Security News

A series of recent phishing attacks tried to take advantage of organizations that use Amazon Web Services. In one phishing campaign reported to KnowBe4, the attackers created a basic, no-frills scam to harvest the credentials of AWS users.

Attention! If you use Amazon's voice assistant Alexa in you smart speakers, just opening an innocent-looking web-link could let attackers install hacking skills on it and spy on your activities remotely. According to a new report released by Check Point Research and shared with The Hacker News, the "Exploits could have allowed an attacker to remove/install skills on the targeted victim's Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill."

Zoom announced that Zoom for Home is expanding to smart displays including Amazon Echo Show, Portal from Facebook, and Google Nest Hub Max, bringing Zoom to widely-used devices and broadening their capabilities to the work environment. Zoom on Portal is expected to be available publicly in September; Zoom on Echo Show and Zoom on Assistant-enabled Smart Displays, including Google Nest Hub Max are expected to be available by the end of the year.

Amazon Web Services, an Amazon.com company, announced the general availability of Amazon Braket, a fully managed AWS service that provides a development environment to help customers explore and design quantum algorithms. Customers can use Amazon Braket to test and troubleshoot quantum algorithms on simulated quantum computers running on computing resources in AWS to help them verify their implementation.

The attacks involved a Cross-Origin Resource Sharing misconfiguration and Cross Site Scripting bugs identified on Amazon and Alexa subdomains, which eventually allowed the researchers to perform various actions on behalf of legitimate users. Successful exploitation of these vulnerabilities could allow an attacker to retrieve the personal information of an Alexa user, as well as their voice history with their Alexa, but also to install applications on the user's behalf, list installed skills, or remove them.

The flaws could also have helped attackers obtain usernames, phone numbers, voice history, and installed skills, says Check Point Research. Silently installed skills and apps on a user's Alexa account.

UPDATE. Vulnerabilities in Amazon's Alexa virtual assistant platform could allow attackers to access users' personal information, like home addresses - simply by persuading them to click on a malicious link. Researchers with Check Point found several web application flaws on Amazon Alexa subdomains, including a cross-site scripting flaw and cross-origin resource sharing misconfiguration.

Phishing attacks typically try to lure in victims by impersonating well-known companies, brands, and products. Released on Tuesday, Check Point's "Brand Phishing Report for Q2 2020" found that Google and Amazon were the most impersonated brands last quarter, each accounting for 13% of the brand phishing campaigns analyzed.

Using machine learning under the hood and based on over 20 years of fraud detection expertise from Amazon, Amazon Fraud Detector automatically identifies potentially fraudulent activity in milliseconds-with no machine learning expertise required. Amazon Fraud Detector provides a fully managed service that uses machine learning for detecting potential fraud in real time, based on the same technology used by Amazon.com-with no machine learning experience required.

Amazon Web Services, an Amazon.com company, announced the general availability of Amazon Interactive Video Service, a new fully managed service that makes it easy to set up live, interactive video streams for a web or mobile application in just a few minutes. Customers can then combine the Amazon IVS SDK and APIs to attach structured text data to video streams, and create interactive content, including polls, surveys, and leaderboards, all of which are automatically synchronized to the live video.