ClickCease AWS SNS Bulk Smishing: Protect Systems From Exploitation

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

AWS SNS Bulk Smishing: Protect Systems From Exploitation

Wajahat Raja

March 5, 2024 - TuxCare expert team

In recent cybersecurity developments, a malevolent Python script named SNS Sender has surfaced as a tool for threat actors to conduct bulk smishing attacks by exploiting the Amazon Web Services (AWS) Simple Notification Service (SNS). The AWS SNS bulk smishing threat has been linked to a threat actor named ARDUINO_DAS, with security researchers uncovering a concerning pattern of SMS phishing messages aimed at capturing victims’ sensitive information.  In this blog, we will Explore the security implications of AWS SNS bulk messaging.


AWS SNS Bulk Smishing Tactics

According to a recent report by
SentinelOne, these smishing scams often masquerade as messages from reputable entities, with a common guise being notifications from the United States Postal Service (USPS) regarding a missed package delivery. 

The goal of the AWS SNS phishing incident is to lure recipients into clicking on malicious links embedded in the messages, leading to the compromise of personally identifiable information (PII) and payment card details.

SNS Sender: A Disturbing Innovation


What makes the AWS SNS bulk smishing threat particularly noteworthy is the utilization of SNS Sender as the first observed tool in the wild, leveraging AWS SNS for SMS spamming attacks. The malicious script requires a list of phishing links, AWS access keys, target phone numbers, message content, and sender IDs.

Notably, the inclusion of sender IDs is crucial, varying in importance across countries. For instance, while carriers in the United States don’t support sender IDs, carriers in India require their use, indicating the likely origin of the SNS Sender author.


Links to Phishing Kits and Long-Term Activity

SentinelOne identified more than
150 phishing kits associated with ARDUINO_DAS available for sale, indicating a well-established threat landscape. Evidence suggests that the AWS SNS smishing attack may have been active since at least July 2022, as reflected in bank logs referencing ARDUINO_DAS shared on carding forums like Crax Pro.

Phishing Kit Specifics

The majority of these phishing kits adopt a USPS theme, directing users to counterfeit package tracking pages. These pages prompt unsuspecting victims to enter personal and credit/debit card information, as documented by security researcher @JCyberSec_ on X in early September 2022. The concerning question arises: are the deploying actors aware of hidden backdoors within these kits, sending logs to unauthorized locations?

AWS SNS Security Risks

This development aligns with the ongoing trend of commodity threat actors exploiting cloud environments for
smishing campaigns. In April 2023, Permiso exposed an activity cluster that exploited previously exposed AWS access keys to infiltrate AWS servers, employing SNS for sending SMS messages.

The Evolving Landscape of Threats


The discovery of a new dropper, TicTacToe, adds to the growing list of threats sold as services to threat actors. Observed throughout 2023, TicTacToe facilitates the propagation of various information stealers and remote access trojans (RATs) targeting Windows users. Fortinet FortiGuard Labs highlighted its deployment through a four-stage infection chain that starts with an ISO file embedded within email messages.

Innovative Tactics and Lessons Learned

Threat actors continue to innovate their tactics, such as the use of advertising networks to orchestrate effective spam campaigns, exemplified by
DarkGate. HP Wolf Security revealed that threat actors utilize advertising networks to proxy links, evading detection and capturing analytics about their victims. 

Additionally, the misuse of legitimate platforms like Discord to distribute malware has become increasingly common, prompting organizations to adapt their security measures.


As the cybersecurity landscape evolves, it is imperative for organizations and individuals alike to stay vigilant against emerging threats like the
AWS SNS security breach. The exploitation of AWS for bulk smishing underscores the need for robust security measures and a proactive approach to stay one step ahead of threat actors. Understanding the evolving tactics and leveraging the lessons learned from the AWS SNS bulk smishing threat will be crucial in safeguarding digital environments from the ever-growing spectrum of cyber threats.

The sources for this piece include articles in The Hacker News and SentinelOne

AWS SNS Bulk Smishing: Protect Systems From Exploitation
Article Name
AWS SNS Bulk Smishing: Protect Systems From Exploitation
Discover the latest on AWS SNS bulk smishing exploits. Learn how to safeguard against threats and secure your environment today.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter