{"id":647057,"date":"2026-05-13T10:59:04","date_gmt":"2026-05-13T08:59:04","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=647057"},"modified":"2026-05-13T21:21:23","modified_gmt":"2026-05-13T19:21:23","slug":"warning-to-south-africans-who-receive-emails-from-amazon","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/647057-warning-to-south-africans-who-receive-emails-from-amazon.html","title":{"rendered":"Warning to South Africans who receive emails from Amazon Simple Email Service"},"content":{"rendered":"\n<p>Security researchers have warned about an uptick in attacks where cybercriminals gain access to trusted email services powered by Amazon&#8217;s Simple Email Service (SES).<\/p>\n\n\n\n<p>Local cybersecurity experts said there was no doubt that this method would find victims in South Africa, as thousands of local organisations use Amazon&#8217;s email services.<\/p>\n\n\n\n<p>International cybersecurity group Kaspersky reported this week that it had detected phishing and business email compromise attacks globally.<\/p>\n\n\n\n<p>Kaspersky said the phishing attempts were difficult to detect because the attackers did not include malicious links in the email.<\/p>\n\n\n\n<p>&#8220;These messages, often sent to finance departments, requested urgent payments and included PDF attachments containing only banking details, with no malicious links,&#8221; it stated.<\/p>\n\n\n\n<p>Dimitri Fousekis, co-founder and CTO of Bitcrack Cyber Security, said that although these specific attacks did not include malicious links, threat actors could use this type of attack to deliver malware.<\/p>\n\n\n\n<p>Kaspersky said attackers obtained leaked Amazon Web Services (AWS) keys and used them to send emails from SES accounts masquerading as official companies.<\/p>\n\n\n\n<p>Amazon SES is a cloud-based email service designed for businesses and developers to send high-volume communications.<\/p>\n\n\n\n<p>&#8220;One of the campaigns observed by Kaspersky in early 2026 involved emails impersonating document-signing platforms like DocuSign,&#8221; Kaspersky said.<\/p>\n\n\n\n<p>&#8220;Victims were prompted to review and sign documents, only to be redirected to fraudulent login pages hosted on an Amazon Web Services page designed to capture credentials.&#8221;<\/p>\n\n\n\n<p>With these credentials in hand, cybercriminals could launch attacks on company systems, with dire consequences for businesses.<\/p>\n\n\n\n<p>In April, a threat actor <a href=\"https:\/\/mybroadband.co.za\/news\/security\/641250-1-2tb-of-standard-bank-data-including-credit-card-details-stolen-and-leaked-online.html\">breached Standard Bank and stole 1.2TB of the bank&#8217;s data<\/a>, including private customer information such as credit card details.<\/p>\n\n\n\n<p>Fousekis told MyBroadband that there was no doubt South Africans would be affected. &#8220;SA organisations could be significantly impacted by this type of attack,&#8221; he said.<\/p>\n\n\n\n<p>Since emails sent with a legitimate company&#8217;s Amazon SES credentials appear trustworthy, they are more likely to be opened and accessed by users.<\/p>\n\n\n\n<p>He explained that because these attack emails were sent from official Amazon email addresses, they were more likely to bypass automatic email security features such as spam filters.<\/p>\n\n\n\n<p>&#8220;Traffic originating from trusted cloud providers like Amazon is subjected to less aggressive filtering due to widespread legitimate use and may even be whitelisted to bypass all checks completely.&#8221;<\/p>\n\n\n\n<p>An AWS spokesperson said that AWS has clear terms that prohibit the use of its services to violate the security, integrity, or availability of others.<\/p>\n\n\n\n<p>&#8220;When we receive reports of potential violations of our terms, we act quickly to review and take appropriate action,&#8221; they said. <\/p>\n\n\n\n<p>&#8220;As always, we encourage all customers to follow recommended security guidance to help secure their accounts and prevent abuse.&#8221; Users could report abusive activity to AWS Trust &amp; Safety via <a href=\"https:\/\/repost.aws\/knowledge-center\/report-aws-abuse\">this link.<\/a> <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Danger when emails from trustworthy entities are hijacked<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"675\" src=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/Fousekis-AWS.jpg\" alt=\"\" class=\"wp-image-647066\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/Fousekis-AWS.jpg 1200w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/Fousekis-AWS-600x338.jpg 600w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/Fousekis-AWS-768x432.jpg 768w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><figcaption class=\"wp-element-caption\">Dimitri Fousekis, CTO and co-founder of Bitcrack Cyber Security<\/figcaption><\/figure>\n\n\n\n<p>Bitcrack&#8217;s own analysis identified 1,962 South African domains that use Amazon SES to send emails on behalf of organisations.<\/p>\n\n\n\n<p>Fousekis said that, among these, were several prominent entities, including four local banks, one cellular network provider, and at least 23 online retail platforms, among numerous other businesses.<\/p>\n\n\n\n<p>He explained that the attack method could be used to facilitate credential theft, financial fraud, malware delivery, account compromise or other forms of cybercrime at scale.<\/p>\n\n\n\n<p>Israeli cybersecurity firm Check Point Software&#8217;s latest Brand Phishing Report ranked Amazon fourth, behind Microsoft, Apple, and Google, among the most impersonated brands for phishing attacks.<\/p>\n\n\n\n<p>Shayimamba Conco, Security Evangelist, Africa, at Check Point Software, said that criminals were systematically abusing widely used enterprise and cloud platforms locally.<\/p>\n\n\n\n<p>&#8220;For organisations and users in South Africa, the risk is real as more local companies adopt cloud services out of necessity, and remote work continues to expand,&#8221; he said.<\/p>\n\n\n\n<p>&#8220;Attackers increasingly target cloud credentials and third-party email platforms to deliver sophisticated phishing campaigns.&#8221;<\/p>\n\n\n\n<p>Fousekis explained that criminals were finding AWS or Amazon SES credentials online, through public repositories, misconfigured cloud storage, and exposed configuration files.<\/p>\n\n\n\n<p>They may also access these credentials on already-compromised developer environments, which could have been breached in previous attacks.<\/p>\n\n\n\n<p>&#8220;Attacks of this nature are particularly concerning because they do not necessarily require the direct compromise of the targeted organisation itself,&#8221; he said.<\/p>\n\n\n\n<p>&#8220;Attackers only need to obtain access to exposed or stolen Amazon SES credentials in order to abuse trusted cloud infrastructure to deliver malicious emails.&#8221;<\/p>\n\n\n\n<p>Conco said that companies should regularly rotate their AWS IAM keys and avoid storing secret information in publicly accessible repositories.<\/p>\n\n\n\n<p>Users can mitigate attacks by deploying advanced email security solutions that detect phishing and BEC attempts, including solutions that automatically inspect content, links, and attachments.<\/p>\n\n\n\n<p>Education of employees remained a key security measure, said Conco. Staff should treat unexpected emails with caution, verify requests for personal information, and report them.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>South African companies and users should beware of emails from Amazon as criminals are abusing stolen passwords to exploit these emails for personal gain. <\/p>\n","protected":false},"author":341213,"featured_media":647067,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[30594,34363,105176,104783,105175,1595,96013],"class_list":["post-647057","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-amazon-web-services","tag-aws","tag-bitcracker-cyber-security","tag-check-point-software","tag-dimitri-fousekis","tag-kaspersky","tag-shayimamba-conco"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/647057"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341213"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=647057"}],"version-history":[{"count":7,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/647057\/revisions"}],"predecessor-version":[{"id":647469,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/647057\/revisions\/647469"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/647067"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=647057"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=647057"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=647057"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}