Monzo customers in the UK are targeted with an SMS-based phishing campaign, aimed at stealing their bank accounts.
With a bunch of Monzo-themed websites, the threat actors are seen sending SMS to customers with malicious links in it. The campaign is made to compromise the bank-linked email account, and finally, the bank account even if it’s protected by 2FA.
Phishing Campaign Targeting Monzo Customers
Monzo is a UK-based digital bank launched in 2015, offering a full-on online banking service through its feature-rich app and virtual debit cards processed by MasterCard. With a fair base of over four million customers, threat actors targeting Monzo’s digital base should be expected.
And it’s happening, as spotted by William Thomas, a security researcher. As per him, an SMS-based phishing campaign is in the wild, aimed at stealing the Monzo bank accounts. This starts with an SMS purported to be coming from Monzo, asking to click on a link for verifying an account or reactivating the current one.
???? FRAUD ALERT: PHISHING SCAMS ????
Is that text from your bank, actually from your bank? ????
We'd never send you a link to verify your account via text, or ask you to log in to a website to confirm any account details.
Here are the red flags of a phishing scam…
THREAD???? pic.twitter.com/e71TscTLMw
— Monzo (@monzo) February 16, 2022
And if the unsuspecting customer taps on it, he’ll be redirected to a phishing page that’s similar to Monzo’s login page, and asks for credentials to log in. These include the email ID, password, and PIN for the Monzo account. These can be saved by the threat actor to steal funds later.
Some of the phishing pages noted in this campaign are;
- monzo-notice[.]com
- monzo-online-support[.]com
- monzo-check[.]com
- monzo-card-support[.]com
- monzo-replacement[.]com
- alert-monzo[.]com
The researcher also said that having a 2FA security layer too can’t help, as the threat actors may employ OTP stealing bots to steal them too. After analysis, the researcher said that finding the threat actor could be hard, as the IP addresses of websites are based in Russia, but the domain registrars are from China.
Monzo acknowledged this campaign and advised users not to click on any links outside the app. Also, the bank doesn’t send any notifications through SMS, but only through the app.
