An illustration of a smartphone with multiple envelopes, representing emails, hanging from clouds above. The central cloud features a skull and crossbones symbol, signifying the presence of a cyberthreat.

Malicious 'SNS Sender' Script Abuses AWS for Bulk Smishing Attacks

Newsroom, Cyber Threat / Cloud Security, February 16, 2024

A malicious Python script called SNS Sender is being advertised as a way for threat actors to send bulk smishing messages by abusing Amazon Web Services (AWS) Simple Notification Service (SNS).

The SMS phishing messages are designed to spread malicious links that aim to harvest victims' personally identifiable information (PII) and payment card details, according to SentinelOne, which attributes the tool to a threat actor going by the name ARDUINO_DAS.

The smishing scams frequently masquerade as messages from the USPS regarding a missed package delivery, security researcher Alex Delamotte said.

SNS Sender is also the first tool observed in the wild that uses AWS SNS to conduct SMS spamming attacks. SentinelOne said it has identified links between ARDUINO_DAS and more than 150 phishing kits offered for sale.

The malware requires a list of phishing links stored in a file named links.txt in its working directory, along with a list of AWS access keys, target phone numbers, a sender ID (also known as a display name), and the message content.


The fact that the script requires a sender ID is noteworthy, because support for sender IDs varies from country to country. This suggests that the author of SNS Sender is likely from a country where using a sender ID is common practice.

Amazon's documentation notes that carriers in some countries require senders to use a sender ID, while carriers in the United States do not support sender IDs at all.
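A defender-side check for the behaviour described above, written here as an added example rather than code from the article or from SentinelOne: it scans CloudTrail-style SNS Publish records (a constructed, simplified record shape with assumed field names) and flags any access key that publishes SMS to many distinct phone numbers inside a short window, reporting whatever sender ID was set through the AWS.SNS.SMS.SenderID message attribute. The sample events and the AKIAEXAMPLE... key IDs are constructed, not real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _make_event(key, minute, phone, sender_id=None):
    """Build one constructed CloudTrail-like SNS Publish record (sample data, not real)."""
    params = {"phoneNumber": phone, "message": "<redacted>"}
    if sender_id:  # optional SMS sender ID, the attribute a sender-ID input would set
        params["messageAttributes"] = {"AWS.SNS.SMS.SenderID": {"stringValue": sender_id}}
    return {"eventSource": "sns.amazonaws.com", "eventName": "Publish",
            "eventTime": f"2024-02-16T10:{minute:02d}:00Z",
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}

# Constructed sample log: one key blasts 25 numbers in 3 minutes as "USPS"; a second key sends two one-off messages.
SAMPLE_EVENTS = [_make_event("AKIAEXAMPLEKEY00001", i % 3, f"+1555000{i:04d}", "USPS")
                 for i in range(25)]
SAMPLE_EVENTS += [_make_event("AKIAEXAMPLEKEY00002", 5, "+15550009999"),
                  _make_event("AKIAEXAMPLEKEY00002", 40, "+15550009998")]

def find_bulk_sms(events, window=timedelta(minutes=10), threshold=20):
    """Flag each access key that publishes SMS to >= threshold distinct phone numbers
    inside any sliding window of the given length; one finding per offending key."""
    per_key = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "sns.amazonaws.com" or ev.get("eventName") != "Publish":
            continue
        params = ev.get("requestParameters", {})
        phone = params.get("phoneNumber")
        if not phone:
            continue  # publishes to topics or endpoints are not SMS blasts
        attrs = params.get("messageAttributes", {})
        sender = attrs.get("AWS.SNS.SMS.SenderID", {}).get("stringValue")
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        per_key[ev["userIdentity"]["accessKeyId"]].append((ts, phone, sender))
    findings = []
    for key, rows in per_key.items():
        rows.sort(key=lambda r: r[0])
        start, best = 0, None
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # slide the window start forward
                start += 1
            in_window = rows[start:end + 1]
            numbers = {r[1] for r in in_window}
            if len(numbers) >= threshold and (best is None or len(numbers) > best[0]):
                best = (len(numbers), in_window)
        if best:
            findings.append({"accessKeyId": key, "messages": len(best[1]),
                             "distinctNumbers": best[0],
                             "senderIds": sorted({r[2] for r in best[1] if r[2]})})
    return findings
```

Calling find_bulk_sms(SAMPLE_EVENTS) returns a single finding for the first key, with 25 messages to 25 distinct numbers under the sender ID "USPS"; the second key's two widely spaced messages are not flagged.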

There is evidence that this operation may have been active since at least July 2022, based on bank logs containing references to ARDUINO_DAS that have been posted on carding forums such as Crax Pro.

Security researcher @JCyberSec_ noted on X (formerly Twitter) in early September 2022 that the vast majority of the phishing kits are USPS-themed and direct users to bogus package tracking pages that prompt them to enter their personal and credit/debit card information.

The researcher added, "Do you believe the deployer is aware that every kit has a secret backdoor that sends the logs to another location?"

The development, if anything, illustrates the ongoing efforts of commodity threat actors to run smishing campaigns from cloud environments. In April 2023, Permiso disclosed an activity cluster that infiltrated AWS servers and used SNS to send SMS messages.

The findings also follow the discovery of TicTacToe, a new dropper that has been linked to the distribution of numerous information stealers and remote access trojans (RATs) targeting Windows users throughout 2023.

The malware is distributed via a four-stage infection chain that starts with an ISO file embedded in email messages, according to Fortinet FortiGuard Labs, which detailed it.

Another pertinent illustration of threat actors continually evolving their tactics is the use of advertising networks to launch effective spam campaigns and distribute malware such as DarkGate.


According to HP Wolf Security, the threat actor "proxied links through an advertising network to avoid detection and gather analytics about their victims." The campaigns began with malicious PDF attachments posing as OneDrive error messages, ultimately leading to the malware.

The PC maker also highlighted the abuse of legitimate platforms like Discord to stage and distribute malware, a trend that has become more prevalent in recent years and that prompted Discord's switch to temporary file links by the end of last year.

According to Intel 471, "Discord is widely trusted because of its strong and dependable infrastructure." Organizations frequently allowlist Discord, permitting unrestricted connections and links to it. Given its reputation and widespread use, its popularity among threat actors is therefore not surprising.
