Security firms are warning that cybercriminals are preparing to take advantage of the disruption surrounding the collapse and closure of Silicon Valley Bank (SVB).
BEC attacks are expected.
Johannes Ullrich of the SANS Institute is tracking an increase in newly registered SVB-related domains, including “login-svb[.]com”, “svbbailout[.]com”, “svbcertificates[.]com.” It’s unclear how many of these domains were created by scammers, but Ullrich expects to see business email compromise (BEC) attacks take advantage of the situation for several reasons:
- “It’s about a lot of money.
- “Urgency: Many companies and people employed by companies have doubts about how to pay urgent bills. Will my employer be able to do the payroll? Is there something I should do now?
- “Uncertainty: For many, it is unclear how to contact SVB, which website to use, or which emails to expect (or where they will come from?)”
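A way to triage a feed of newly registered domains for SVB lookalikes such as those Ullrich lists, as an added example that is not from the article or from SANS. The official domain `svb.com`, the brand tokens, the extra lure words and the `.example` feed entries are assumptions made for illustration.

```python
import re

OFFICIAL = {"svb.com"}                    # assumption: the bank's own registrable domain
BRANDS = ("svb", "siliconvalleybank")     # assumed brand tokens to watch for
# "login", "bailout" and "certificate" come from the domains quoted above; the rest are assumed.
LURES = ("login", "bailout", "certificate", "payroll", "refund", "wire")

def refang(indicator):
    """Turn a defanged indicator (login-svb[.]com, hxxps://...) into a bare hostname."""
    host = indicator.strip().lower().replace("[.]", ".")
    host = re.sub(r"^h(xx|tt)ps?://", "", host)
    return host.split("/")[0].rstrip(".")

def registrable(host):
    """Last two labels only; production code should consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def triage(indicator):
    """Return a finding for a brand-lookalike host, or None if nothing matches."""
    host = refang(indicator)
    if registrable(host) in OFFICIAL:
        return None                       # the bank's own domain and its subdomains
    tokens = [t for t in re.split(r"[.\-_]", host) if t]
    # Match the brand only at a token boundary so "devsvbuild" does not fire on "svb".
    if not any(t.startswith(b) or t.endswith(b) for t in tokens for b in BRANDS):
        return None
    lures = sorted(w for w in LURES if w in host)
    return {"host": host, "priority": "high" if lures else "review", "lures": lures}

def scan(feed):
    """Triage every indicator in the feed and keep only the findings."""
    return [f for f in map(triage, feed) if f]

# First three entries are the domains quoted in the article; the rest are constructed.
FEED = [
    "login-svb[.]com", "svbbailout[.]com", "svbcertificates[.]com",
    "www.svb.com", "devsvbuild[.]example",
    "hxxps://svb.com.account-update[.]example/kyc",
]

if __name__ == "__main__":
    for finding in scan(FEED):
        print(finding["priority"], finding["host"], finding["lures"])
```

The last feed entry shows why the comparison is made on the registrable domain: a host that merely begins with `svb.com` is still flagged, while the bank's real subdomains are not.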
Likewise, Ofer Maor, Mitiga’s CTO, warns that BEC scammers are going to exploit the countless money transfers that will take place over the next few weeks:
“We expect an increase in BEC attacks taking advantage of the current situation. Tell your finance team! In the coming days and weeks, many organizations will be changing their primary bank account, following the current situation at Silicon Valley Bank. This is especially relevant for SaaS providers (and customers).
“During this time, we are going to see many finance teams bombarded with account change requests and requests to urgently change transfer destinations. This chaos feeds the attackers. It makes it much easier for attackers to launch commercial email compromise attacks, request account changes, which will be processed as part of this situation, and take advantage of the confusion and chaos in the marketplaces.
“We strongly recommend that you alert your finance teams to be very careful with all incoming and outgoing account change requests, and to reiterate the procedures you have for external verification of new accounts.”
Arctic Wolf offers the following recommendations to help users avoid falling for these attacks:
- “Make sure users know how to identify a phishing email and where to report it.
- “Provide examples of what users can expect and remind them to stay tuned when they receive an email from an unknown or external source.
- “Watch out for messages that create a sense of urgency and ask you to do something quickly, especially regarding SVB.
- “Keep in mind that threat actors may use personal social media accounts or text messages to contact you.
- “Please review the policies to verify any changes to existing invoices, bank deposit information, and contact information.”
(Added, 6:00 pm ET, March 14, 2023. Tonia Dudley, CISO at Cofense, wrote to offer observations on the risk of opportunistic social engineering:
“The recent collapse of Silicon Valley Bank (SVB) has caused a ripple effect throughout the tech industry, as threat actors are using this as an opportunity to steal money, access account data, and infect targets with malware. Cybercriminals are conducting phishing and commercial email (BEC) campaigns, posing a significant security risk to SVB and former customers as BEC is estimated to amount to an annual loss of more than $500 billion for fraud.
“Businesses should be well-equipped to recognize potential dangers by understanding when it’s okay to share credentials and reporting any errors to the security team. Organizations should also employ two-factor authentication or secondary security controls to validate requests for changes to security information.” account and maintain system updates. Former SVB customers should be aware of any payment changes and contact your contact by phone instead of email.”)
(Added, 6:30 pm ET, March 14, 2023. Adi Ikan, CEO and co-founder of Veriti, points out that the phishing that has used Silicon Valley Bank as a lure has been overwhelmingly concentrated in the United States. “Phishing campaigns are taking advantage of the recent collapse of SVB to impersonate the bank and its online services, with the intent of tricking victims into divulging their account information or login credentials,” Ikan wrote. “We have also seen a significant geographic impact with an increase in fake phishing domain registrations in the US (88%), Spain (7%), France (3%) and Israel (2%), and we anticipate this number to grow. Our investigation suggests that one of the attackers is from Turkey, as a local target was lured to the website a few hours after the attacking group purchased it.”)
Added, Mar 17, 2023: More SVB-themed phishing.
INKY describes a phishing campaign impersonating Silicon Valley Bank (SVB) with fake DocuSign notifications: “Email recipients are told that the ‘KYC Update Team’ sent two documents (KYC Form.docx and Contact Change.docx) that require a signature. ‘KYC’ is a banking term that stands for ‘Know Your Customer’. It is a mandatory process used by banks to verify the identity of the account holder. Of course, in this case, the phisher is using it to convey a sense of legitimacy to their intended victims.” If the recipient clicks on the link, they will be taken to a spoofed Microsoft login page designed to steal their credentials.