With SNS Sender, USPS Smishing Scams Move to the Cloud
2024-02-16 21:43:26 Author: securityboulevard.com

Given how many organizations continue to move their workloads to the cloud, it’s not surprising that bad actors are doing the same. The latest example comes from attackers who are using Amazon Web Services’ Simple Notification Service (SNS) in a “smishing” scam that includes impersonating the U.S. Postal Service (USPS).

A Python-based script called SNS Sender is being offered in phishing kits and is using the AWS service to send bulk SMS text messages that appear to come from the postal service regarding missed package deliveries but are used by the bad actors to spread spamming phishing links – smishing – aimed at grabbing victims’ personally identifiable information (PII) and payment card details, according to a report from cybersecurity firm SentinelOne.

“SNS Sender is the first script we observed using AWS SNS,” wrote Alex Delamotte, senior threat researcher at SentinelOne. “While other tools like AlienFox have used business to customer (B2C) communications platforms such as Twilio, we are unaware of other tools that use AWS SNS to conduct SMS spamming attacks.”

Delamotte added that SentinelOne researchers “believe this actor is using cloud services to send bulk SMS phishing messages, though they may still be testing the tool based on some questionable programming choices.”

USPS Theme in Phishing Kits

She tied SNS Sender to a “prolific” threat actor who used the handle “ARDUINO_DAS,” noting that the researchers found more than 150 phishing kits that contain references to the cybercriminal, with more than half of them using the USPS as their theme.

The archives in those kits have names similar to the URIs found in several recent smishing campaigns that used the pitch of a missed package delivery as their lure. That said, Delamotte said the person behind the ARDUINO_DAS handle, which had been active since 2020, abandoned it in 2023 after being accused of scamming buyers on the dark web.

“However, some recently circulated phishing kits still reference this handle, which may make it an artifact of actors using the phishing kit,” she wrote.

SNS Sender Features

SentinelOne, using the link between ARDUINO_DAS and USPS phishing, looked into several campaigns that were running through early January and hosted on two sites that share several features: a landing page telling the target that their package couldn’t be delivered, a “Click Update” button to take the next step, and a tracking page that appears to include USPS tracking details.

However, that tracking page prompts the victim to input their name, phone number, and physical and email addresses.

There also is a payment card verification page that asks the victim to enter a credit card number to pay a 30-cent redelivery fee. The server forwards the details to a card checker, which Delamotte wrote likely runs through a Telegram service.

The SNS Sender script that enables the bulk SMS spamming using AWS’ SNS includes a list of phishing links and text files that hold a list of AWS access keys, secrets, and regions, phone numbers to target, a sender ID, and the message.

“The script tracks how many AWS access key pairs have been accessed through the ‘a’ variable and how many phone numbers have been used through the ‘y’ variable, which are initialized as 0 and incremented by 1 each time the loop runs,” she wrote. “Each message is sent using the credentials from one line from the AWS access key pair list, and the tracking ensures that the next line is accessed for the subsequent message.”
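The behaviour described above, one SMS per stolen key pair with the script stepping to the next key for each message, leaves a recognisable trace on the defender's side: a burst of direct-to-phone-number `Publish` calls authenticated by many different access keys, often across several regions. The following detector is an added example written for this article, not code from SentinelOne or from the SNS Sender script. It assumes the `Publish` calls are available as CloudTrail-style JSON records carrying `eventTime`, `awsRegion`, `userIdentity.accessKeyId` and `requestParameters`; the sample records, access key IDs and phone numbers are constructed for the demonstration.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records (not real CloudTrail output): six direct-SMS
# Publish calls a few seconds apart, each authenticated with a different
# access key and spread over three regions, plus one ordinary topic publish.
_ROTATION = [
    ("AKIAEXAMPLE000000001", "us-east-1"),
    ("AKIAEXAMPLE000000002", "us-east-1"),
    ("AKIAEXAMPLE000000003", "us-west-2"),
    ("AKIAEXAMPLE000000004", "us-east-1"),
    ("AKIAEXAMPLE000000005", "eu-west-1"),
    ("AKIAEXAMPLE000000006", "us-west-2"),
]

SAMPLE_EVENTS = [
    json.dumps({
        "eventTime": f"2024-01-09T14:02:{3 * i:02d}Z",
        "eventSource": "sns.amazonaws.com",
        "eventName": "Publish",
        "awsRegion": region,
        "userIdentity": {"accessKeyId": key},
        "requestParameters": {"phoneNumber": f"+1555010{i:04d}"},
    })
    for i, (key, region) in enumerate(_ROTATION)
] + [
    json.dumps({
        "eventTime": "2024-01-09T14:02:30Z",
        "eventSource": "sns.amazonaws.com",
        "eventName": "Publish",
        "awsRegion": "us-east-1",
        "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"},
        "requestParameters": {"topicArn": "arn:aws:sns:us-east-1:123456789012:orders"},
    })
]


def parse_event(raw: str) -> dict:
    """Reduce one CloudTrail-style JSON record to the fields the detector needs."""
    rec = json.loads(raw)
    params = rec.get("requestParameters") or {}
    identity = rec.get("userIdentity") or {}
    return {
        "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        .replace(tzinfo=timezone.utc),
        "key": identity.get("accessKeyId", "unknown"),
        "region": rec.get("awsRegion", "unknown"),
        # A Publish aimed at a phoneNumber (rather than a topic or endpoint)
        # is a direct SMS send, which is what a bulk smishing tool issues.
        "is_sms": rec.get("eventSource") == "sns.amazonaws.com"
        and rec.get("eventName") == "Publish"
        and "phoneNumber" in params,
    }


def find_sms_rotation(events, window_seconds=300, min_messages=5, min_keys=3):
    """Bucket direct-SMS Publish calls into fixed time windows and flag any
    window in which the messages were authenticated with many distinct access
    keys. A legitimate notification service normally publishes from one
    identity; rotating a fresh key pair per message is the tool's signature.
    """
    buckets = defaultdict(list)
    for ev in events:
        if not ev["is_sms"]:
            continue
        start = int(ev["time"].timestamp()) // window_seconds * window_seconds
        buckets[start].append(ev)

    findings = []
    for start in sorted(buckets):
        group = buckets[start]
        keys = {ev["key"] for ev in group}
        if len(group) >= min_messages and len(keys) >= min_keys:
            findings.append({
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
                "messages": len(group),
                "distinct_keys": len(keys),
                "regions": sorted({ev["region"] for ev in group}),
            })
    return findings


def analyze(raw_records):
    """Parse raw JSON records and return the rotation findings."""
    return find_sms_rotation([parse_event(r) for r in raw_records])


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

Thresholds are deliberately low for the sample; in production they belong in a config tied to the account's normal SMS volume. Because SNS only delivers SMS to arbitrary numbers once an account has left the SMS sandbox, a complementary control is to inventory which accounts are out of the sandbox (the `GetSMSSandboxAccountStatus` API reports this) and treat direct-SMS publishes from any other account as unexpected.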

‘A More Narrow Approach’

Delamotte wrote that SNS Sender in many ways is similar to other “mega tools” like AlienFox – which SentinelOne last year called the “cloud spammer’s Swiss Army knife” – and the Predator cloud-focused infostealer, which run scams through bulk mail and business communications services. There also have been reports of APIs used in attacks leveraging AWS SNS and of enumeration routes attackers take to verify a target’s SNS capabilities.

“SNS Sender represents a more narrow approach that relies on the actor having access to a properly configured AWS SNS tenant,” she wrote. “Using AWS presents a challenge for this actor: AWS does not allow SMS notifications via SNS by default. For this feature to work, the tenant needs to be removed from the SNS sandbox environment. This is an update from previous research where AWS automatically allowed accounts to send to 10 destination numbers while an account is in the SNS sandbox.”

Smishing Moves to the Cloud

Smishing isn’t new, though using the cloud as a path is coming into vogue among threat actors. In a report last year, cybersecurity firm Permiso wrote that “as this trend gains traction in the wild … commodity threat actors have recently begun to exploit cloud environments for smishing campaigns, employing techniques strikingly similar to those used in SES enumeration and abuse.”

Proofpoint researchers also noted the dangers that lurk in people’s mobile phones.

“Most of the 3.5 billion smartphones worldwide can receive text messages from any number in the world,” they wrote. “Many users know the dangers of clicking a link in email messages. However, fewer people are aware of the risks of clicking links in text messages. Users are much more trusting of text messages, so smishing is often lucrative to attackers phishing for credentials, banking information and private data.”

Article source: https://securityboulevard.com/2024/02/with-sns-sender-usps-smishing-scams-move-to-the-cloud/