SNS Sender Revealed in Phishing Campaign

Cybercriminals have targeted users’ data through widespread phishing SMS campaigns, employing a specialized script named SNS Sender that exploits Amazon’s Simple Notification Service (SNS).

These SMS messages contain malicious links aimed at stealing personal information and victims’ payment card data. Fraudsters often masquerade as notifications from the United States Postal Service (USPS) regarding undelivered packages.

Researchers from SentinelOne associate this activity with a hacker known by the pseudonym “ARDUINO_DAS,” identifying SNS Sender as the first tool observed “in the wild” using Amazon’s SNS infrastructure for spam campaigns.

SNS Sender inputs and outputs

Upon examining a ready-to-launch phishing kit prepared for a spam attack, specialists discovered that SNS Sender requires a list of phishing links stored in a “links.txt” file within the program’s working directory, along with a list of AWS access keys, target phone numbers, sender ID, and message text.

According to SentinelOne, hacker ARDUINO_DAS is linked to over 150 phishing kits, each finding its buyer on specialized darknet marketplaces. Most of these kits are USPS-themed, directing users to fraudulent parcel tracking pages to enter personal and credit card information.

Researchers also note a trend of exploiting legitimate platforms for distributing malware. Discord, in recent years, has been increasingly used by hackers, highlighting the need for vigilance and caution when dealing with suspicious messages and links.

The investigation also revealed that some phishing kits may contain hidden backdoors, sending collected data back to the kits’ developers. This grants distributors of ready-made phishing kits access to an endless stream of their clients’ data, as well as the potential for additional monetization of the collected information.

SentinelOne’s findings confirm the ongoing trend of using cloud environments to conduct SMS phishing campaigns, underscoring the need for caution both among users and cybersecurity professionals.

To avoid becoming another victim of fraudsters, remain vigilant and distrustful of dubious SMS messages, especially those containing links. Even if messages appear legitimate and seem to originate from services you use, they may not always be truthful.

In case of any suspicions, the best course of action is to ignore the suspicious message and directly contact the support of the concerned service for consultation.
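The check a cautious reader performs by eye on a USPS-themed SMS (does the link really point at the postal service's own domain?) can be automated in a mail or SMS gateway. The following is an added example, not code from SentinelOne or from the kits described; the allowlist, the keyword list and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_DOMAINS = ("usps.com",)  # assumption: the only domain accepted as genuine
# Assumed keyword list for the undelivered-package lure described in the article.
LURE_WORDS = re.compile(r"\b(usps|postal service|package|parcel|(?:un)?deliver\w*)\b", re.I)
# Links with a scheme, or bare domains (common in SMS bodies).
URL_RE = re.compile(r"https?://\S+|(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def link_hosts(text):
    """Return the lower-cased hostname of every link found in an SMS body."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")
        if "://" not in url:
            url = "http://" + url
        try:
            host = urlsplit(url).hostname  # resolves user@host tricks to the real host
        except ValueError:
            host = None
        hosts.append(host.rstrip(".").lower() if host else url.lower())
    return hosts

def is_official(host):
    """True for the official domain or a real subdomain, not a lookalike prefix."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def triage(text):
    """Return (verdict, off_brand_hosts) for one SMS body."""
    hosts = link_hosts(text)
    off_brand = [h for h in hosts if not is_official(h)]
    if not hosts:
        verdict = "no-link"
    elif off_brand and LURE_WORDS.search(text):
        verdict = "suspicious"  # postal lure pointing somewhere else
    elif not off_brand:
        verdict = "official-link"
    else:
        verdict = "unrelated"
    return verdict, off_brand

# Constructed sample messages; the .example hosts are placeholders.
SAMPLES = [
    "USPS: your package could not be delivered. Update your address: https://usps-redelivery.example/track",
    "USPS tracking update: https://tools.usps.com/go/TrackConfirmAction",
    "Your parcel is on hold, confirm at usps.com.parcel-hold.example/id",
    "https://usps.com@track-parcel.example/x USPS delivery failed",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage(sms), "<-", sms)
```

A "suspicious" verdict only means the message uses the postal lure while linking off the allowlisted domain; it is a triage signal, not proof of phishing.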