Smishing – INDIA NEWS (http://www.indiavpn.org)

Malicious ‘SNS Sender’ Script Abuses AWS for Bulk Smishing Attacks
http://www.indiavpn.org/2024/02/16/malicious-sns-sender-script-abuses-aws-for-bulk-smishing-attacks/
Fri, 16 Feb 2024 14:13:49 +0000

Feb 16, 2024 | Newsroom | Cyber Threat / Cloud Security


A malicious Python script known as SNS Sender is being advertised as a way for threat actors to send bulk smishing messages by abusing Amazon Web Services (AWS) Simple Notification Service (SNS).

The SMS phishing messages propagate malicious links designed to capture victims’ personally identifiable information (PII) and payment card details, SentinelOne said in a new report, attributing the tool to a threat actor named ARDUINO_DAS.

“The smishing scams often take the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery,” security researcher Alex Delamotte said.

SNS Sender is also the first tool observed in the wild that leverages AWS SNS to conduct SMS spamming attacks. SentinelOne said that it identified links between ARDUINO_DAS and more than 150 phishing kits offered for sale.

The malware requires a list of phishing links stored in a file named links.txt in its working directory, in addition to a list of AWS access keys, the phone numbers to target, the sender ID (aka display name), and the content of the message.


The mandatory inclusion of sender ID for sending the scam texts is noteworthy because support for sender IDs varies from country to country. This suggests that the author of SNS Sender is likely from a country where the sender ID is a conventional practice.

“For example, carriers in the United States don’t support sender IDs at all, but carriers in India require senders to use sender IDs,” Amazon says in its documentation.

There is evidence to suggest that this operation may have been active since at least July 2022, going by bank logs containing references to ARDUINO_DAS that have been shared on carding forums like Crax Pro.

The vast majority of the phishing kits are USPS-themed, with the campaigns directing users to bogus package tracking pages that prompt them to enter their personal and credit/debit card information, as documented by security researcher @JCyberSec_ on X (formerly Twitter) in early September 2022.

“Do you think the deploying actor knows all the kits have a hidden backdoor sending the logs to another place?,” the researcher further noted.

If anything, the development represents commodity threat actors’ ongoing attempts to exploit cloud environments for smishing campaigns. In April 2023, Permiso revealed an activity cluster that took advantage of previously exposed AWS access keys to infiltrate AWS servers and send SMS messages using SNS.

The findings also follow the discovery of a new dropper codenamed TicTacToe that’s likely sold as a service to threat actors and has been observed being used to propagate a wide variety of information stealers and remote access trojans (RATs) targeting Windows users throughout 2023.

Fortinet FortiGuard Labs, which shed light on the malware, said it’s deployed by means of a four-stage infection chain that starts with an ISO file embedded within email messages.

Another relevant example of threat actors continuously innovating their tactics concerns the use of advertising networks to stage effective spam campaigns and deploy malware such as DarkGate.


“The threat actor proxied links through an advertising network to evade detection and capture analytics about their victims,” HP Wolf Security said. “The campaigns were initiated through malicious PDF attachments posing as OneDrive error messages, leading to the malware.”

The infosec arm of the PC maker also highlighted the misuse of legitimate platforms like Discord to stage and distribute malware, a trend that has become increasingly common in recent years and that prompted Discord to switch to temporary file links by the end of last year.

“Discord is known for its robust and reliable infrastructure, and it is widely trusted,” Intel 471 said. “Organizations often allowlist Discord, meaning that links and connections to it are not restricted. This makes its popularity among threat actors unsurprising given its reputation and widespread use.”

Chinese-Speaking Hackers Pose as UAE Authority in Latest Smishing Wave
http://www.indiavpn.org/2023/12/24/chinese-speaking-hackers-pose-as-uae-authority-in-latest-smishing-wave/
Sun, 24 Dec 2023 11:59:07 +0000

Dec 20, 2023 | Newsroom | Identity Theft / SMS Phishing


The Chinese-speaking threat actors behind Smishing Triad have been observed masquerading as the United Arab Emirates Federal Authority for Identity and Citizenship to send malicious SMS messages with the ultimate goal of gathering sensitive information from residents and foreigners in the country.

“These criminals send malicious links to their victims’ mobile devices through SMS or iMessage and use URL-shortening services like Bit.ly to randomize the links they send,” Resecurity said in a report published this week. “This helps them protect the fake website’s domain and hosting location.”

Smishing Triad was first documented by the cybersecurity company in September 2023, highlighting the group’s use of compromised Apple iCloud accounts to send smishing messages for carrying out identity theft and financial fraud.


The threat actor is also known to offer ready-to-use smishing kits for sale to other cybercriminals for $200 a month, alongside engaging in Magecart-style attacks on e-commerce platforms to inject malicious code and pilfer customer data.

“This fraud-as-a-service (FaaS) model enables ‘Smishing Triad’ to scale their operations by empowering other cybercriminals to leverage their tooling and launch independent attacks,” Resecurity noted.

The latest attack wave uses harmful messages to target individuals who have recently updated their residence visas. The smishing campaign reaches both Android and iOS devices, with the operators likely using SMS spoofing or spam services to perpetrate the scheme.

Recipients who click on the link embedded in the message are taken to a bogus, lookalike website (“rpjpapc[.]top”) impersonating the UAE Federal Authority for Identity, Citizenship, Customs and Port Security (ICP), which prompts them to enter personal information such as names, passport numbers, mobile numbers, addresses, and card details.


What makes the campaign noteworthy is the use of a geofencing mechanism to load the phishing form only when visited from UAE-based IP addresses and mobile devices.

“The perpetrators of this act may have access to a private channel where they obtained information about UAE residents and foreigners living in or visiting the country,” Resecurity said.

“This could be achieved through third-party data breaches, business email compromises, databases purchased on the dark web, or other sources.”

Smishing Triad’s latest campaign coincides with the launch of a new underground market known as OLVX Marketplace (“olvx[.]cc”) that operates on the clear web and claims to sell tools to carry out online fraud, such as phish kits, web shells, and compromised credentials.


“While the OLVX marketplace offers thousands of individual products across numerous categories, its site administrators maintain relationships with various cybercriminals who create custom toolkits and can obtain specialized files, thereby furthering OLVX’s ability to maintain and attract customers to the platform,” ZeroFox said.

Cyber Criminals Misuse Predator Bot Detection Tool for Phishing Attacks

The disclosure comes as Trellix revealed how threat actors are leveraging Predator, an open-source tool designed to combat fraud and identify requests originating from automated systems, bots, or web crawlers, as part of various phishing campaigns.

The starting point of the attack is a phishing email sent from a previously compromised account and containing a malicious link, which, when clicked, checks if the incoming request is coming from a bot or a crawler, before redirecting to the phishing page.

The cybersecurity firm said it identified various artifacts where the threat actors repurposed the original tool by providing a list of hard-coded links as opposed to generating random links dynamically upon detecting a visitor is a bot.

“Cyber criminals are always looking for new ways to evade detection from organizations’ security products,” security researchers Vihar Shah and Rohan Shah said. “Open-source tools such as these make their task easier, as they can readily use these tools to avoid detection and more easily achieve their malicious goals.”
