Analysts Spot a Wave of SVB-Related Cyber Fraud Striking the
Right now, hackers are developing phishing campaigns that capitalize on the news of Silicon Valley Bank’s failure.
SVB was the 16th-largest bank in the United States, known primarily for servicing Silicon Valley startups and technology companies, including such name brands as Buzzfeed, Roblox, Trustpilot, and Roku. A chain reaction beginning with global inflation and ending with a run on deposits saw regulators shut down the bank on Friday.
SVB customers panicked over the weekend, unsure if they would recoup their deposits. And, right on cue, “hackers are exploiting the SVB situation to prey on people’s emotions,” Ironscales CEO Eyal Benishti says. “They’re incorporating SVB-relevant content into their existing, proven tactics that create a sense of urgency when their victims are distracted and less alert.”
Indeed, analysts have picked up on a wave of SVB-related attacks this week — phishing and otherwise — with dozens of new threats arising daily. And, unfortunately, perfectly legitimate companies are actually, unwittingly, helping the attackers along.
SVB Phishing Campaigns
Oren Koren, CPO and co-founder of Veriti, saw the data start to flow in right away. “Hackers started on March 10 and 11, buying domains that are very close to domains related to SVB,” he says. The domains reference payments, or a bailout, or try to mimic legitimate SVB domains — such as, Benshiti says, “svblogin[.]com” and “login-svb[.]com”. Sometimes, hackers take a less tactful approach — something like “wefinancesvbclients[.]com.”
Koren observed as the perpetrators, having registered their lookalike domains, created and tested their phishing attack flows. “Before you deploy, you create a phishing process, and then you test it on yourself to verify it works,” he explains.
In one case, a malicious actor tipped their hand by clearly testing their infrastructure from Turkey. “That was a mistake, and that’s why we know he started there, and then eventually moved to target the US,” he notes. In all, Koren has observed attacks from two major groups, in addition to some smaller entities.
As of this writing, Veriti has tracked more than 62 new domains registered for SVB-related attacks, and 200 phishing attacks in all, primarily against targets in the United States (understandable, as most of SVB’s clients are US-based companies).
Source: VeritiSource: Veriti
That hackers capitalize on important news stories is nothing new — it’s a pattern that repeats itself time and time again. What’s interesting and somewhat unique to this case is how the public may be inadvertently helping the offenders achieve their goals.
How We’re Making It Easy for the Hackers
The analysts who spoke with Dark Reading emphasized the many ways in which the public response to SVB is actually making hackers’ jobs easier.
Koren made note of websites like affectedbysvbornot.com and svbmeltdown.fyi, which have been publishing lists of customers affected by SVB, and how badly they were exposed. “It’s important from a publication perspective,” he admits, “but for attackers, those services allow them to know better whom they should target.” Attackers can use specific details from these websites to help legitimize their phishing emails, or scale ransom payments according to how much money they see these companies stowing away in their coffers.
Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint, points to an even more subtle problem. As SVB customers shift to other banks, they’re having to inform clients and vendors about new channels for payments. Those notifications, sometimes, aren’t so distinguishable from phishing.
Take the perfectly honest email below — a vendor notifying clients that, due to SVB’s failure, payments should be sent to a new bank account. “As a result of that news,” it reads, “we are asking that with immediate effect your Company’s payments that we previously directed be paid to Silicon Valley Bank, now be paid in accordance with the attached letter from our Finance Department.”
“So actually, the email is extremely unhelpful,” Kalember explains, “because even if it provides the right account details, it looks so much like phishing,” from the language right on down to the minor details. “It even looks extremely malicious, because of the .docx.pdf.”
How to Prepare for the SVB Fraud Onslaught
Kalember had to deal with this payment problem first hand — not just from a security analyst’s perspective — since his own company had limited exposure to SVB. When notifying relevant clients, he advises a more careful approach. “What the email should say is: ‘Please call us in a pre-recognized fashion, to an official and indisputably legitimate phone number. And we will discuss kind where we should go from a payment perspective going forward.'”
To address the broader issue of SVB-related attacks, Benishti highlighted the need for a security-forward culture, and reviewing internal security processes. “Companies should also have robust systems in place,” he says, “to detect fake login pages and prevent credential harvesting, which will be a featured play with SVB-related scams.”
Koren thinks the solution is even simpler. He gave an example of one organization that’s already targeted in an SVB phishing campaign. “They had anti-phishing in their mail security,” he points out, alongside robust endpoint and network security solutions. “Unfortunately, in this case, their security was not maximized. The phishing email got through. They have all the technologies necessary to protect from those kinds of attacks, they specifically just hadn’t used it, because they were not aware that they have a technology to do anti-phishing.”
Most organizations, Koren says, are in a similar position. “So the goal is to maximize what you have, from a security perspective, or use automations and AI just to do that.” As SVB-related campaigns continue to rise, companies will certainly need to maximize what security they already have.