SVB's collapse and the potential for fraud.
Mar 14, 2023

Bank shutdown will inevitably attract scammers.


Security firms are warning that cybercriminals are gearing up to take advantage of the disruption surrounding the collapse and shutdown of Silicon Valley Bank (SVB).

BEC attacks expected.

Johannes Ullrich from the SANS Institute is tracking a spike in newly registered SVB-related domains, including “login-svb[.]com,” “svbbailout[.]com,” “svbcertificates[.]com.” It’s not clear how many of these domains were created by scammers, but Ullrich expects to see business email compromise (BEC) attacks taking advantage of the situation for several reasons:

  1. “It involves a lot of money
  2. “Urgency: Many companies and individuals employed by companies have questions about how to pay urgent bills. Will my employer be able to make payroll? Is there anything I need to do right now?
  3. “Uncertainty: For many, it isn't clear how to communicate with SVB, what website to use, or what emails to expect (or where they will come from?)”

Likewise, Ofer Maor, Chief Technology Officer at Mitiga, warns that BEC scammers are going to exploit the countless money transfers taking place during the coming weeks:

“We are expecting a rise in BEC attacks taking advantage of the current situation. Please alert your finance team! In the next few days and weeks, many organizations are going to be changing their primary bank account, following the current situation in Silicon Valley Bank. This is especially relevant for SaaS vendors (and customers).

“During this time, we are going to see many finance teams bombarded with account change requests and asks to urgently modify wire destinations. This havoc fuels attackers. It makes it much easier for attackers to launch business email compromise attacks, requesting account changes, which will be all processed as part of this situation, and taking advantage of confusion and chaos in the markets.

“We strongly recommend you alert your finance teams to be extra careful with all inbound and outbound account change requests, and to reiterate the procedures you have for out of bound verification of new accounts.”

Arctic Wolf offers the following recommendations to help users avoid falling for these attacks:

  • “Ensure users know how to identify a phishing email and where to report it. 
  • “Provide examples of what users could expect and remind users to remain vigilant when receiving an email from an unknown or external source. 
  • “Be wary of messages that create a sense of urgency and ask you to do something quickly, especially pertaining to SVB. 
  • “Be cognizant that threat actors may use personal social media accounts or text messages to contact you. 
  • “Review policies for verification of any changes to existing invoices, bank deposit information, and contact information.”

(Added, 6:00 PM ET, March 14th, 2023. Tonia Dudley, CISO of Cofense, wrote to offer observations about the risk of opportunistic social engineering:

"The recent collapse of Silicon Valley Bank (SVB) has caused rippling effects across the tech industry, as threat actors are taking this as an opportunity to steal money, access account data and infect targets with malware. Cybercriminals are conducting phishing campaigns and business email compromise (BEC) attacks, posing a major security risk to SVB and former customers alike as BEC amounts to an estimated $500 billion-plus annually lost to fraud.

"Companies must be well-equipped to recognize possible dangers by understanding when it is okay to share credentials and reporting any errors to the security team. Organizations should also employ two-factor authentication or secondary security controls to validate requests for changes to account information and maintain system updates. Former SVB customers should be observant of any payment changes and reach out to their contact over the phone rather than email communication.")

(Added, 6:30 PM ET, March 14th, 2023. Adi Ikan, CEO and Co-founder of Veriti, notes that the phishing that has used Silicon Valley Bank as a lure has been overwhelmingly concentrated in the United States. "Phishing campaigns are leveraging SVB’s recent collapse to impersonate the bank and its online services, with the intention of tricking victims into divulging their account information or login credentials," Ikan wrote. "We have also observed a significant geographical impact with an increase in the registration of fake phishing domains in the U.S. (88%), Spain (7%), France (3%) and Israel (2%), and we anticipate this number to grow. Our research suggests that one of the attackers is from Turkey, as one local target was lured to the website a few hours after the attacking group bought it.")

Added, March 17th, 2023: More SVB-themed phishing.

INKY describes a phishing campaign that’s impersonating Silicon Valley Bank (SVB) with phony DocuSign notifications: “Email recipients are told that the ‘KYC Refresh Team’ sent two documents (KYC Form.docx & Change of Contact.docx) that require a signature. ‘KYC’ is a banking term that stands for ‘Know Your Customer’ or ‘Know Your Client.’ It’s a mandatory process banks use to verify an account holder’s identity. Of course, in this case, the phisher is using it to convey a sense of legitimacy to its intended victims.” If the recipient clicks the link, they’ll be taken to a spoofed Microsoft login page designed to steal their credentials.