AWS SNS Hijackings Fuel Cloud Smishing Campaign

Published: 23/11/2024   Category: security

Using a custom Python script to send bulk phishing messages with a USPS lure, the cyberattackers are posing a risk to consumer-facing organizations moving workloads to the cloud.

Showcasing a previously unseen cyberattack technique, threat actors are using Amazon Web Services Simple Notification Service (AWS SNS) and a custom bulk-messaging spam script called SNS Sender to fuel an ongoing smishing campaign that impersonates the US Postal Service.
While the abuse of AWS SNS, a cloud-based messaging platform, is novel, the campaign is an example of what is becoming an increasingly common theme: Businesses and threat actors are both moving their respective workloads to the cloud rather than handling them through traditional Web servers, according to a report today from SentinelOne. And that presents serious business risk to those entities whose legitimate cloud instances have been compromised by attackers looking to piggyback on their AWS capabilities.
The SNS Sender script author or authors, who went by the alias ARDUINO_DAS from 2020 to 2023, were known to be prolific in the phishing kit scene, though this handle appears to have been abandoned after the operators were accused of scamming phishing kit buyers on the Dark Web, according to SentinelOne. The former alias, however, is still found in all of the threat actor's tools, which are still being used and actively circulated, including the latest campaign from last month.
According to Alex Delamotte, senior threat researcher at SentinelOne and author of the report, the SNS Sender attack uses a version of the well-worn missed package notification lure, claiming to be from the USPS.
"I've gotten a lot of these, and I know that a lot of other people have. They say that you've missed a package, and you need to pick it up at the post office," Delamotte says, adding that while the campaign casts a wide, non-specific net, senior citizens are most likely to fall prey to it. "It tells you to sign in and it looks a lot like the real USPS page, but it's collecting the person's name, address, and credit card number."
The text messages contain URLs that lead to phishing pages, which ask individuals to enter their personally identifiable information (PII) and payment-card details. These are then sent to the attackers' server, as well as a Telegram channel. "It's kind of like a centralized place to see logs that are collected from these phishing kits," Delamotte says. "We've actually seen logs of it. It also logs which phishing kits are used."
The campaign's standout aspect is the use of AWS SNS, according to SentinelOne.
"There's a lot of red tape to be able to send SMS messages in the cloud. There are federal regulations and an SMS registration framework known as A2P 10DLC. This framework implements federal guidelines for cloud or software-as-a-service (SaaS) providers to effectively know their customer," Delamotte emphasizes.
That means that the attackers need to have legitimate, trusted credentials to be able to maintain the campaign. What essentially happens is threat actors will steal an existing business's cloud credentials, likely because they cannot pass the vetting process to sign up for them on their own. The threat actor will then use those credentials to send the phishing text messages to various users, using the legitimate business domain.
However, there are further hurdles: Compromising any old AWS instance isn't enough; the attackers also need to verify a targeted environment's SNS capabilities.
"SNS Sender represents a more narrow approach that relies on the actor having access to a properly configured AWS SNS tenant," according to SentinelOne's report. "Using AWS presents a challenge for this actor. AWS does not allow SMS notifications via SNS by default. For this feature to work, the tenant needs to be removed from the SNS sandbox environment."
All of this carries significant risk for businesses. First of all, the domain-hijacking creates a bad image for the business, because they are the face of the scam to the user. In addition, being hijacked could compromise the SMS capabilities a business has to communicate with its customers: According to Delamotte, an affected organization will likely have to fight to keep its SMS capabilities active.
That's especially bad news for organizations that maintain high-volume SMS communications with consumers, such as e-commerce providers or those running loyalty programs.
For businesses, avoiding being caught up in SNS Sender comes down to what Delamotte considers to be basic security hygiene: Organizations need to make sure that they're not exposing their own credentials in the cloud, whether that be through code in GitHub or improperly secured services.
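Beyond keeping credentials out of repositories, a business whose tenant is already out of the SNS sandbox can watch its own SMS delivery logs for the signature of this abuse: a sudden burst of direct-to-phone-number publishes to unrelated numbers, often with a message type the business never uses. The following detector is an added example written for this article, not code from SentinelOne or from the SNS Sender script; the log records are constructed, and the field layout is an assumption drawn from the AWS SMS delivery-status logging documentation.

```python
"""Spot SNS Sender-style bulk SMS in SNS delivery-status logs (added example).

With SMS delivery logging on, SNS writes one JSON line per direct publish to a
CloudWatch group like sns/<region>/<account-id>/DirectPublishToPhoneNumber.
The records below are constructed; the field layout is an assumption drawn
from the AWS documentation, not logs from the campaign.
"""
import json
from collections import defaultdict

SAMPLE_LOG = """\
{"notification":{"messageId":"m-001","timestamp":"2024-11-22 14:03:01.1"},"delivery":{"destination":"+15555550101","priceInUSD":0.00645,"smsType":"Transactional"},"status":"SUCCESS"}
{"notification":{"messageId":"m-002","timestamp":"2024-11-22 14:10:00.2"},"delivery":{"destination":"+15555550102","priceInUSD":0.00645,"smsType":"Promotional"},"status":"SUCCESS"}
{"notification":{"messageId":"m-003","timestamp":"2024-11-22 14:10:00.4"},"delivery":{"destination":"+15555550103","priceInUSD":0.00645,"smsType":"Promotional"},"status":"SUCCESS"}
{"notification":{"messageId":"m-004","timestamp":"2024-11-22 14:10:00.7"},"delivery":{"destination":"+15555550104","priceInUSD":0.00645,"smsType":"Promotional"},"status":"FAILURE"}
{"notification":{"messageId":"m-005","timestamp":"2024-11-22 14:10:01.0"},"delivery":{"destination":"+15555550105","priceInUSD":0.00645,"smsType":"Promotional"},"status":"SUCCESS"}
{"notification":{"messageId":"m-006","timestamp":"2024-11-22 14:10:01.3"},"delivery":{"destination":"+15555550106","priceInUSD":0.00645,"smsType":"Promotional"},"status":"SUCCESS"}
"""

def parse_delivery_log(text):
    """Turn newline-delimited delivery records into flat rows keyed by minute."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        delivery = rec["delivery"]
        rows.append({
            "minute": rec["notification"]["timestamp"][:16],  # "YYYY-MM-DD HH:MM"
            "dest": delivery["destination"],
            "price": float(delivery.get("priceInUSD", 0.0)),
            "sms_type": delivery.get("smsType", ""),
        })
    return rows

def burst_alerts(rows, max_per_minute=3, baseline_type="Transactional"):
    """Flag minutes whose direct-SMS volume exceeds max_per_minute (low here to suit
    the sample; tune to the business's baseline) with spend, fan-out and type drift."""
    per_minute = defaultdict(list)
    for row in rows:
        per_minute[row["minute"]].append(row)
    alerts = []
    for minute, sent in sorted(per_minute.items()):
        if len(sent) > max_per_minute:
            alerts.append({"minute": minute, "count": len(sent),
                           "distinct_destinations": len({r["dest"] for r in sent}),
                           "spend_usd": round(sum(r["price"] for r in sent), 5),
                           "off_baseline": sum(1 for r in sent if r["sms_type"] != baseline_type)})
    return alerts
```

Running `burst_alerts(parse_delivery_log(SAMPLE_LOG))` flags only the 14:10 minute, where five promotional messages fanned out to five unrelated numbers while the account's normal traffic is a single transactional send.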
