USPS “failed delivery” scam texts could be sent through Amazon cloud services using a new phishing tool brought to light by researchers Thursday.
SNS Sender is a Python script discovered by SentinelOne researchers that is designed to enable bulk SMS delivery via the Amazon Simple Notification Service (SNS). The phishing kit automatically inserts links to attacker-controlled websites, such as fake U.S. Postal Service (USPS) websites that collect victims’ personal information including names, addresses, phone numbers, emails and credit card numbers.
SentinelLabs Threat Researcher Alex Delamotte said in a blog post detailing the script that it represents “a previously unseen technique in the context of cloud attack tools.”
“A common threat between businesses and threat actors is that both are moving workloads previously handled by traditional web servers to the cloud,” Delamotte wrote.
Amazon SNS exploitation tool linked to prolific phishing kit creator
SMS phishing, or smishing, campaigns may leverage bulk SMS delivery tools, such as Twilio, to boost their ability to spam victims en masse. The SNS Sender smishing kit is believed to be the first of its kind to target Amazon SNS, according to SentinelOne.
The suspected author of SNS Sender is known by the alias “ARDUINO_DAS,” whose handle appears in more than 150 other phishing kit files identified by SentinelOne. More than half of the kits associated with ARDUINO_DAS were related to USPS scams.
SNS Sender contains a text file for storing a list of phishing links that are randomly chosen and inserted into smishing messages by replacing occurrences of the “linkas” string. It also includes text files for storing target phone numbers, message contents and Amazon Web Services (AWS) access keys.
There are some signs in the SNS Sender script that suggest it is more of a work-in-progress than a complete smishing kit. For example, the script includes the ability to insert a custom sender ID, which is not supported by carriers in the United States where targets of USPS scams would presumably reside.
Additionally, the manner in which the script selects AWS access key pairs to use for each message does not appear to be optimized, as it would require an impractically long list of credentials to run at scale.
Cloud services targeted for hijacking by phishing operations
While the discovery of a phishing tool dedicated to exploitation of Amazon SNS is a new development, there have been several examples of threat actors targeting cloud servers for potential subsequent phishing campaigns.
For example, an attacker who used previously exposed AWS access keys to infiltrate an AWS server in March 2023 was observed by Permiso researchers attempting a “GetSMSAttributes” action. The researchers realized attackers may run “GetSMSAttribute,” “GetSMSSandboxAccountStatus” and similar commands to determine if a hijacked server is configured properly to send mass SMS messages.
Attackers targeting AWS SNS may run into trouble, as the cloud service does not enable bulk SMS delivery by default. The AWS tenant must be outside of the SNS sandbox environment to take advantage of this feature.
SentinelOne previously detailed Predator AI, a Python-based infostealer and hacking tool that leverages the ChatGPT API. Predator AI targets a wide range of cloud services, including email and SMS communication services that could be leveraged for phishing campaigns, such as AWS’ Simple Email Service (SES).
Earlier this year, another Python-based hack tool called FBot was revealed to be targeting AWS, Sendgrid, Twilio and other cloud and software services. Like Predator AI, FBot established initial access to accounts to be used post-compromise for email and text spamming.
