The collapse of Silicon Valley Bank and Signature Bank, combined with spreading worries of a calamitous fallout, could create new hooks for a spree of news-driven social engineering attacks.
Researchers at Proofpoint observed a phishing campaign designed to exploit the banking crisis with messages impersonating several cryptocurrencies. Threat hunters and cybersecurity professionals across multiple firms warned organizations to be on the lookout for malicious activity.
Threat actors don’t just follow the news — they react to it and identify new ways to target potential victims during moments of heightened sensitivity. Phishing and business email compromise attacks are often tailored to take advantage of the fear and uncertainty surrounding major events.
“CISA is closely monitoring the situation,” a spokesperson for the Cybersecurity and Infrastructure Security Agency said. “Currently, we are not tracking any cyberattacks or incidents associated with Silicon Valley Bank.”
Cybersecurity professionals, as is their wont, are operating under the assumption that threat actors will turn this banking crisis into fuel for cyberattacks.
“Ultimately, because these crises can help to create a sense of urgency, this moment in time can be an effective tool for threat actors,” Arctic Wolf CISO Adam Marrè said via email.
Arctic Wolf hasn’t observed a notable volume of threats, but it has seen an uptick in newly registered domains related to SVB since federal regulators took over the bank’s deposits Friday. The cybersecurity firm expects some of those domains to serve as a hub for phishing attacks.
Professionals should scrutinize messages for spoofed email addresses and fake emails designed to provoke an urgent response, and be extra cautious across all exchanges, Marrè said.
Organizations should be especially vigilant with financial transactions and take additional precautions to avoid fraud via phishing or business email compromise.
Phishing was the top cybercrime type reported to the FBI’s Internet Crime Complaint Center in 2022, according to an annual report published Friday. Phishing accounted for nearly 40% of cybercrime incidents reported to the FBI last year.
Targeting vulnerable employees
Finance employees, who often have access to an organization’s banking information for billing and payments, are an optimal target for threat actors conducting phishing or business email compromise attacks.
“Gaining access to a finance department laptop could provide a windfall for cybercriminal,” Eyal Gruner, CEO at Cynet, said via email. “With all the chaos and fear as a result of the SVB collapse, these employees are particularly vulnerable right now.”
“If the victim is a client of SVB and has funds tied up there, then they get additional accounts robbed, things can go from very bad to horrific very quickly,” Gruner said.
The opportunity for fraud is massive and is not limited to direct customers of SVB; it extends to anyone doing business with those organizations, according to Expel CISO Greg Notch.
“There will be lots of changes to payment information between businesses, creating counterparty risk,” Notch said via email.
Some altered transactions may go unnoticed as scrambling activity between counterparties increases over the coming weeks, Notch added.
The failure of two banks in as many days and a widespread concern that this banking crisis could spread is just the latest event of global consequence for threat actors to glom onto.
“Attackers are always looking for an angle. Leveraging a chaotic situation where people are confused, looking for information and not sure where to turn, they’re more apt to open random emails that may help them,” Gruner said.
For adversaries, “the more people are confused, scared and looking for answers the better,” he said.