, making it difficult for users to spot the deception. Compromised AWS accounts can lead to data breaches, service disruptions, and significant financial losses for organizations. Robust identity controls, such as phishing-resistant MFA methods and employee security awareness training, are crucial to mitigate these risks.
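On the detection side, hostnames seen in DNS or proxy logs can be screened for imitations of the AWS sign-in domains. The following is an added example, not code from the report: the allowlist, the brand tokens, the one-typo threshold and the sample hostnames are all assumptions chosen for illustration.

```python
# Added example: flag hostnames that imitate AWS sign-in domains.
# Allowlist and brand tokens are assumptions; tune them for your environment.
import re

LEGIT_SUFFIXES = ("amazon.com", "amazonaws.com")   # assumed allowlist
BRANDS = ("amazon", "amazonaws", "aws", "signin")  # assumed tokens to watch
HOMOGLYPHS = str.maketrans("01", "ol")             # digit-for-letter swaps

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify_host(host):
    """Return 'legit', 'lookalike' or 'unrelated' for one hostname."""
    host = host.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES):
        return "legit"
    for token in re.split(r"[.\-]", host.translate(HOMOGLYPHS)):
        for brand in BRANDS:
            # Short brands need an exact hit; long ones tolerate one typo.
            if token == brand or (len(brand) >= 6 and osa_distance(token, brand) <= 1):
                return "lookalike"
    return "unrelated"

# Constructed sample hostnames, as might appear in DNS or proxy logs.
SAMPLE = ["signin.aws.amazon.com", "signin.aws.amaz0n.example", "aws-signin.example",
          "signin.aws.amazon.com.login.example", "amazno.example", "www.example.org"]

if __name__ == "__main__":
    for h in SAMPLE:
        print(f"{classify_host(h):10} {h}")
```

A hit is a lead for review rather than a verdict: a brand token in an unlisted hostname can be benign, and a phishing domain that avoids these tokens will not match.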