Monzo Online-Banking Customers at risk of being ‘Phished’
Monzo Online-Banking Users targeted by Phishing Attacks!
One of UK’s most popular digital-only banking platforms known as ‘Monzo’ is being targeted by a phishing attack going around, supported by a growing network of malicious websites, App users also confirmed that they have been receiving phishing messages continuously. Monzo is a 100% online banking platform with over 4 million customers and is also among the first to challenge the world’s traditional financial managing system. As this platform is said to be, mobile-only it also offers a feature-rich app, debit Mastercards, and a very thorough yet not completely flawless fraud-detection system.
As per a report released by security researcher William Thomas, there is an ongoing phishing campaign targeting users of the app and attempting to steal their accounts. Additionally, the banking platform also posted on Twitter to warn and notify their customers about such signs of fraud activities and what not to do when receiving a message that appears suspicious.
The Process of Phishing
Thomas also explains in a new report, this process of phishing and how it begins with the arrival of an SMS text showcasing ‘Monzo’ as the sender’s name, asking the recipient to tap the link provided to reactivate their session or verify their account.
After clicking of the link, users are taken to a phishing site that displays a fake email login form which then requests their information such as the full name, phone number, and the Monzo PIN. If the details are provided, the threat actors will then gain access to everything needed to begin taking over victims’ Monzo accounts.
When installing the app on a new device, like the threat actor’s device, the service sends a device verification link for the first login to the user’s email address. However, as the threat actors now have access to victims’ email accounts, they can simply click on this “golden link” and verify their device, giving them full access to the Monzo account. The danger of gaining access to this link is described in the emails sent by Monzo, who warn that this link should never be shared with other people. Now, If the email account is protected by 2 Factor Authentication, Thomas unfortunately states the adversaries can likely overcome this with additional social engineering steps or by going the extra mile to employ OTP stealing bots.
Set up of Phishing Sites
Thomas informs the threat actors are using the Cazanova Morphine kit to create the Monzo phishing landing page, with some examples domains that are listed below:
- monzo-notice[.]com
- monzo-online-support[.]com
- monzo-check[.]com
- monzo-card-support[.]com
- monzo-replacement[.]com
- alert-monzo[.]com
Furthermore, the researcher also observed 4 domains on the same ASN, that has targeted users of Revolut, a popular online payments service.
- revolut-cancel-support[.]com
- revolut-cancellation[.]com
- revolut-cancel-online[.]com
- login-revolut-resolve[.]com
“Research into the domain itself via URLscan.io uncovered 33 other identical sites, dating back to 11 November 2021,” “All 34 domains were hosted on the same three CIDRs in Russian IP space with NForce Entertainment (AS43350). Interestingly, the Monzo-themed domains also used two Guangdong-based Registrars (Eranet and NiceNic).” states Thomas in his blog post report.
Mixing Chinese registrars and Russian IP addresses makes attribution hard and complicate take-down actions, extending the uptime of the phishing sites.
What Now?
It is said that when Monzo wants to inform their users about anything, it uses built-in app notifications or the account portal on the official website. They DO NOT use SMS to send notifications, and the platform would also never urge a customer to follow any links from outside the app. To conclude it is advised that if in case they have tapped on these links and provided any login details to the actors, they need to reset their account password as soon as possible and activate MFA on both their email and Monzo account.
Source: