The Silicon Valley Bank (SVB) collapse on March 10, 2023 has sent turmoil across the global financial system, but for hackers, scammers, and phishing campaigns, it is turning out to be a golden opportunity.
As several security researchers report, threat actors are already registering suspicious domains, running phishing pages, and preparing for business email compromise (BEC) attacks.
These campaigns aim to steal money, steal account data, or infect targets with malware.
SVB is going away
SVB was a US-based commercial bank, the 16th largest in the country and the largest bank by deposits in Silicon Valley, California.
On March 10, 2023, the bank failed after a run on its deposits. This failure was the largest of any bank since the 2007-2008 financial crisis and the second largest in US history.
This event has impacted many companies and individuals in the technology, life sciences, healthcare, private equity, venture capital, and premium wine industries who were clients of SVB.
The chaotic situation is further aggravated by the prevailing elements of urgency, uncertainty and the significant amounts of money deposited in the bank.
Scammers seize the opportunity
Security researcher Johannes Ulrich reported yesterday that threat actors are seizing the opportunity, registering suspicious SVB-related domains that are highly likely to be used in attacks.
Some of the examples given in a report published on the SANS ISC website include:
- login-svb[.]com
- svbbailout[.]com
- svb certificates[.]com
- svbclaim[.]com
- svbcollapse[.]com
- svbdeposits[.]com
- svbahelp[.]com
- demand[.]com
Ulrich warned that scammers could try to contact former SVB clients to offer them a support package, legal services, loans or other bogus services related to the bank’s collapse.
One attack that has already been seen in the wild comes from BEC threat actors posing as SVB customers and telling customers that they need payments to be sent to a new bank account after the bank collapses.
However, these bank accounts belong to the threat actors, who steal the payments intended for the legitimate company.
Cyberintelligence firm Cyble released a similar report today exploring the development of SVB-themed threats and warning of these additional domains:
- svbdeuda[.]com
- svbclaims[.]net
- svb-usdc[.]com
- svb-usdc[.]net
- svbi[.]I
- banksvb[.]com
- svbank[.]com
- svblogin[.]com
Many of these sites registered on the day of the bank collapse, March 10, 2023, and already host cryptocurrency scams.
These fraudulent pages tell SVB customers that the bank is distributing USDC as part of a “payment” program.
“March 13, 2023 – Silicon Valley Bank is actively distributing USDC as part of SVB’s USDC redemption program to eligible USDC holders. USDC payments can only be claimed once per wallet,” cryptocurrency scam claims .
However, clicking the site’s “Click Here to Claim” button brings up a QR code attempting to compromise Metamask, Exodus, and Trust Wallet crypto wallets when scanned.
In another case, the threat actors behind “cash4svb.com” attempt to impersonate the contact information of former SVB customers who are trade creditors or lenders, promising them a 65-85% return.
circular scams
Peer-to-peer payments firm Circle, which runs the popular USDC stablecoin, had a cash reserve of $3.3 billion at SVB bank. However, the collapse of SVB has created uncertainty despite company assurances about USDC liquidity.
This uncertainty has led to the creation of a network of cryptocurrency scam sites using website domains such as:
- redeemed circle[.]com
- circle-reserves[.]com
- circleusdcoin[.]com
- circle-mintusdc[.]com
- svb-circle[.]com
- circle.web3claimer[.]net
- usd-circle[.]com
These websites have no actual affiliation with Circle and their sole purpose is to steal their visitors’ wallets, digital assets, or personal data.
Email security firm Proofpoint also spotted Circle scams stemming from the SVB events, sharing On twitter a sample of phishing emails sent to targets.
If you are a former SVB customer, the best thing to do is to remain calm and follow the official channels of communication from the US government and the FDIC.
Ignore any email from unusual domains and triple check any requests from so-called SVB bank customers asking you to change bank account details for payments.
The best method to confirm payment changes is to contact your contact by phone, not email, as email accounts can be compromised during these attacks.
