Cybercriminals exploit SVB collapse to steal money and data

The Silicon Valley Bank (SVB) collapse on March 10, 2023 has sent turmoil across the global financial system, but for hackers, scammers, and phishing campaigns, it is turning out to be a golden opportunity.

As several security researchers report, threat actors are already registering suspicious domains, running phishing pages, and preparing for business email compromise (BEC) attacks.

These campaigns aim to steal money, steal account data, or infect targets with malware.

SVB is going away

SVB was a US-based commercial bank, the 16th largest in the country and the largest bank by deposits in Silicon Valley, California.

On March 10, 2023, the bank failed after a run on its deposits. This failure was the largest of any bank since the 2007-2008 financial crisis and the second largest in US history.

This event has impacted many companies and individuals in the technology, life sciences, healthcare, private equity, venture capital, and premium wine industries who were clients of SVB.

The chaotic situation is further aggravated by the prevailing elements of urgency, uncertainty and the significant amounts of money deposited in the bank.

Scammers seize the opportunity

Security researcher Johannes Ulrich reported yesterday that threat actors are seizing the opportunity, registering suspicious SVB-related domains that are highly likely to be used in attacks.

Daily Suspicious Domain Registration Fees
Daily Suspicious Domain Registration Fees (SAN ISC)

Some of the examples given in a report published on the SANS ISC website include:

  • login-svb[.]com
  • svbbailout[.]com
  • svb certificates[.]com
  • svbclaim[.]com
  • svbcollapse[.]com
  • svbdeposits[.]com
  • svbahelp[.]com
  • demand[.]com

Ulrich warned that scammers could try to contact former SVB clients to offer them a support package, legal services, loans or other bogus services related to the bank’s collapse.

One attack that has already been seen in the wild comes from BEC threat actors posing as SVB customers and telling customers that they need payments to be sent to a new bank account after the bank collapses.

However, these bank accounts belong to the threat actors, who steal the payments intended for the legitimate company.

Complaint about an SVB-themed BEC attempt
Complaint about an SVB-themed BEC attempt (Mastodon)

Cyberintelligence firm Cyble released a similar report today exploring the development of SVB-themed threats and warning of these additional domains:

  • svbdeuda[.]com
  • svbclaims[.]net
  • svb-usdc[.]com
  • svb-usdc[.]net
  • svbi[.]I
  • banksvb[.]com
  • svbank[.]com
  • svblogin[.]com

Many of these sites registered on the day of the bank collapse, March 10, 2023, and already host cryptocurrency scams.

These fraudulent pages tell SVB customers that the bank is distributing USDC as part of a “payment” program.

“March 13, 2023 – Silicon Valley Bank is actively distributing USDC as part of SVB’s USDC redemption program to eligible USDC holders. USDC payments can only be claimed once per wallet,” cryptocurrency scam claims .

However, clicking the site’s “Click Here to Claim” button brings up a QR code attempting to compromise Metamask, Exodus, and Trust Wallet crypto wallets when scanned.

Scam Crypto Rewards Page
Scam Crypto Rewards Page (Cyble)

In another case, the threat actors behind “” attempt to impersonate the contact information of former SVB customers who are trade creditors or lenders, promising them a 65-85% return.

Phishing page using a refund lure
Phishing page using a refund lure (Cyble)

circular scams

Peer-to-peer payments firm Circle, which runs the popular USDC stablecoin, had a cash reserve of $3.3 billion at SVB bank. However, the collapse of SVB has created uncertainty despite company assurances about USDC liquidity.

This uncertainty has led to the creation of a network of cryptocurrency scam sites using website domains such as:

  • redeemed circle[.]com
  • circle-reserves[.]com
  • circleusdcoin[.]com
  • circle-mintusdc[.]com
  • svb-circle[.]com
  • circle.web3claimer[.]net
  • usd-circle[.]com
Fake Circle Rewards Page
Fake Circle Rewards Page (Cyble)

These websites have no actual affiliation with Circle and their sole purpose is to steal their visitors’ wallets, digital assets, or personal data.

Email security firm Proofpoint also spotted Circle scams stemming from the SVB events, sharing On twitter a sample of phishing emails sent to targets.

Scam Email Circle
Circle Theme Scam Email (test point)

If you are a former SVB customer, the best thing to do is to remain calm and follow the official channels of communication from the US government and the FDIC.

Ignore any email from unusual domains and triple check any requests from so-called SVB bank customers asking you to change bank account details for payments.

The best method to confirm payment changes is to contact your contact by phone, not email, as email accounts can be compromised during these attacks.

Source link

James D. Brown
James D. Brown
Articles: 7753