Researchers Identify 'Smishing' Attack that Uses AWS SNS

A first-of-its-kind "smishing" attack is using Amazon Web Services' Simple Notification Service, or SNS, to impersonate the United States Postal Service.

"Smishing" refers to an attack in which phishing messages are sent in bulk via SMS. This particular attack, which was recently described by researchers at SentinelLabs (which is owned by security firm SentinelOne), sent messages that "often [took] the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery," with the goal of stealing customers' payment card details, addresses and other personally identifiable information.

SentinelLabs identified the culprit as a Python-based script called "SNS Sender." Its success relies on access to compromised AWS SNS credentials from accounts that have opted out of AWS' SNS sandbox security measures. It may be the first such script to do so, based on the researchers' findings.

"SNS Sender is the first script we encountered using AWS SNS to send spam texts," they said in a blog post last week. "While other tools like AlienFox have used business to customer (B2C) communications platforms such as Twilio to conduct SMS spamming attacks, we are unaware of existing research that details tools abusing AWS SNS to conduct such attacks."

The attack only works if the AWS SNS account holder is not using the protected sandbox option. The SNS sandbox, which AWS implements by default, lets users test their SMS messages by first sending them to a limited number of verified recipients. That limit only gets removed after the account holder petitions AWS to move out of the sandbox and into production.

More detailed information about SNS Sender's inner workings is in the SentinelLabs blog. To protect their AWS SNS credentials, account holders should review AWS' guidance for moving out of the sandbox and "how to change sending limits," the researchers recommend.

In addition, "Identity and Access Management (IAM) administrators should review identity best practices to optimize their organization's security posture," the report suggested.
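As an added example (not from the SentinelLabs report or this article), the following Python sketch shows how an administrator could inventory which regions of an account have left the SNS SMS sandbox and what sending limit applies there. It relies on the boto3 SNS client calls `get_sms_sandbox_account_status` and `get_sms_attributes`; the review threshold, the stub client and the sample regions are assumptions constructed so the example runs offline.

```python
SPEND_REVIEW_USD = 1.0  # assumed threshold above which a spend limit is flagged


def audit_sns_sms(client, region):
    """Return findings for one region's SNS SMS settings.

    `client` is anything exposing the two boto3 SNS client calls used below.
    """
    if client.get_sms_sandbox_account_status()["IsInSandbox"]:
        return []  # sandbox: SMS only reaches verified destination numbers
    attrs = client.get_sms_attributes().get("attributes", {})
    findings = [f"{region}: SMS sending is out of the sandbox"]
    limit = float(attrs.get("MonthlySpendLimit") or 0)
    if limit > SPEND_REVIEW_USD:
        findings.append(f"{region}: monthly SMS spend limit is {limit:.2f} USD")
    if not attrs.get("DeliveryStatusIAMRole"):
        findings.append(f"{region}: no SMS delivery status logging role set")
    return findings


class StubSNS:
    """Constructed stand-in for boto3.client('sns'), so the example runs offline."""

    def __init__(self, in_sandbox, attributes):
        self._in_sandbox, self._attributes = in_sandbox, attributes

    def get_sms_sandbox_account_status(self):
        return {"IsInSandbox": self._in_sandbox}

    def get_sms_attributes(self):
        return {"attributes": self._attributes}


# Constructed sample accounts, not real data.
SAMPLE = {
    "us-east-1": StubSNS(True, {"MonthlySpendLimit": "1"}),
    "us-west-2": StubSNS(False, {"MonthlySpendLimit": "500"}),
}

if __name__ == "__main__":
    # With real credentials, pass boto3.client("sns", region_name=region) instead.
    for region, client in SAMPLE.items():
        for finding in audit_sns_sms(client, region):
            print(finding)
```

Regions flagged as out of the sandbox are the ones where leaked SNS credentials could be used for bulk SMS, so they are the first place to tighten sending limits and IAM permissions.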

The full report is available here on the SentinelLabs site.

About the Author

Gladys Rama (@GladysRama3) is the editorial director of Converge360.
