SVB

The collapse of the Silicon Valley Bank (SVB) on March 10, 2023, has sent ripples of turbulence throughout the global financial system, but for hackers, scammers, and phishing campaigns, it's becoming an excellent opportunity.

As multiple security researchers report, threat actors are already registering suspicious domains, conducting phishing pages, and gearing up for business email compromise (BEC) attacks.

These campaigns aim to steal money, steal account data, or infect targets with malware.

SVB going defunct

SVB was a U.S.-based commercial bank, the 16th largest in the country, and the largest bank by deposits in Silicon Valley, California.

On March 10, 2023, the bank failed after a run on its deposits. This failure was the largest of any bank since the 2007-2008 financial crisis and the second-largest in U.S. history.

This event has impacted many businesses and people in the technology, life science, healthcare, private equity, venture capital, and premium wine industries who were customers of SVB.

The chaotic situation is further worsened by the prevailing elements of urgency, uncertainty, and the significant amounts of money deposited at the bank.

Scammers jump at the opportunity

Security researcher Johannes Ulrich reported yesterday that threat actors are jumping at the opportunity, registering suspicious domains related to SVB that are very likely to be used in attacks.

Daily suspicious domain registration rates
Daily suspicious domain registration rates (SANS ISC)

Some of the examples given in a report published on the SANS ISC website include:

  • login-svb[.]com
  • svbbailout[.]com
  • svbcertificates[.]com
  • svbclaim[.]com
  • svbcollapse[.]com
  • svbdeposits[.]com
  • svbhelp[.]com
  • svblawsuit[.]com

Ulrich warned that the scammers might attempt to contact former clients of SVB to offer them a support package, legal services, loans, or other fake services relating to the bank's collapse.

An attack already seen in the wild is from BEC threat actors who are impersonating SVB customers and telling customers that they need payments sent to a new bank account after the bank's collapse.

However, these bank accounts belong to the threat actors, who steal payments meant to go to the legitimate company.

Claim about an SVB-themed BEC attempt
Claim about an SVB-themed BEC attempt (Mastodon)

Cyber-intelligence firm Cyble published a similar report today exploring developing SVB-themed threats, warning about these additional domains:

  • svbdebt[.]com
  • svbclaims[.]net
  • svb-usdc[.]com
  • svb-usdc[.]net
  • svbi[.]io
  • banksvb[.]com
  • svbank[.]com
  • svblogin[.]com

Many of these sites were registered on the day of the bank's collapse, March 10, 2023, and are already hosting cryptocurrency scams.

These scam pages tell SVB customers that the bank is distributing USDC as part of a "payback" program.

"March 13 2023 - Silicon Valley Bank is actively distributing USDC as part of the SVB USDC payback program to eligible USDC holders. USDC payouts can only be claimed once per wallet," claims the cryptocurrency scam.

However, clicking on the site's 'Click here to claim' button brings up a QR code that attempts to compromise Metamask, Exodus, and the Trust Wallet crypto wallets when scanned.

Fraudulent cryptocurrency rewards page
Fraudulent cryptocurrency rewards page (Cyble)

In another case, the threat actors behind "cash4svb.com" attempt to phish former SVB customers' contact information who are trade creditors or lenders, promising them a return between 65% and 85%.

Phishing page using a refund lure
Phishing page using a refund lure (Cyble)

Circle scams

Peer-to-peer payments firm Circle, which manages the popular stablecoin USDC had a cash reserve of $3.3 billion in the SVB bank. However, the SVB collapse has created uncertainty despite the firm's assurances of USDC's liquidity.

This uncertainty has led to the creation of a network of cryptocurrency scam sites using website domains like:

  • redeemed-circle[.]com
  • circle-reserves[.]com
  • circleusdcoin[.]com
  • circle-mintusdc[.]com
  • svb-circle[.]com
  • circle.web3claimer[.]net
  • usd-circle[.]com
Fake Circle rewards page
Fake Circle rewards page (Cyble)

These websites have no real affiliation with Circle, and their sole purpose is to steal their visitors' wallets, digital assets, or personal details.

Email security firm Proofpoint has also spotted Circle scams stemming from the SVB events, sharing on Twitter a sample of phishing emails sent to targets.

Circle scam email
Circle-themed scam email (Proofpoint)

If you are a former SVB customer, the best thing you can do is to stay calm and follow the official communication channels of the U.S. government and the FDIC.

Ignore any emails from unusual domains, and triple-check any requests from alleged SVB banking customers who request that you change bank account details for payments.

The best method to confirm payment changes is to reach out to your contact via phone, not email, as email accounts can be compromised during these attacks.

Related Articles:

US moves to recover $2.3 million from "pig butchers" on Binance

Hackers impersonate U.S. government agencies in BEC attacks

Millions of Docker repos found pushing malware, phishing sites

New Latrodectus malware attacks use Microsoft, Cloudflare themes

Google ad impersonates Whales Market to push wallet drainer malware