Scammers already exploiting Silicon Valley Bank collapse
Email attacks already seen in the wild
Criminals are already taking advantage of the collapse of Silicon Valley Bank (SVB), which has affected a number of tech firms across the world.
Several security researchers have reported that threat actors are registering suspicious domains, setting up phishing pages and preparing for business email compromise (BEC) attacks.
The objective is to steal money, acquire account data or infect targets with malware.
Formerly among the 20 largest banks in the USA, SVB was known for its focus on lending to startups. It provided banking services for almost half of the US technology and healthcare companies that both received backing from venture capitalists and went public last year.
However, the bank collapsed on 10th March. That was due to its inability to secure $2.3 billion to compensate for losses it incurred from the sale of assets - mainly US government bonds that had been affected by increased interest rates.
According to Johannes Ullrich, dean of research for SANS Technology Institute, several suspicious domains have been registered in the incident's aftermath.
Examples include:
- login-svb[.]com
- svbcertificates[.]com
- svbbailout[.]com
- svbclaim[.]com
- svbdeposits[.]com
- svbcollapse[.]com
- svblawsuit[.]com
- svbhelp[.]com
These are in addition to a host of other domains identified in a similar report from cyber-intelligence firm Cyble.
Ullrich warned that the attackers could try to get in touch with SVB's former clients and offer them a support package, loans, legal advice or other fraudulent services associated with the bank's collapse.
BEC attacks have already been seen in the wild. Criminals will impersonate former SVB clients and instruct those clients' customers to forward incoming payments to a new bank account controlled by the threat actor.
Many of the new domains were registered on 10th March, the day of the bank's collapse, and are currently promoting cryptocurrency scams by falsely asserting that SVB is compensating its customers through pay-outs in the stablecoin USD Coin (USDC).
Circle, a peer-to-peer payments company that oversees USDC, had a cash reserve of $3.3 billion in SVB. The bank's collapse has caused uncertainty, despite the company's reassurances about USDC's liquidity.
New domains, such as redeemed-circle[.]com and circle-reserves[.]com, have emerged with the sole purpose of stealing wallets and sensitive data.
Email security company Proofpoint also reported detecting scams linked to USDC.
"This campaign used messages that impersonated several cryptocurrency brands, which were sent via malicious SendGrid accounts and containing SendGrid URLs. The URLs redirected to several different domains that asked the victim to claim their crypto/redeem to USD," Proofpoint tweeted.
"Clicking the button would try to open a DeFi URL, so the victim would need to have a DeFi handler installed, such as MetaMask wallet. The victim would then be lured to install a smart contract that would transfer the contents of the victim's wallet to the attacker."
If you are an SVB customer, be vigilant about suspicious emails and domains linked to SVB, particularly those that mention alterations in bank information.
Whenever possible, verify any payment modifications over the phone instead of email.
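One way to act on the domain warning above is to triage hostnames from mail or proxy logs for the naming pattern the reported domains share: a brand token next to a lure word. This is an added example, not code from the researchers quoted. The allowlist, the `classify` and `triage` names and the benign sample hostnames are assumptions, and the sketch goes beyond the listed domains by also checking subdomain labels.

```python
import re

# Brand tokens and lure words taken from the domains named in the article.
BRANDS = ("svb", "circle")
LURES = ("login", "certificates", "bailout", "claim", "deposits", "collapse",
         "lawsuit", "help", "redeemed", "reserves")
# Assumption: genuine domains to ignore; replace with your own allowlist.
ALLOWLIST = {"svb.com", "circle.com"}

def normalise(host):
    """Lower-case, undo '[.]' defanging and drop a trailing root dot."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")

def classify(host):
    """Return 'high' (brand + lure), 'review' (brand only) or None."""
    labels = normalise(host).split(".")
    if len(labels) < 2:
        return None
    # Assumption: single-label TLD, so the last two labels are the registrable
    # domain. Use a public-suffix list in production.
    if ".".join(labels[-2:]) in ALLOWLIST:
        return None
    # Check every label except the TLD, so brand names planted in subdomains
    # of an unrelated domain are caught as well.
    tokens = [t for label in labels[:-1]
              for t in re.split(r"[^a-z0-9]+", label) if t]
    brand = any(t.startswith(b) or t.endswith(b) for t in tokens for b in BRANDS)
    lure = any(word in t for t in tokens for word in LURES)
    if brand and lure:
        return "high"
    return "review" if brand else None

def triage(hosts):
    """Map each flagged hostname to its verdict; unflagged hosts are omitted."""
    return {h: v for h in hosts if (v := classify(h)) is not None}

if __name__ == "__main__":
    # Constructed sample: article domains mixed with constructed hostnames.
    sample = ["login-svb[.]com", "svbcertificates[.]com", "redeemed-circle[.]com",
              "www.svb.com", "login.svb.com.evil.example", "circleci.com",
              "example.org"]
    for host, verdict in triage(sample).items():
        print(f"{verdict:6} {host}")
```

A "review" verdict only means a brand token appeared in a hostname that is not allowlisted, so expect benign hits there and confirm them manually.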