After news broke late last week about Silicon Valley Bank’s bank run and collapse, security researchers started warning SVB account holders about incoming SVB-related scams and phishing attempts.
Another reminder: just because caller ID says FDIC, SVB, or a phone number you trust, it doesn’t mean the call is for sure legit. Caller ID can be spoofed — we can make caller ID display any phone number when placing a call. Use another method of pic.twitter.com/HZQfoo6WDm… https://t.co/QOF3xDNzJC
— Rachel Tobac (@RachelTobac) March 11, 2023
Expect different threat actors to exploit the current situation with SVB. Started to see some infrastructure being setup that could be used for phishing / scams. login-svb[.]com cash4svb[.]com svbclaim[.]com svbdebt[.]com pic.twitter.com/rn9ltBsxDU
— Jaime Blasco (@jaimeblascob) March 12, 2023
New domain registrations relating to Silicon Valley Bank are emerging. Some could be #phishing campaigns. Listed below is what we’re seeing now. Keep in mind not all are scammy, and not all scammy domains targeting SVB will have SVB-related terms: https://t.co/mHjfZQIQAf pic.twitter.com/Au7AbA0GhX
— SecuritySnacks (@SecuritySnacks) March 13, 2023
Proofpoint researchers flagged a campaign using messages supposedly coming from several cryptocurrency brands, trying to trick users into installing a Smart Contract that would transfer the contents of their wallet to the attacker’s wallet.
“Once Circle announced they had cash reserves in SVB, the threat actor started spoofing the fintech company, using a lure that promised the victim could redeem USDC to USD at 1:1 rate,” they noted.
Then there’s this email campaign spotted by INKY:
“Several INKY users received fake DocuSign notifications that appeared to come from Silicon Valley Bank. All phishing emails were spoofed to look like they came from dse_na2@docusign[.]net, the real and legitimate sending email address for DocuSign notifications. An examination of email headers revealed that these attacks actually come from several virtual private servers associated with newly created domains,” the company says.
Clicking on the “Review Documents” button takes users through a few redirects and finally to a clone of the legitimate Microsoft login page, designed to send the entered login credentials to the bad actors. (The same phishing campaign seems to have been documented by Cloudflare, after it targeted the company CEO.)
Scammy sites have been popping up:
— Guardio (@GuardioSecurity) March 16, 2023
What to do?
Mitiga CTO Ofer Maor has provided advice for companies that banked with SVB on how to safeguard themselves, their customers and suppliers, by increasing security awareness, making sure their processes around payment changes are robust, and by setting up additional monitoring of both account activity (phishing) and financial activity (BEC scams).
Jennifer Zeman, Head of Email Security Product Management at Symantec, has also provided pointers for both email security teams and finance departments.