Apurva Venkat
Special Correspondent

Cybercriminals target SVB customers with BEC and cryptocurrency scams

News
Mar 15, 2023 | 4 mins
Cryptocurrency, Cybercrime, Malware

Security researchers have found that threat actors have already registered domains and pages to carry out the attacks.

Cybercriminals have started taking advantage of Silicon Valley Bank’s (SVB) downfall to carry out scams that can steal money and bank account information, or infect customers’ systems with malware.

SVB was shut down on March 10 by the California Department of Financial Protection and Innovation, after the bank failed to raise capital to keep running.

SVB customers are expected to transfer their financial operations to other banks in the coming weeks. This means these customers will receive notifications including the new bank account numbers from their new bank. Hackers are using this as an opportunity by posing as banks and carrying out phishing and business email compromise (BEC) campaigns that target SVB customers.

Suspicious domains registered

Security researchers have found that threat actors have already registered suspicious domains and pages to carry out the attacks.

Some of the suspicious websites that have emerged are svbcollapse[.]com, svbclaim[.]com, svbdebt[.]com, svbclaims[.]net, login-svb[.]com, Svbbailout[.]com, svb-usdc[.]com, svb-usdc[.]net, svbi[.]io, banksvb[.]com, svbank[.]com, and Svblogin[.]com, according to Cyble Research & Intelligence Labs (CRIL).

Some websites emerged after March 10, right after the collapse of SVB. On March 13, the Department of the Treasury, Federal Reserve, and FDIC issued a joint statement to safeguard all depositors’ funds and ensure access to their money.

“However, despite being a relief for affected depositors, threat actors have started using this announcement to launch their malicious campaigns,” CRIL said in its report.

The SVB collapse entices threat actors as it involves a lot of money, and there is a sense of urgency and uncertainty, Johannes B Ullrich, dean of Research at SANS.edu, said in a post.

“Many companies and individuals employed by companies have questions about how to pay urgent bills. Will my employer be able to make payroll? Is there anything I need to do right now? For many, it isn’t clear how to communicate with SVB, what website to use, or what emails to expect (or where they will come from?),” Ullrich said.

According to the graph shared by the researcher, the largest number of domain names registered containing the name SVB was on March 12.
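
A defender can turn the indicators listed above into a quick triage pass over proxy or DNS logs. The following is an added example, not code from CRIL or the article: the log format, the `svb.com` allowlist entry and the `.example` hosts are assumptions constructed for illustration, and the two-label domain split is only adequate for simple TLDs such as those in the list.

```python
# Defanged indicators exactly as listed in the article (attributed to CRIL).
ARTICLE_IOCS = """svbcollapse[.]com svbclaim[.]com svbdebt[.]com svbclaims[.]net
login-svb[.]com Svbbailout[.]com svb-usdc[.]com svb-usdc[.]net svbi[.]io
banksvb[.]com svbank[.]com Svblogin[.]com"""

ALLOWLIST = {"svb.com"}  # assumption: the known-good domain your users rely on
BRAND = "svb"            # brand token abused in the lookalike registrations


def refang(indicator):
    """Convert a defanged indicator (svb[.]io) to a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower()


KNOWN_BAD = {refang(i) for i in ARTICLE_IOCS.split()}


def classify(host):
    """Return allow / known-ioc / brand-lookalike / unrelated for a hostname."""
    labels = host.lower().rstrip(".").split(".")
    domain = ".".join(labels[-2:])  # naive registrable domain (assumption)
    if domain in ALLOWLIST:
        return "allow"
    if domain in KNOWN_BAD:
        return "known-ioc"
    # Brand token in any label, including subdomains that imitate the real
    # domain such as svb.com.<something>.
    if any(BRAND in label for label in labels):
        return "brand-lookalike"
    return "unrelated"


# Constructed sample log: timestamp, client IP, requested host.
SAMPLE_LOG = """\
2023-03-14T09:12:01Z 10.0.0.5 connect.svb.com
2023-03-14T09:13:44Z 10.0.0.9 www.login-svb.com
2023-03-14T09:15:10Z 10.0.0.9 svb-refund.example
2023-03-14T09:16:02Z 10.0.0.7 svb.com.account-update.example
2023-03-14T09:18:30Z 10.0.0.3 intranet.corp.example
"""


def triage(log_text):
    """Return (client, host, verdict) for every request worth reviewing."""
    rows = (line.split() for line in log_text.splitlines())
    hits = [(r[1], r[2], classify(r[2])) for r in rows if len(r) == 3]
    return [h for h in hits if h[2] in ("known-ioc", "brand-lookalike")]
```

A `brand-lookalike` verdict is a lead for review, not proof of abuse, since a three-letter token can appear in unrelated hostnames.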

Cryptocurrency and BEC scams have begun

It’s not just the registration of suspicious domains; threat actors have also begun carrying out other scams. Several cryptocurrency scams have already been identified by CRIL. In one such scam analyzed by security researchers, phishing sites such as svb-usdc[.]com and svb-usdc[.]net have set up bogus USDC reward programs. The sites claim that the bank is actively distributing USDC as part of the SVB USDC payback program to eligible USDC holders.

USDC or the USD Coin is a digital stablecoin pegged to the US dollar. “They aim to steal cryptocurrency from the victim’s account by offering them free USDC,” CRIL said in its report.

On the phishing site, once the user clicks on “click here to claim,” a QR code is displayed. “The user is instructed to scan the QR code using any cryptocurrency wallet, such as Trust, Metamask, or Exodus. However, scanning the code will result in the compromise of the user’s wallet account,” CRIL said in its report.

Similar phishing sites that carry out the same malicious activity were observed by CRIL soon after Circle, the issuer of USD coins, announced that they held $3.3 billion worth of USDC with SVB and would resume their operations. The phishing sites pretended to be Circle and lured victims by promoting a deal of 1 USDC for $1.

Apart from cryptocurrency scams, BEC scams that target SVB customers have also surfaced. A post shared on Mastodon by Peter Bronez, enterprise practice lead at venture capital firm In-Q-Tel, highlights how SVB customers are receiving new non-SVB account details from their existing vendors to facilitate payments. However, these account details actually belong to the threat actors and if customers transfer payments to the accounts, they will likely never see the money again. Other users have also reported similar scams on platforms such as Mastodon, Twitter, and LinkedIn.

SVB Customers need to be vigilant 

SVB customers need to be vigilant of these attacks. Experts are advising that customers directly contact their vendors before changing any account details and not rely purely on email for any such change requests.

“Given the recent buzz surrounding the collapse of SVB, which will have long-lasting effects on affected organizations, these entities are likely to become targets for TAs (threat actors) who may employ malware and phishing attacks to victimize them,” CRIL said. 

Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld. She has previously worked at ISMG, IDG India, Bangalore Mirror, and Business Standard, where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news, and education.