SVB Customers - Fraud Targets

Cybercriminals have started taking advantage of Silicon Valley Bank’s (SVB) downfall to carry out scams that can steal money and bank account information or infect customers’ systems with malware.  SVB was shut down on 10 March 2023 by the California Department of Financial Protection and Innovation and the Feds after the bank failed to raise capital to keep running.[1]

See:  https://redskyalliance.org/xindustry/svb-bank-run-not-good

SVB customers are expected to transfer their financial operations to other banks in the coming weeks.  This means these customers will receive notifications including the new bank account numbers from their new bank.  Hackers are using this as an opportunity by posing as banks and carrying out phishing and business email compromise (BEC) campaigns, targeting SVB customers.

Security researchers have found that threat actors have already registered suspicious domains and pages to carry out the attacks.  Some of the suspicious websites that have emerged are:

These domains are presented according to Cyble Research & Intelligence Labs (CRIL).  Some websites emerged immediately after the collapse of SVB.  On 13 March 2023, the Department of the Treasury, Federal Reserve, and FDIC issued a joint statement to safeguard all depositors’ funds and ensure access to their money.

However, despite being a relief for affected depositors, threat actors have started using this announcement to launch their malicious campaigns.  The SVB collapse entices threat actors as it involves a lot of money and creates a sense of urgency and uncertainty.  Many companies and individuals employed by companies have questions about how to pay urgent bills.  Will my employer be able to make payroll?  Is there anything I need to do right now?  For many, it isn't clear how to communicate with SVB, what website to use, or what emails to expect (or where they will come from).

It is not just the registration of suspicious domains; the threat actors have also begun carrying out other scams.  Several cryptocurrency scams have already been identified.  In one such scam analyzed by security researchers, phishing sites such as svb-usdc[.]com and svb-usdc[.]net have set up bogus USDC reward programs.  The sites claim the bank distributes USDC as part of the SVB USDC payback program to eligible USDC holders.  USDC, or the USD Coin, is a digital stablecoin pegged to the US dollar.  The scammers aim to steal cryptocurrency from the victim’s account by offering them free USDC.

On the phishing site, once the user clicks on “click here to claim”, a QR code is displayed.  The user is instructed to scan the QR code using any cryptocurrency wallet, such as Trust, Metamask, or Exodus.  However, scanning the code will compromise the user’s wallet account, per investigators following the cyber threat actors.

Similar phishing sites that carry out the same malicious activity were observed soon after Circle, the issuer of USD coins, announced that they held $3.3 billion worth of USDC with SVB and would resume their operations.  The phishing sites pretended to be Circle and lured victims, promoting a deal of one (1) USDC for $1.00.

In addition to cryptocurrency scams, BEC scams have also surfaced, targeting SVB customers.  SVB customers are receiving new non-SVB account details from their existing vendors to facilitate payments.  However, these account details actually belong to the threat actors, and if the customer transfers the payment to the account, they will likely never see the money again.  Other users have also reported similar scams on platforms such as Mastodon, Twitter, and LinkedIn.

SVB customers need to be vigilant about these attacks.  Experts are advising that customers directly contact their vendors before changing any account details and not rely purely on emails for any such change requests.  Due to the recent news (true and otherwise) surrounding the collapse of SVB, which will have long-lasting effects on affected organizations, these entities are likely to become targets for cyber threat actors who may use malware and phishing attacks to victimize them.
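
As an added illustration (not part of the original article or of any Red Sky Alliance or CRIL tooling), the sketch below shows how a defender might triage newly observed domains for the pattern reported above: the bank's short name combined with a lure such as a USDC payout. The lure list, the allowlist entry and every sample domain except the two svb-usdc names quoted in the article are assumptions made for the example.

```python
import re

BRAND = "svb"
# Lure words chosen for this example from the themes the article describes.
LURES = {"claim", "claims", "login", "bailout", "usdc", "refund", "payback"}
# Assumption: the bank's own verified domain(s); maintain your own list.
ALLOWLIST = {"svb.com"}

def normalise(domain):
    """Lowercase, undo [.] defanging, drop any scheme, path and trailing dot."""
    d = domain.strip().lower().replace("[.]", ".")
    d = re.sub(r"^[a-z]+://", "", d).split("/")[0]
    return d.rstrip(".")

def triage(domain):
    """Return (verdict, reasons); verdict is allow, high, review or ignore."""
    d = normalise(domain)
    # Match the allowlist on a label boundary, so "notsvb.com" does not pass.
    if any(d == a or d.endswith("." + a) for a in ALLOWLIST):
        return "allow", []
    reasons, lure_seen = [], False
    for label in d.split(".")[:-1]:      # skip the TLD; no public-suffix list
        if BRAND not in label:
            continue
        # Whatever remains once the brand string is cut out of the label.
        rest = {p for p in label.replace(BRAND, "-").split("-") if p}
        lures = sorted(rest & LURES)
        if lures:
            lure_seen = True
            reasons.append(f"{label}: brand + {'/'.join(lures)}")
        else:
            reasons.append(f"{label}: contains brand")
    if not reasons:
        return "ignore", []
    return ("high" if lure_seen else "review"), reasons

# Constructed sample feed; only the two svb-usdc names come from the article.
SAMPLES = [
    "svb-usdc[.]com", "svb-usdc[.]net", "online.svb.com",
    "https://SVB-Refund.example/claim", "svb.com.verify-account.example",
    "notsvb.com", "example.org",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:40} {triage(s)}")
```

Domains scored high or review are candidates for mail-gateway and DNS blocklists once an analyst has confirmed them.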

 

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com             

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989  

 

[1] https://www.oodaloop.com/technology/2023/03/15/cybercriminals-target-svb-customers-with-bec-and-cryptocurrency-scams/
