An ongoing phishing campaign has been found targeting Monzo, a well-known digital-only banking platform in the U.K. The attacks are facilitated by a network of malicious websites.

About the campaign

The phishing campaign attempts to take over the accounts of Monzo users.
  • The process starts with an SMS that displays Monzo as the sender's name and asks the recipient to click a link to re-activate their session or verify their account.
  • The link leads to a phishing site with a fake login form that requests the victim's email login credentials along with Monzo account details such as phone number, full name, and PIN.
  • With these details, the attackers have everything they need to take over the Monzo account.

Monzo posted a warning on Twitter describing the signs of this fraud and the action customers should take.

How do attackers gain full access?

Attackers can use the stolen information to take over a genuine account as follows:
  • When the Monzo app is installed on a new device, the service sends a device verification link to the account holder's email address at the first login.
  • Because the attackers hold the victim's email credentials, they can open this link and verify their own device, which gives them full access to the account.
  • Even if the email account is protected by 2FA, the attackers can bypass it with additional social-engineering steps or with OTP-stealing bots.

Phishing pages

The attackers use the Cazanova Morphine phishing kit to build the Monzo phishing pages.
  • Some of the domains include monzo-notice[.]com, monzo-online-support[.]com, and monzo-check[.]com.
  • Four domains on the same ASN have also been observed targeting users of the online payments service Revolut. Pivoting on these domains revealed 33 further identical sites, the earliest dating back to November 11, 2021.
  • All 34 domains were hosted on three CIDRs in Russian IP space belonging to NForce Entertainment (AS43350). The Monzo-themed domains were registered through two Chinese registrars, Eranet and NiceNic.
  • Hosting in Russian IP space and registering through Chinese registrars complicates attribution.
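As an added example, not part of the Cyware write-up or of Monzo's own tooling, the following Python script applies the indicators above to SMS text the way a mail/SMS gateway or a SOC analyst might: it extracts the hostname of every link, refangs the defanged domains listed on this page, and flags both exact IOC hits and any other hostname that carries the Monzo brand but is not under monzo.com. The sample messages are constructed, the `.example` lookalike domain is hypothetical, and treating monzo.com as the only legitimate Monzo web domain is an assumption.

```python
"""Triage SMS bodies for Monzo-themed phishing links (added example, not from the page)."""
import re
from urllib.parse import urlparse

BRAND = "monzo"
# Assumption: monzo.com and its subdomains are the only legitimate Monzo web hosts.
LEGITIMATE_DOMAINS = {"monzo.com"}
# Defanged indicators as listed on this page; refanged before matching.
KNOWN_PHISHING_DOMAINS = {
    "monzo-notice[.]com",
    "monzo-online-support[.]com",
    "monzo-check[.]com",
}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn 'monzo-check[.]com' / 'hxxp://' back into a real domain or URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def extract_hosts(text: str) -> list[str]:
    """Return the lowercase hostname of every URL found in an SMS body."""
    hosts = []
    for url in URL_RE.findall(refang(text)):
        if not url.lower().startswith("http"):
            url = "http://" + url          # bare www. links need a scheme for urlparse
        host = (urlparse(url).hostname or "").strip(".").lower()
        if host.startswith("www."):
            host = host[4:]
        if host:
            hosts.append(host)
    return hosts


def is_legitimate(host: str) -> bool:
    """True only for the legitimate apex or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def classify_host(host: str) -> str:
    """Verdict for one hostname: known_phish > legitimate > brand_lookalike > unrelated."""
    if host in {refang(d) for d in KNOWN_PHISHING_DOMAINS}:
        return "known_phish"
    if is_legitimate(host):
        return "legitimate"
    if BRAND in host:
        # Brand name anywhere in a non-legitimate hostname, which also catches
        # subdomain tricks such as monzo.com.evil.example.
        return "brand_lookalike"
    return "unrelated"


def triage_sms(message: str) -> dict:
    """Classify every link in a message; the sender name alone is not trusted."""
    verdicts = {h: classify_host(h) for h in extract_hosts(message)}
    if "known_phish" in verdicts.values():
        level = "block"
    elif "brand_lookalike" in verdicts.values():
        level = "suspicious"
    elif verdicts:
        level = "allow"
    else:
        level = "no_link"
    return {"hosts": verdicts, "level": level}


# Constructed sample messages (not real campaign texts).
SAMPLE_SMS = [
    "Monzo: your session has expired. Re-activate it at https://monzo-notice.com/session",
    "Monzo: please verify your account https://monzo-check[.]com/verify",
    "Hi, have a look at https://monzo.com/blog/ when you get a chance",
    "Action required: https://monzo.com.account-review.example/login",  # hypothetical lookalike
    "Are we still on for 6?",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(triage_sms(sms)["level"], "|", sms)
```

The brand-in-hostname rule is deliberately broad: it will also flag unrelated hosts that happen to contain "monzo", so in production it belongs behind the exact-IOC match as a "suspicious" tier for analyst review rather than an automatic block.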

Conclusion

Since the campaign is ongoing, Monzo users should stay alert. Users should remember that the platform does not send notifications by SMS, and should treat any SMS from an unknown or suspicious-looking source with caution.

Cyware Publisher
