AWS SNS Phishing Scams

Ever wonder where those toll booth phishing scam texts are coming from?
If you are using SNS, it's possible they are coming from your AWS account.
https://docs.aws.amazon.com/sns/latest/dg/sns-mobile-phone-number-as-subscriber.html
How it works:
It can start off with something as simple as a bastion or EC2 instance getting jacked. If you didn't really dial in the permissions on the role you assigned to that instance, then once an attacker has SSH access to it they can make requests with the same permissions as that role.
Leaked AWS creds with the right permissions can do the same thing, but you're probably sick of me constantly reminding you not to hard-code your credentials and to use IAM Identity Center to force MFA when using the AWS CLI, so I will move on quickly.
Detecting It:
Keep an eye on your SNS metrics.
Check CloudTrail to see what you are sending.
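One way to run the CloudTrail check, as an added example (not code from this post): it lists SMS-related SNS calls made by EC2 instance role sessions. It relies only on SNS management events and does not assume `Publish` calls are present in your trail; the choice of actions, the `_rec` helper, and the sample records are constructed for illustration.

```python
from collections import defaultdict

# SNS actions that touch SMS delivery (real SNS API names; the selection is this example's choice).
SMS_ACTIONS = {"SetSMSAttributes", "GetSMSAttributes", "GetSMSSandboxAccountStatus",
               "CreateSMSSandboxPhoneNumber", "VerifySMSSandboxPhoneNumber"}

def is_sms_related(rec):
    """True for SNS calls that configure SMS or subscribe a phone number."""
    if rec.get("eventSource") != "sns.amazonaws.com":
        return False
    params = rec.get("requestParameters") or {}
    if rec.get("eventName") == "Subscribe":
        return str(params.get("protocol", "")).lower() == "sms"
    return rec.get("eventName") in SMS_ACTIONS

def instance_session(rec):
    """Return the instance ID when the caller is an EC2 instance role session, else None."""
    ident = rec.get("userIdentity") or {}
    if ident.get("type") != "AssumedRole":
        return None
    session = ident.get("arn", "").rsplit("/", 1)[-1]  # session name is the instance ID
    return session if session.startswith("i-") else None

def sms_calls_by_instance(records):
    """Map instance ID -> list of (eventTime, eventName, sourceIPAddress, errorCode)."""
    hits = defaultdict(list)
    for rec in records:
        inst = instance_session(rec)
        if inst and is_sms_related(rec):
            hits[inst].append((rec.get("eventTime"), rec.get("eventName"),
                               rec.get("sourceIPAddress"), rec.get("errorCode")))
    return dict(hits)

def _rec(name, session, params=None, ip="203.0.113.7"):
    # Constructed CloudTrail-style record carrying only the fields used above.
    return {"eventSource": "sns.amazonaws.com", "eventName": name,
            "eventTime": "2024-01-01T00:00:00Z", "sourceIPAddress": ip,
            "requestParameters": params, "userIdentity": {"type": "AssumedRole",
            "arn": f"arn:aws:sts::111122223333:assumed-role/app-role/{session}"}}

SAMPLE = [  # constructed sample, not real log data
    _rec("GetSMSSandboxAccountStatus", "i-0123456789abcdef0"),
    _rec("Subscribe", "i-0123456789abcdef0", {"protocol": "sms"}),
    _rec("Subscribe", "i-0123456789abcdef0", {"protocol": "email"}),
    _rec("SetSMSAttributes", "deploy-session"),  # not an instance session
]

if __name__ == "__main__":
    print(sms_calls_by_instance(SAMPLE))
```

To use it on real data, pass in the `Records` list from a CloudTrail log file. An instance role that has no business sending texts should return nothing.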
Need a hand?
Think you might be part of the spam text message problem? Do you just want a quick checkup to be sure? Feel free to reach out to me. This is what I do for a living.
~Cheers!