Closed Ricky-0x closed 1 week ago
Chrzi
commented
1 week ago Hi,
You'll need to report these to the relevant abuse desks.
You can report spam to the Email service providers (Gmail, Hotmail, etc.) or the Hosting service where the IP is hosted.
Mailicious content hosted in S3 is best reported to AWS. For example using their web form here
You can use XARF as a reporting format when sending out these abuse reports, but the issues here are for discussions/problems with XARF.
Ricky-0x
commented
1 week ago Hi,
The first thing I did was report S3 abuse using the official support channels on Amazon AWS (filling out an online form), they opened a case and assigned me a ticket number, they started to do the analysis, additionally they recommended me as an optional step to create a report in this git.
Thanks and regards.
El mar, 8 oct 2024 a la(s) 10:33 a.m., Christian Wahl ( @.***) escribió:
Hi,
You'll need to report these to the relevant abuse desks.
You can report spam to the Email service providers (Gmail, Hotmail, etc.) or the Hosting service where the IP is hosted.
Mailicious content hosted in S3 is best reported to AWS. For example using their web form here https://support.aws.amazon.com/#/contacts/report-abuse
You can use XARF as a reporting format when sending out these abuse reports, but the issues here are for discussions/problems with XARF.
— Reply to this email directly, view it on GitHub https://github.com/abusix/xarf/issues/73#issuecomment-2400026074, or unsubscribe https://github.com/notifications/unsubscribe-auth/BL33HBAV7OFISAJNR67XCLTZ2PUKDAVCNFSM6AAAAABPOPCNC2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIMBQGAZDMMBXGQ . You are receiving this because you authored the thread.Message ID: @.***>
Hello,
Every day I receive 4 or 5 emails impersonating Netflix, Hulu, Apple and other big brands like that. In these emails the scammers try to persuade me to click on a link, that link is an Amazon aws url (s3.amazonaws.com). In the URL structure they always refer to the same file called "Rco.html" although the container/bucket and hash in the url always change.
This is many examples of a URL included in a phishing emails:
https://s3.amazonaws.com/r3e1267/Rco.html#4HmfZu3285OoDL30mmertdedes300QHBQDCJIBPTNKNU586SLGH852W00 https://s3.amazonaws.com/r3e1280/Rco.html#5WuHEg4625Uhry44iologiqaqg311ZGDZYOIOINKZOMW708FUJC020D22 https://s3.amazonaws.com/r3e1299/Rco.html#4syasD4862isPo46yeklllpeki311ZAUMCOBGYHBXYKY708ORPU046e22
I understand that Amazon cannot prevent the sending of emails especially when the scammers use third-party services (Gmail, Hotmail, fakes or disposables email accounts services), however, Amazon can restrict or block or eliminate cloud storage services related to their platform and services.
I have attached two plain text files (txt), one with the complete code of one of the emails and another with the code containing the "Rco.html" file stored in Amazon AWS or Amazon Cloud service. I have deleted part of my email address for privacy reasons, obviously.
email_body_phishing.txt html_code_in_Rcho-html_file.txt