Smishing scam utilising Amazon Web Services uncovered
Digital threat research group SentinelLabs has released a new study revealing abuse of Amazon Web Services' Simple Notification Service (AWS SNS) to conduct a 'smishing' (SMS phishing) scam impersonating the United States Postal Service (USPS).
The study highlights that, mirroring a trend among businesses, threat actors are increasingly shifting workloads traditionally handled by conventional web servers to cloud-based services. This behaviour is exemplified by a Python script named 'SNS Sender', which SentinelLabs identifies as the first script of its kind it has detected.
According to SentinelLabs, SNS Sender enables bulk SMS messages carrying phishing links to be sent to recipients, a technique known as 'smishing' that had not previously been observed in the context of cloud attack tools. These scam messages frequently masquerade as notifications from USPS about a missed package delivery, the company says.
The author of the script operates under the alias 'ARDUINO_DAS' and is a well-known figure in the phish kit scene. According to the study, SentinelLabs has uncovered links between this actor and several phishing kits developed to steal victims' personally identifiable information (PII) and payment card details.
SentinelLabs notes that other tools, such as AlienFox, have used business-to-consumer communication platforms like Twilio. However, it claims that SNS Sender is a novel use of AWS SNS for this specific malicious purpose. SentinelLabs believes the actor is using cloud services to dispatch bulk SMS phishing messages, although some questionable programming choices suggest the tool may still be in a testing phase.
"Threat actors are persistently seeking new tools and platforms for launching their chosen attacks, and SNS Sender is a perfect example," SentinelLabs says.
"It signifies a more specific approach that relies on the threat actor having access to a correctly configured AWS SNS tenant. Interestingly, using AWS poses a unique challenge for this actor: AWS does not enable SMS notifications via SNS by default, requiring the tenant to be removed from the SNS sandbox environment for this feature to function," it says.
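The bulk-SMS behaviour SentinelLabs describes leaves a detectable footprint on the sending account: once an AWS account has left the SNS SMS sandbox, SNS can write a delivery-status record to CloudWatch Logs for every SMS it sends. The following Python script is an added defender-side example, not code from the SentinelLabs report or from the SNS Sender tool. It parses records in the shape of SNS SMS delivery-status logs and flags any window in which SMS messages went to an unusually large number of distinct recipients, the pattern a smishing sender produces. The sample log lines, the phone numbers and the 20-recipients-per-minute threshold are all constructed for the example and should be tuned to an account's normal volume.

```python
"""Flag bulk-SMS bursts in Amazon SNS SMS delivery-status log records.

Added example for defenders; the records below are constructed to match the
shape of the delivery-status logs SNS writes to CloudWatch Logs. Every phone
number and message id is fake.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# SNS delivery logs carry timestamps in this form, e.g. "2016-06-28 00:40:34.558".
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"
EPOCH = datetime(1970, 1, 1)


def _record(ts, dest, status="SUCCESS", sms_type="Transactional"):
    """Build one constructed delivery-status record as a JSON log line."""
    return json.dumps({
        "notification": {"messageId": f"msg-{dest[-4:]}", "timestamp": ts},
        "delivery": {
            "destination": dest,
            "smsType": sms_type,
            "numberOfMessageParts": 1,
            "priceInUSD": 0.00645,
            "providerResponse": "Message has been accepted by phone carrier",
        },
        "status": status,
    })


# Constructed sample: three one-time-code style sends spread over an hour,
# then a burst of 30 distinct recipients inside a single minute.
SAMPLE_LOG_LINES = (
    [_record(f"2024-02-15 09:{m:02d}:10.000", f"+1555010{m:04d}") for m in (3, 17, 41)]
    + [_record(f"2024-02-15 10:05:{s:02d}.000", f"+1555020{s:04d}", sms_type="Promotional")
       for s in range(30)]
)


def parse_record(line):
    """Extract the fields the detector needs from one delivery-status log line."""
    rec = json.loads(line)
    return {
        "ts": datetime.strptime(rec["notification"]["timestamp"], TS_FORMAT),
        "destination": rec["delivery"]["destination"],
        "sms_type": rec["delivery"].get("smsType", ""),
        "status": rec["status"],
    }


def find_bulk_sms_windows(lines, window_seconds=60, max_recipients=20):
    """Group records into fixed time windows and return the windows in which
    more than max_recipients distinct phone numbers were messaged.

    Each alert is a dict with the window start, the distinct-recipient count
    and the SMS types seen, sorted by window start.
    """
    recipients = defaultdict(set)
    sms_types = defaultdict(set)
    width = timedelta(seconds=window_seconds)
    for line in lines:
        r = parse_record(line)
        bucket = (r["ts"] - EPOCH) // width  # integer window index, timezone-free
        recipients[bucket].add(r["destination"])
        sms_types[bucket].add(r["sms_type"])

    alerts = []
    for bucket in sorted(recipients):
        count = len(recipients[bucket])
        if count > max_recipients:
            start = EPOCH + bucket * width
            alerts.append({
                "window_start": start.strftime("%Y-%m-%d %H:%M:%S"),
                "distinct_recipients": count,
                "sms_types": sorted(sms_types[bucket]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_sms_windows(SAMPLE_LOG_LINES):
        print(alert)
```

In a real deployment the lines would come from the CloudWatch log group that SNS delivery logging targets, and the same per-window recipient count can be expressed as a CloudWatch Logs Insights or SIEM query; the script also makes a useful companion to a periodic check that the account's SMS monthly spend limit is set deliberately rather than left at a value an abused tenant could exhaust.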
The use of an alias within the script is common practice amongst cloud hack tools, SentinelLabs says. This has enabled researchers to establish a point of attribution even when separating the tool families becomes challenging because of their extensive overlap.
"This new study presents a snapshot into how threat actors conduct these types of attacks, and stands as a reminder of the importance of maintaining diligence in the face of potential SMS phishing scams," SentinelLabs says.