A common thread between businesses and threat actors is that both are moving workloads previously handled by traditional web servers to the cloud. SentinelLabs has identified one example of this in the form of SNS Sender, a Python script that uses AWS Simple Notification Service (SNS) to send bulk SMS messages for the purpose of spamming phishing links, aka Smishing.

SNS Sender is the first script observed using AWS SNS. While other tools like AlienFox have used business-to-customer (B2C) communications platforms such as Twilio, SentinelLabs is unaware of other tools that use AWS SNS to conduct SMS spamming attacks.

SentinelLabs identified links between the actor behind this tool and many phishing kits used to target victims’ personally identifiable information (PII) and payment card details under the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery. It is believed this actor is using cloud services to send bulk SMS phishing messages, though some questionable programming choices suggest they may still be testing the tool.

Key findings:

  • SNS Sender is a script that enables bulk SMS spamming using AWS SNS, aka Smishing, a previously unseen technique in the context of cloud attack tools.
  • The script author is currently known by the alias ARDUINO_DAS and is prolific in the phish kit scene.
  • SentinelLabs identified links between this actor and numerous phishing kits used to target victims’ personally identifiable information (PII) and payment card details.
  • The smishing scams often take the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery.

Conclusion

Actors are continuously finding new tools and platforms they can use to conduct their attack of choice, and SNS Sender is no exception. Spammers have used mega tools like AlienFox and Predator to target bulk mail services as well as business communications services. Other researchers have detailed which APIs have been used during in-the-wild AWS SNS abuse attacks, as well as enumeration routes actors may take to verify a targeted environment’s SNS capabilities. SNS Sender provides a glimpse into how actors conduct these attacks.

SNS Sender represents a narrower approach that relies on the actor having access to a properly configured AWS SNS tenant. Using AWS presents a challenge for this actor: AWS does not allow SMS notifications via SNS by default. For this feature to work, the tenant needs to be removed from the SNS sandbox environment. This is an update from previous research, where AWS automatically allowed accounts to send to 10 destination numbers while an account was in the SNS sandbox.
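Because the tool depends on a tenant that has left the SNS sandbox, calls that read or change an account's SMS capability are a useful thing to watch for in CloudTrail. The following is an added example, not code from SentinelLabs or from SNS Sender: it groups such calls by principal over constructed CloudTrail records. The watch list of SNS action names, the threshold and the sample records are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Assumed watch list: real SNS actions that read or change SMS capability.
# The article does not name the APIs involved.
SMS_CAPABILITY_CALLS = {
    "GetSMSSandboxAccountStatus", "GetSMSAttributes", "SetSMSAttributes",
    "ListOriginationNumbers", "ListSMSSandboxPhoneNumbers",
}

# Constructed CloudTrail records, trimmed to the fields used below.
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventSource": "sns.amazonaws.com", "eventName": "GetSMSSandboxAccountStatus",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
 {"eventSource": "sns.amazonaws.com", "eventName": "GetSMSAttributes",
  "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
 {"eventSource": "sns.amazonaws.com", "eventName": "ListOriginationNumbers",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
 {"eventSource": "sns.amazonaws.com", "eventName": "GetSMSAttributes",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-notifier"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}}
]}""")


def flag_sms_probing(records, min_distinct=2):
    """Return principals that made >= min_distinct different SMS-capability calls."""
    seen = defaultdict(lambda: {"calls": set(), "errors": 0})
    for rec in records:
        if rec.get("eventSource") != "sns.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in SMS_CAPABILITY_CALLS:
            continue
        # AWS service events carry no ARN; bucket them together.
        arn = (rec.get("userIdentity") or {}).get("arn", "unknown")
        seen[arn]["calls"].add(name)
        if rec.get("errorCode"):  # denied or failed attempts still count as probing
            seen[arn]["errors"] += 1
    return {arn: {"calls": sorted(v["calls"]), "errors": v["errors"]}
            for arn, v in seen.items() if len(v["calls"]) >= min_distinct}


if __name__ == "__main__":
    for arn, hit in flag_sms_probing(SAMPLE_TRAIL["Records"]).items():
        print(arn, hit["calls"], "errors:", hit["errors"])
```

A principal that normally sends notifications will show one or two of these calls at most; a deployment or unused identity touching several of them is worth a look.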

The desire for recognition presents operational security challenges for actors developing tools for the opportunistic cloud hacking scene. Including the author's handle in the script is ubiquitous among cloud hack tools, enabling researchers to form a point of attribution even when delineating the tool families becomes challenging due to extensive overlap.
