Mobile Banking Phishing Campaign

-

 

There is no doubt that mobile banking has taken the world by storm. Another growth industry is digital-only banks, especially in the UK. As of January 2022, over a quarter (27%) of British adults have opened an account with a digital-only bank, equating to 14 million people. This has created a new pool of targets for phishing threat actors to create new campaigns for fraud. This blog will explore a recent and ongoing campaign targeting mobile users and digital-only banks. 

Monzo is a popular digital-only bank in the UK. For years, users are able to open an account without having to visit a branch just by walking through the steps in the mobile application. One of the key parts to creating a Monzo account is verifying your device. Monzo will send you a "golden link" which you use to login to for the first time (see Fig. 1). This is what the phishing threat actors are after.

Fig. 1 - Example "golden link" sent via Monzo to login to bank accounts

Fig. 2 - Example SMS phishing texts in replies to an alert sent out by Monzo on Twitter

I was recently sent an example of a Monzo phishing page to investigate. By walking through the steps I learned how the phishing page worked. It first takes your email, then collects your email account credentials, then asks for your Monzo PIN, followed by your name and phone number. These details are enough to compromise a users email account and Monzo account. Additional social engineering steps might be involved, but there are many one-time passcode (OTP) stealing bots and other guides on how to trick victims into giving up access to the attacker.

Fig. 3 - Monzo bank phishing page

Research into the domain itself via URLscan.io uncovered 33 other identical sites, dating back to 11 November 2021 (see Fig. 4). All 34 of the domains were hosted on the same three CIDRs in Russian IP space with NForce Entertainment (AS43350). Interestingly, the Monzo-themed domains also used two Guangdong-based Registrars (Eranet and NiceNic). Perhaps by using Russian IP addresses and Chinese registrars, these phishers are hoping to obscure attribution or the more likely event that they just want it to be as difficult as possible to submit a takedown request - thwarting attribution here seems to just be an added bonus.

Fig. 4 - Number of Monzo Phishing pages created (cumulative)

Analysis of the phishing kits deployed on these sites themselves revealed links to the Cazanova Morphine kit, detailed by the good people at WMC Global here. You don't have to look too hard to find Cazanova's fingerprints all over this kit (see Fig. 5).

Fig. 5 - Cazanova Morphine kit targeting Monzo bank customers

Digging some more into the ASN on URLscan.io uncovered some additional Revolut-themed phishing pages, again targeting mobile digital-only banking customers (see Fig. 6). Analysis of the domain registrar also revealed the use of NiceNic again, same as the Monzo phish and indicating it is likely the same phisher behind both campaigns.

Fig. 6 - Revolut-themed phishing page

Indicators of Compromise

  • monzo-card-alerts[.]com
  • monzo-support-online[.]com
  • monzo-check[.]com
  • monzo-card-support[.]com
  • monzo-review-account[.]com
  • monzo-cancel-online[.]com
  • monzo-support-review[.]com
  • monzo-cancel[.]com
  • monzo-cancel-card[.]com
  • alert-monzo[.]com
  • monzo-online-support[.]com
  • monzo-reviews[.]com
  • monzo-address-uk[.]com
  • monzo-alerts[.]com
  • monzo-card-review[.]com
  • monzo-cancellation[.]com
  • monzo-accounts[.]com
  • monzo-alert[.]com
  • monzo-account-review[.]com
  • monzo-card-cancellation[.]com
  • monzo-notice[.]com
  • monzo-cancel-order[.]com
  • monzo-review[.]com
  • monzo-replacements[.]com
  • monzo-replacement[.]com
  • monzo-order[.]com
  • monzo-plus[.]com
  • monzo-limited[.]com
  • monzo-dispatch[.]com
  • monzo-card-service[.]com
  • monzo-dispatched[.]com
  • monzo-card-cancel[.]com
  • monzo-order-replace[.]com
  • revolut-cancel-support[.]com
  • revolut-cancellation[.]com
  • revolut-cancel-online[.]com
  • login-revolut-resolve[.]com
  • 91.212.150.0/24
  • 93.157.62.0/24
  • 93.157.63.0/24
Update 18.02.2022 - Added SMS phishing texts from replies to Monzo Twitter alert

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more