In a never-before-seen cyberattack technique, threat actors are using Amazon Web Services’ Simple Notification Service (AWS SNS) and a custom bulk messaging spam script called SNS Sender to fuel an ongoing “smishing” campaign that impersonates the United States Postal Service.
While the abuse of AWS SNS, a cloud-based messaging platform, is new, the campaign is an example of an increasingly common theme: Enterprises and threat actors are both shifting their respective workloads into the cloud rather than managing them through traditional Web servers, according to a report today from SentinelOne. This presents a serious business risk for entities whose legitimate cloud instances have been compromised by attackers seeking to exploit their AWS capabilities.
Smishing Infection Routine
The author(s) of the SNS Sender script, known by the alias “ARDUINO_DAS” from 2020 to 2023, were prolific in the phishing kit scene, although the handle appears to have been abandoned after the operators were accused of scamming buyers of phishing kits on the Dark Web, according to SentinelOne. The old alias, however, is still found in all of the threat actor’s tools, which are still actively used and distributed, including in the latest campaign last month.
According to Alex Delamotte, senior threat researcher at SentinelOne and author of the report, the SNS Sender attack uses a version of the “missed package” notification bait, claiming to come from the USPS.
“I’ve gotten a lot of them, and I know a lot of other people have gotten them too. They say you’ve lost a package and you have to pick it up at the post office,” Delamotte says, adding that while the campaign casts a wide, non-specific net, older people are more likely to fall prey to it. “It tells you to log in and it looks a lot like the real USPS page, but it collects the person’s name, address and credit card number.”
The text messages contain URLs that lead to phishing pages, which ask people to enter their personally identifiable information (PII) and payment card details. These are then sent to the attacker’s server and also to a Telegram channel. “It’s kind of a centralized place to see the logs collected by these phishing kits,” Delamotte says. “We’ve actually seen logs of it. It also records which phishing kits are used.”
Business Risk: The Cloud Phishing Problem
According to SentinelOne, the most interesting aspect of the campaign is the use of AWS SNS.
“There is a lot of red tape to be able to send SMS messages in the cloud. There are federal regulations and an SMS logging framework known as A2P 10DLC. This framework implements federal guidelines for cloud or software as a service (SaaS) providers to know their customers effectively,” Delamotte notes.
This means that attackers must have legitimate and trusted credentials in order to carry out the campaign. What essentially happens is that the threat actors steal the cloud credentials of existing companies, probably because they can’t go through the vetting process to enroll on their own. The threat actor then uses those credentials to send phishing text messages to various users, using the legitimate company’s domain.
However, there are additional obstacles. Compromising any old AWS instance is not enough: attackers must also verify the SNS capabilities of the targeted environment.
“SNS Sender represents a narrower approach that relies on the actor having access to a properly configured AWS SNS tenant,” according to the SentinelOne report. “Using AWS presents a challenge for this actor. AWS does not allow SMS notifications via SNS by default. For this feature to work, the tenant must be removed from the SNS sandbox environment.”
All of this poses significant risks for businesses. First of all, domain hijacking damages the company’s image, because to the user the company is the face of the scam. Furthermore, being hijacked could compromise a company’s ability to communicate with its customers over SMS: according to Delamotte, an affected organization will likely have to struggle to keep its SMS capabilities active.
This is especially bad news for organizations that maintain high volumes of SMS communications with consumers, such as e-commerce providers or those who manage loyalty programs.
For companies, avoiding getting trapped in SNS Sender comes down to what Delamotte considers basic security hygiene: Organizations need to make sure they don’t expose their credentials in the cloud, either through code in GitHub or “improperly guaranteed services.”
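For defenders, the step in which attackers verify a compromised tenant’s SNS SMS capabilities can be hunted for in CloudTrail. The following is an added example, not code from SentinelOne or the article: it flags principals outside an allow-list that call several SMS-capability APIs. Treating these three SNS actions as reconnaissance signals, the allow-list, the threshold and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Real SNS API actions that reveal whether an account can send SMS.
# Using them as recon indicators is this example's assumption.
SMS_RECON_ACTIONS = {"GetSMSSandboxAccountStatus", "GetSMSAttributes",
                     "ListOriginationNumbers"}

# Hypothetical allow-list: principals expected to manage SMS in this account.
EXPECTED = {"arn:aws:sts::111122223333:assumed-role/notifications-service/app"}

def _ev(name, arn, ip, source="sns.amazonaws.com"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip}

CI = "arn:aws:iam::111122223333:user/ci-deploy"
DEV = "arn:aws:iam::111122223333:user/dev-alice"
SAMPLE_EVENTS = [  # constructed, not real log data
    _ev("GetSMSAttributes", next(iter(EXPECTED)), "10.0.4.12"),
    _ev("GetSMSSandboxAccountStatus", CI, "203.0.113.7"),
    _ev("GetSMSAttributes", CI, "203.0.113.7"),
    _ev("GetSMSAttributes", DEV, "198.51.100.20"),
    _ev("ListBuckets", CI, "203.0.113.7", source="s3.amazonaws.com"),
]

def flag_sms_recon(events, expected=EXPECTED, min_actions=2):
    """Return {principal ARN: sorted recon actions} for principals not in
    `expected` that called at least `min_actions` distinct SMS-capability APIs."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("eventSource") != "sns.amazonaws.com":
            continue
        name = ev.get("eventName")
        if name not in SMS_RECON_ACTIONS:
            continue
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        if arn not in expected:
            seen[arn].add(name)
    return {a: sorted(n) for a, n in seen.items() if len(n) >= min_actions}

if __name__ == "__main__":
    for arn, actions in flag_sms_recon(SAMPLE_EVENTS).items():
        print(f"review {arn}: {', '.join(actions)}")
```

A hit is a lead for credential review and rotation, not proof of compromise; legitimate administrators also call these APIs.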