
Would-be hackers are spoofing Amazon’s content delivery network, CloudFront, to create a means of injecting a malicious payload into websites, according to security firm Sucuri.
JavaScript code found by the firm in one sample links to a cloudfrond.org path, posing the risk that webmasters would not notice the unfamiliar link and assume it was for Amazon’s legitimate service.
Fioravante Souza, lead malware researcher at Sucuri, said: "The attackers are in fact trying to confuse webmasters by abusing our trust in trusted sources, [such as] Amazon’s CloudFront."
"If there is one thing we have learned in the years of doing this work, half the webmasters don’t really know what code and service their website ingests. [The attitude is] that’s on the developer; they’re simply responsible for maintaining it."
Since the cloudfrond.org domain is not currently malicious, it is not being blacklisted by anyone, but Souza added that it was "a perfect example" of an indicator of compromise (IoC), which is a sign of bad behaviour rather than a specific instance of it.
The custom script used by the would-be hackers also changes each time it loads, in what is known as a conditional payload, and at present will break if a website is accessed with any browser other than Internet Explorer (IE), according to the firm.
"The CloudFrond campaign is just getting started; attackers are simply setting their injections in place. This would explain why the injection is pulling empty payloads," Souza said.
"This is also a good way to avoid detection: kill the payload until you have your web of infected sites ready to go."
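
A check for the kind of lookalike script host described above, as an added example that is not from Sucuri or the original article: it flags `<script>` sources whose domain is within a small edit distance of a domain the site trusts. The allowlist, the sample HTML, the subdomain and the file names are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: the third-party script domains this site intentionally loads from.
TRUSTED_DOMAINS = {"cloudfront.net", "googleapis.com"}

SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_domain(host):
    """Last two labels; a simplification that ignores suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_scripts(html, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (src, domain, imitated_domain, distance) for near-miss script hosts."""
    findings = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname      # None for relative, same-site paths
        if not host:
            continue
        domain = base_domain(host)
        if domain in trusted:
            continue                       # exact match: legitimately trusted
        label = domain.split(".")[0]
        for good in sorted(trusted):
            # Compare name labels only, so a trusted name on another TLD is caught too.
            dist = edit_distance(label, good.split(".")[0])
            if dist <= max_distance:
                findings.append((src, domain, good, dist))
    return findings

# Constructed sample page: one legitimate CDN script, one lookalike, two unrelated.
SAMPLE_HTML = """
<script src="https://d111111abcdef8.cloudfront.net/app.js"></script>
<script src="//d111111abcdef8.cloudfrond.org/PLACEHOLDER.js"></script>
<script src="/js/local.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
"""

if __name__ == "__main__":
    for src, domain, good, dist in lookalike_scripts(SAMPLE_HTML):
        print(f"{src}: {domain} resembles {good} (edit distance {dist})")
```

Because the lookalike domain is not on any blacklist, a comparison against the site's own expected script hosts like this one is what surfaces it.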