The public has recently been made aware of an innovative cyberattack method, as malicious actors are leveraging Amazon Web Services Simple Notification Service (AWS SNS) and a custom bulk-messaging spam script called SNS Sender to support an ongoing “smishing” campaign impersonating the US Postal Service.
According to a recent report from SentinelOne, the abuse of AWS SNS, a cloud-based messaging platform, highlights the increasing trend of businesses and threat actors shifting their workloads to the cloud instead of traditional web servers. This shift poses significant risks to entities whose legitimate cloud instances have been compromised by attackers seeking to exploit their AWS capabilities.
As revealed in the report, the author or authors of the SNS Sender script, who identified themselves as “ARDUINO_DAS” from 2020 to 2023, were prolific figures in the phishing kit scene. Although this alias has since been abandoned after being implicated in scamming phishing kit buyers on the Dark Web, their tools, including the latest campaign from last month, continue to be actively utilized.
Alex Delamotte, a senior threat researcher at SentinelOne, confirmed that the SNS Sender attack employs a modified version of the well-known “missed package” notification lure, purporting to originate from the USPS. In response to the campaign, Delamotte stressed that a large number of individuals, especially senior citizens, have received these messages, making them more vulnerable to falling prey to the scam.
The text messages sent as part of the smishing campaign contain URLs leading to phishing pages where recipients are prompted to enter their personally identifiable information (PII) and payment-card details. These details are then forwarded to the attacker’s server, as well as to a Telegram channel.
A key feature of the campaign is its dependence on AWS SNS. According to SentinelOne, this indicates the need for sophisticated hacking tactics, because cloud and software-as-a-service (SaaS) providers must comply with stringent federal regulations and an SMS registration framework.
Compounding the issue, organizations need to safeguard against the exploitation of their cloud credentials, which may result in a tarnished company image and compromised SMS capabilities. Those maintaining high-volume SMS communications with consumers, such as e-commerce providers and loyalty program operators, are especially vulnerable to these kinds of scams.
Ultimately, mitigating the potential impact of SNS Sender comes down to robust security measures, as organizations must ensure that their cloud credentials are not exposed through vulnerable code on platforms like GitHub, or through inadequately secured services. These steps are essential for safeguarding businesses against further infiltration and abuse by malicious actors.

