AWS SNS Hijackings Fuel Cloud Smishing Campaign

Using a custom Python script to send bulk phishing messages with a USPS lure, the cyberattackers are posing a risk to consumer-facing organizations moving workloads to the cloud.

Showcasing a previously unseen cyberattack technique, threat actors are using Amazon Web Services Simple Notification Service (AWS SNS) and a custom bulk-messaging spam script called SNS Sender to fuel an ongoing "smishing" campaign that impersonates the US Postal Service.

While the abuse of AWS SNS, a cloud-based messaging platform, is novel, the campaign is an example of what is becoming an increasingly common theme: Businesses and threat actors are both moving their respective workloads to the cloud rather than handling them through traditional Web servers, according to a report today from SentinelOne. And that presents serious business risk to those entities whose legitimate cloud instances have been compromised by attackers looking to piggyback on their AWS capabilities.

Smishing Infection Routine

The SNS Sender script author or authors, who went by the alias "ARDUINO_DAS" from 2020 to 2023, were known to be prolific in the phishing kit scene, though this handle appears to have been abandoned after the operators were accused of scamming phishing kit buyers on the Dark Web, according to SentinelOne. The former alias, however, is still found in all of the threat actors' tools, which are still being used and actively circulated, including the latest campaign from last month.

According to Alex Delamotte, senior threat researcher at SentinelOne and author of the report, the SNS Sender attack uses a version of the well-worn "missed package" notification lure, claiming to be from the USPS.

"I've gotten a lot of these, and I know that a lot of other people have. They say that you've missed a package, and you need to pick it up at the post office," Delamotte says, adding that while the campaign casts a wide, non-specific net, senior citizens are most likely to fall prey to it. "It tells you to sign in and it looks a lot like the real USPS page, but it's collecting the person's name, address, and credit card number."

The text messages contain URLs that lead to phishing pages, which ask individuals to enter their personally identifiable information (PII) and payment-card details. These are then sent to the attacker's server, as well as a Telegram channel. "It's kind of like a centralized place to see logs that are collected from these phishing kits," Delamotte says. "We've actually seen logs of it. It also logs which phishing kits are used."

Business Risk: The Trouble With Cloud Phishing

The campaign's standout aspect is the use of AWS SNS, according to SentinelOne.

"There's a lot of red tape to be able to send SMS messages in the cloud. There are federal regulations and an SMS registration framework known as A2P 10DLC. This framework implements federal guidelines for cloud or software-as-a-service (SaaS) providers to effectively know their customer," Delamotte emphasizes.

That means that the attackers need to have legitimate, trusted credentials to be able to maintain the campaign. What essentially happens is that threat actors steal an existing business's cloud credentials, likely because they cannot pass the vetting process to sign up for them on their own. The threat actor then uses those credentials to send the phishing text messages to various users, using the legitimate business's domain.

However, there are further hurdles: Compromising any old AWS instance isn't enough — the attackers also need to verify a targeted environment's SNS capabilities.

"SNS Sender represents a more narrow approach that relies on the actor having access to a properly configured AWS SNS tenant," according to SentinelOne's report. "Using AWS presents a challenge for this actor. AWS does not allow SMS notifications via SNS by default. For this feature to work, the tenant needs to be removed from the SNS sandbox environment."

All of this carries significant risk for businesses. First of all, the domain hijacking creates a bad image for the business, because it becomes the face of the scam to the user. In addition, being hijacked could compromise the SMS capabilities a business has to communicate with its customers: According to Delamotte, an affected organization will likely have to fight to keep its SMS capabilities active.

That's especially bad news for organizations that maintain high-volume SMS communications with consumers, such as e-commerce providers or those running loyalty programs.

For businesses, avoiding being caught up in SNS Sender comes down to what Delamotte considers to be basic security hygiene: Organizations need to make sure that they're not exposing their own credentials in the cloud, whether that be through code in GitHub or "improperly secured services."
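
Because an attacker holding stolen credentials still has to confirm that the account can send SMS, that check is something a defender can look for. The following is an added example, not code from the article or from SentinelOne's report: it scans CloudTrail records for the SNS calls that report sandbox status and SMS settings (`GetSMSSandboxAccountStatus`, `GetSMSAttributes`) made by principals that have no reason to manage SMS. The records, account ID, user names and allowlist are constructed sample data.

```python
import json
from collections import defaultdict

# SNS management calls that reveal whether an account can send SMS at all.
SMS_CAPABILITY_CALLS = {"GetSMSSandboxAccountStatus", "GetSMSAttributes"}

# Constructed CloudTrail records, trimmed to the fields used below.
SAMPLE_RECORDS = json.loads("""
[
 {"eventSource": "sns.amazonaws.com", "eventName": "GetSMSSandboxAccountStatus",
  "sourceIPAddress": "203.0.113.50",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
 {"eventSource": "sns.amazonaws.com", "eventName": "GetSMSAttributes",
  "sourceIPAddress": "203.0.113.50",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
 {"eventSource": "sns.amazonaws.com", "eventName": "GetSMSAttributes",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/notify-svc"}},
 {"eventSource": "sns.amazonaws.com", "eventName": "GetSMSSandboxAccountStatus",
  "sourceIPAddress": "203.0.113.99", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-job"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
  "sourceIPAddress": "203.0.113.50",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}}
]
""")

def find_sms_capability_checks(records, expected_principals):
    """Group SMS capability checks by principal, skipping principals that
    are expected to manage SMS. Denied calls are kept: a failed probe is
    still a sign that a credential is being tested."""
    grouped = defaultdict(lambda: {"calls": set(), "ips": set(), "denied": 0})
    for rec in records:
        if rec.get("eventSource") != "sns.amazonaws.com":
            continue
        if rec.get("eventName") not in SMS_CAPABILITY_CALLS:
            continue
        arn = rec.get("userIdentity", {}).get("arn", "unknown")
        if arn in expected_principals:
            continue
        entry = grouped[arn]
        entry["calls"].add(rec["eventName"])
        entry["ips"].add(rec.get("sourceIPAddress", "unknown"))
        entry["denied"] += 1 if rec.get("errorCode") else 0
    return [{"principal": arn, "calls": sorted(e["calls"]),
             "ips": sorted(e["ips"]), "denied": e["denied"]}
            for arn, e in sorted(grouped.items())]
```

On the sample data, the allowlisted `notify-svc` user is ignored, while `ci-deploy` and `backup-job` are reported because neither is expected to query SMS settings.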
