Python Script ‘SNS Sender’ Used for Bulk Smishing Attacks

A new Python script, dubbed SNS Sender, is being used by threat actors to conduct bulk smishing attacks, exploiting the Amazon Web Services (AWS) Simple Notification Service (SNS). The script enables attackers to send SMS phishing messages, primarily impersonating messages from the United States Postal Service (USPS) regarding missed package deliveries. These messages contain malicious links aimed at capturing victims’ personally identifiable information (PII) and payment card details.

A security firm attributes the development of SNS Sender to a threat actor known as ARDUINO_DAS. This tool marks the first observed instance of leveraging AWS SNS for SMS spamming attacks. The researcher has identified links between ARDUINO_DAS and over 150 phishing kits available for purchase in the cybercriminal underground.

SNS Sender requires a list of phishing links stored in a file named links.txt in its working directory, along with AWS access keys, target phone numbers, sender IDs (display names), and message content. Notably, the requirement of sender IDs for sending scam texts varies by country, suggesting that the script’s author likely operates from a region where sender IDs are common practice.

Evidence indicates that this operation may have been active since at least July 2022, based on bank logs referencing ARDUINO_DAS shared on carding forums such as Crax Pro. The phishing kits predominantly feature USPS themes, directing users to fake package tracking pages to harvest personal and financial information.

The discovery of SNS Sender reflects a broader trend of threat actors exploiting cloud environments for smishing campaigns. In a related incident in April 2023, Permiso identified threat actors using previously exposed AWS access keys to infiltrate AWS servers and send SMS messages via SNS.

Additionally, the discovery of a new dropper named TicTacToe highlights the ongoing innovation of threat actors in propagating various information stealers and remote access trojans (RATs) targeting Windows users throughout 2023. The researcher disclosed that TicTacToe is distributed through a four-stage infection chain, starting with an ISO file embedded within email messages.

Furthermore, threat actors are increasingly using advertising networks to conduct spam campaigns and deploy malware such as DarkGate. This tactic involves proxying links through advertising networks to evade detection and gather analytics on victims. Discord has also been misused by threat actors to distribute malware, taking advantage of its reputation and widespread use.

These developments underscore the evolving tactics of threat actors and the importance of robust cybersecurity measures to mitigate the risks posed by such attacks.

To defend against SNS Sender and similar threats, it’s crucial to monitor your account for unusual activity and implement logging and monitoring tools to detect and respond to potential threats. Educate your employees about the risks of phishing and smishing attacks and encourage them to report suspicious messages. Consider using email and SMS filtering services to block malicious content before it reaches your users.
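
One way to act on the logging advice above, as an added example that is not from the article or the researchers it cites: a Python pass over CloudTrail records that flags IAM user access keys calling SNS SMS-related APIs. It assumes those calls appear in your trail as management events; the watched action list, the allow-list parameter, the threshold and the sample records are all constructed for illustration.

```python
import json
from collections import defaultdict

# Real SNS API action names related to SMS setup; which ones to watch is
# this example's choice, not a list taken from the article.
SMS_ACTIONS = {"GetSMSAttributes", "SetSMSAttributes", "GetSMSSandboxAccountStatus",
               "CreateSMSSandboxPhoneNumber", "VerifySMSSandboxPhoneNumber",
               "ListOriginationNumbers"}

def _rec(key, user, source, name, ip, error=None):
    """Build one constructed CloudTrail-style record (sample data only)."""
    rec = {"eventSource": source, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "accessKeyId": key,
                            "arn": f"arn:aws:iam::111122223333:user/{user}"}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample trail: placeholder key IDs, documentation-range IPs.
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("AKIAIOSFODNN7EXAMPLE", "ci-deploy", "sns.amazonaws.com", "GetSMSSandboxAccountStatus", "203.0.113.10"),
    _rec("AKIAIOSFODNN7EXAMPLE", "ci-deploy", "sns.amazonaws.com", "GetSMSAttributes", "203.0.113.10"),
    _rec("AKIAIOSFODNN7EXAMPLE", "ci-deploy", "sns.amazonaws.com", "SetSMSAttributes", "198.51.100.7", "AccessDenied"),
    _rec("AKIAEXAMPLEOTPSVC001", "otp-service", "sns.amazonaws.com", "GetSMSAttributes", "192.0.2.25"),
    _rec("AKIAIOSFODNN7EXAMPLE", "ci-deploy", "s3.amazonaws.com", "ListBuckets", "203.0.113.10"),
]})

def flag_sms_activity(trail_json, baseline_keys=frozenset(), min_actions=2):
    """Flag IAM user access keys calling SNS SMS APIs outside an allow-list."""
    seen = defaultdict(lambda: {"arn": None, "actions": set(), "ips": set(), "errors": 0})
    for rec in json.loads(trail_json).get("Records", []):
        ident = rec.get("userIdentity", {})
        key = ident.get("accessKeyId")
        if rec.get("eventSource") != "sns.amazonaws.com" or rec.get("eventName") not in SMS_ACTIONS:
            continue
        # Long-term IAM user keys only: the exposed-key case the article describes.
        if ident.get("type") != "IAMUser" or not key or key in baseline_keys:
            continue
        entry = seen[key]
        entry["arn"] = ident.get("arn")
        entry["actions"].add(rec["eventName"])
        entry["ips"].add(rec.get("sourceIPAddress", "unknown"))
        entry["errors"] += 1 if rec.get("errorCode") else 0
    # Report a key that touched several SMS APIs or was denied on any of them.
    return [{"access_key": k, "arn": e["arn"], "actions": sorted(e["actions"]),
             "source_ips": sorted(e["ips"]), "errors": e["errors"]}
            for k, e in sorted(seen.items())
            if len(e["actions"]) >= min_actions or e["errors"]]

if __name__ == "__main__":
    for finding in flag_sms_activity(SAMPLE_TRAIL, baseline_keys={"AKIAEXAMPLEOTPSVC001"}):
        print(json.dumps(finding))
```

Keys belonging to services that legitimately send SMS go in `baseline_keys`, so a finding means a key that has no business touching SNS SMS settings is doing so.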