Monzo customers in the UK are being targeted by an SMS-based phishing campaign aimed at stealing their bank accounts.
Using a set of Monzo-themed websites, the threat actors send customers SMS messages containing malicious links. The campaign is designed to compromise the email account linked to the bank and, ultimately, the bank account itself, even if it's protected by 2FA.
Phishing Campaign Targeting Monzo Customers
Monzo is a UK-based digital bank launched in 2015, offering full online banking through its feature-rich app and virtual debit cards processed by MasterCard. With a base of over four million customers, Monzo's digital user base is an expected target for threat actors.
And it's happening, as spotted by William Thomas, a security researcher. According to him, an SMS-based phishing campaign aimed at stealing Monzo bank accounts is in the wild. It starts with an SMS purporting to come from Monzo, asking the recipient to click a link to verify an account or reactivate the current one.
FRAUD ALERT: PHISHING SCAMS
Is that text from your bank, actually from your bank?
We'd never send you a link to verify your account via text, or ask you to log in to a website to confirm any account details.
Here are the red flags of a phishing scam…
THREAD pic.twitter.com/e71TscTLMw
— Monzo (@monzo) February 16, 2022
If an unsuspecting customer taps the link, they are redirected to a phishing page that resembles Monzo's login page and asks for credentials to log in. These include the email ID, password, and PIN for the Monzo account. The threat actor can save them to steal funds later.
Some of the phishing pages noted in this campaign are:
- monzo-notice[.]com
- monzo-online-support[.]com
- monzo-check[.]com
- monzo-card-support[.]com
- monzo-replacement[.]com
- alert-monzo[.]com
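The domains above all combine the brand name with a support or alert keyword, which makes them easy to screen for in reported SMS text. The following is an added example, not code from the researcher or from Monzo: it pulls hostnames out of message bodies (plain or defanged) and labels them against an allowlist. The official domains `monzo.com` and `monzo.me`, the function names, and the sample messages are assumptions made for illustration.

```python
import re

# Assumption: the bank's genuine domains. Replace with your own allowlist.
OFFICIAL_DOMAINS = {"monzo.com", "monzo.me"}
BRAND = "monzo"

# Hostnames in free text, with or without a scheme, plain or defanged ("[.]").
HOST_RE = re.compile(
    r"(?:h(?:tt|xx)ps?://)?((?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,})", re.I)

def extract_hosts(text):
    """Return lower-cased hostnames found in text, refanging '[.]' to '.'."""
    return [m.group(1).replace("[.]", ".").lower()
            for m in HOST_RE.finditer(text)]

def classify(host):
    """Label a hostname 'official', 'brand-lookalike' or 'other'."""
    # Match on a label boundary so 'notmonzo.com' is not treated as official.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # The brand appearing anywhere in a non-official host is the lure pattern
    # seen in the list above (monzo-check, alert-monzo, ...). It also catches
    # the brand used as a subdomain of an unrelated domain.
    if BRAND in host:
        return "brand-lookalike"
    return "other"

def triage_sms(text):
    """Return (host, label) for every link-like hostname in an SMS body."""
    return [(h, classify(h)) for h in extract_hosts(text)]

# Constructed sample messages; the first two reuse domains from the list above.
SAMPLES = [
    "Monzo: your account is on hold. Verify at https://monzo-check[.]com/login",
    "MONZO ALERT: reactivate your card now: alert-monzo.com",
    "Security notice: sign in at hxxp://monzo.com.verify-session.example/",
    "Your parcel is waiting: https://tracking.example.org/p/1",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms), "<-", sms)
```

Substring matching on the brand name will not catch misspelled variants, so it complements rather than replaces user reporting.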
The researcher also said that even a 2FA security layer can't help, as the threat actors may employ OTP-stealing bots to capture those codes too. After analysis, the researcher said that finding the threat actor could be hard, as the IP addresses of the websites are based in Russia, but the domain registrars are from China.
Monzo acknowledged the campaign and advised users not to click on any links outside the app. The bank also doesn't send any notifications through SMS, only through the app.