Overview
SentinelLabs has identified SNS Sender, a malicious Python script that uses AWS Simple Notification Service (SNS) to send bulk SMS messages for the purpose of spamming phishing links, aka Smishing.
SNS Sender is using AWS SNS to send spam texts. The script requires access to an AWS account in which the service was already provisioned, configured, and enabled. By default, AWS accounts are subject to restrictions through a feature called the SNS sandbox. These restrictions can be removed if the customer spends $1 and provides a viable use case to AWS support, who manually review such requests.
SentinelLabs identified links between the actor behind this tool and many phishing kits used to target victims’ personally identifiable information (PII) and payment card details, imitating as message sent by United States Postal Service (USPS) regarding a missed package delivery.
Technique
SNS Sender leverages AWS SNS to conduct SMS spamming attacks, a tactic previously unseen in the wild. SNS is an AWS service used to send emails/messages/announcement using AWS. The script requires various inputs, including phishing links, AWS access keys, target phone numbers, sender IDs, and message content.
The sender ID variable, though optional in some countries according to AWS documentation, is mandatory in India while not supported in the United States. This detail contrasts with the actor's focus on phishing Americans with USPS-themed kits, suggesting unfamiliarity with sender ID exceptions, possibly indicating a non-US origin.
The SNS Sender script iterates through AWS credentials and regions in a while loop. It replaces instances of "linkas" in the message content with URLs from "links.txt," turning messages into phishing SMS with randomly selected links. The script tracks accessed AWS key pairs and phone numbers, incrementing counts with each loop iteration, ensuring unique credentials per message.
The operation has been linked to a threat actor named ARDUINO_DAS, known for offering over 150 phishing kits for sale, predominantly USPS-themed.
Indicators of Compromise
8fd501d7af71afee3e692a6880284616522d709e – sns_sender.py, SNS Sender
Phishing URLs
hxxps[:]//perwebsolutions[.]com/js/
hxxps[:]//usps[.]mytrackingh[.]top
hxxps[:]//u-sipsl[.]cc
Security Impact
The emergence of SNS Sender underscores the evolving tactics employed by threat actors to exploit cloud environments for smishing campaigns. These attacks pose significant risks to organizations and individuals, as they often target sensitive personal and financial information. By staying vigilant and implementing proactive security measures, organizations can better defend against such attacks and protect their assets and data from exploitation. Moreover, the broader trend of threat actors innovating their tactics, such as using advertising networks and legitimate platforms like Discord to distribute malware, highlights the ongoing challenge of cybersecurity in the digital age.
Recommendation
To mitigate the threat posed by SNS Sender and similar attacks,
Organizations should enhance their awareness of smishing tactics and educate users about the risks associated with unsolicited SMS messages.
Additionally, implementing robust email and SMS filtering mechanisms can help identify and block malicious links and messages.
Regular monitoring of AWS access keys and stringent access controls can also help prevent unauthorized usage of cloud services for malicious activities.
Comments