Silicon Valley Bank: threat actors exploiting collapse to launch cyber attacks

The collapse of any substantial bank can have devastating consequences for its customers and the wider financial system as it presents a lucrative opportunity for cyber criminals to exploit the chaos and confusion amongst staff and customers for their own gain.

Cyber criminals try to take advantage of the panic to launch phishing attacks, social engineering attacks, and malware attacks to steal sensitive information and commit fraud. It is crucial for banks and financial institutions to educate their employees and customers about these risks and take necessary measures to prevent such attacks.

In this article, we will explore how cyber criminals use bank collapses, like the recent Silicon Valley Bank bust, to steal money and data and whether it will wake up security leaders in the financial sector?

Why have we seen a rise in cyber attacks on banks?

The banking industry is a lucrative target for cyber criminals because of the wealth of valuable information and money held by financial institutions. In recent years, however, the number and sophistication of attacks has increased dramatically. Why?

According to a report by the Federal Reserve Bank of New York, there was a 159% increase in attempted cyber attacks on financial institutions between 2015 and 2019. The reasons behind a rise in cyber attacks against financial institutions can be attributed to a couple of things.

Firstly, the financial industry has become increasingly digitised, which expands the attack surface, multiplying the many avenues, devices, and cyber attacks a threat actor could utilise. Secondly, the number of cyber criminals with the skills and resources to carry out attacks has significantly increased due to off-the-shelf cyber crime products and even things like AI (Artificial Intelligence) language models making it easier to run phishing and ransomware attacks.

Furthermore, banks have also been slow to invest in cyber security, with many institutions relying on outdated systems and processes that are easy for attackers to exploit.

Bank collapse is the perfect storm for cyber criminals

When a bank collapses, it creates a perfect storm of vulnerability for cyber criminals. Customers are likely to be confused and anxious about the situation and can be more susceptible to phishing attacks and other scams that prey on anxiety and worry.

The bank's systems may also be disrupted or unavailable, making it harder for customers to detect fraudulent activity or fall for dodgy links in convincing emails and SMS texts.

In addition, banks that are in financial difficulty may be more likely to cut corners on cybersecurity to save costs, especially if they are fully focused on survival to the detriment of their present cyber security.

A brief history of cyber criminals taking advantage of financial collapse

While there have been several cyber attacks that have targeted banks or financial institutions, we will be focusing on occasions where cyber criminals have taken advantage of people during times when a bank has collapsed or faced financial difficulties.

1. Cyprus Bank Crisis (2013)

In March 2013, the country of Cyprus faced a severe banking crisis because of the Greek financial crisis in mainland Europe. As part of a bailout deal, the largest bank in Cyprus, the Bank of Cyprus, had to impose a one-time levy on uninsured deposits. This decision led to massive panic and uncertainty among depositors. Cyber criminals took advantage of this by launching several phishing attacks, social engineering attacks, and malware attacks targeting the bank's customers. According to a report by Kaspersky, there was a 30% increase in phishing attacks targeting Bank of Cyprus customers during this period. This included fraudulent text messages purporting to be from the Bank of Cyprus and emails from threat actors posing as the bank’s representatives. The bank's customers also reported several cases of fraudulent SMS messages and emails from cybercriminals posing as Bank of Cyprus representatives.

2. Central Bank of Bangladesh (2016)

One high-profile example of a cyber attack on a bank that was in the process of being wound down is the 2016 hack of the Central Bank of Bangladesh. Hackers stole $81 million from the bank's account at the Federal Reserve Bank of New York. Using phishing emails on employees, they infected the target network with malware and gained employee access to SWIFT (Society for Worldwide Interbank Financial Telecommunication). Through SWIFT, they sent more than 36 fraudulent transfer request messages to the Federal Reserve Bank of New York.

3. Banco Popular Spain (2017)

In June 2017, the European Central Bank (ECB) stated Banco Popular, the sixth-largest bank in Spain, was deteriorating in financial health. Following the announcement, several cyber criminals launched phishing attacks targeting the bank's customers, posing as the bank's representatives, and asking them to provide their login credentials or other sensitive information. According to a report by Kaspersky, there was a 50% increase in phishing attacks targeting Banco Popular customers during this period. The bank's customers also reported several cases of fraudulent phone calls and emails from cybercriminals posing as Banco Popular representatives.

4. Punjab and Maharashtra Co-operative Bank (PMC Bank) India (2019)

In September 2019, PMC Bank, collapsed due to massive fraud committed by its senior management. As a result, the bank's customers were unable to access their savings, and cyber criminals took advantage of this by launching several phishing attacks and vishing attacks (voice phishing) targeting the bank's customers. According to several reports by the Economic Times, there was a 75% increase in vishing attacks targeting PMC Bank customers during this period. The bank's customers also reported several cases of fraudulent SMS messages and emails from cybercriminals posing as PMC Bank representatives.

5. Wirecard AG Germany (2020)

In June 2020, Wirecard AG, a German payment processing company, filed for insolvency after inflating its assets and revenue for years. After the announcement, cyber criminals launched several phishing attacks targeting the company's customers and employees, posing as the company's representatives, and asking them to provide their login credentials or other sensitive information.

The failure of Silicon Valley Bank (SVB)

On March 10th, 2023, Silicon Valley Bank, the preferred banking partner for many global businesses and start-ups, collapsed because of a bank run on its deposits. According to The Information, SVB holds capital for over 1,000 firms in the venture capital and crypto investment space.

The bank’s failure was the second biggest in American history and the largest bank failure since the financial crisis of 2008. And, at the time of its collapse, SVB was the 16th largest bank in the United States. Naturally, this has invited many opportunistic threat actors looking to take advantage of the collapse. But how are they doing this?

1. Suspicious websites

According to Cyble Research and Intelligence Labs (CRIL), cited here in Cyber Security News, we have seen multiple suspicious websites surface, with obvious intentions to trick users into accessing a malicious website. Suspicious domains that we have seen include: svbcollapse[.]com, svbclaim[.]com, svbbailout[.]com, svblogin[.]com, and so many more!

ReliaQuest noted that, between March 6th and 12th 2023, a total of 95 new domains “likely impersonating SVB, none of which are registered to registrars previously used by SVB” had popped up. ReliaQuest also made clear that this is 11 times the average of spoof domains!

Using these legitimate-looking domains, scammers have been contacting both former/current SVB employees as well as customers anxious about the state of their finances. In most cases, the threat actor would offer a support package, loans, or even legal services to combat the ramifications of SVB’s collapse on the target.

2. Fake cryptocurrency exchange

A cunning new way threat actors are exploiting financial collapse is through a scam cryptocurrency exchange. A large part of SVB bank’s payback program, following the collapse, is paying out users in US dollars. Circle, a dollar to crypto exchange, announced that whilst SVB still possessed capital, it would resume its dollar to crypto exchange.

Unfortunately, threat actors saw this as an opportunity to prey on customers as many phishing websites posing as Circle were discovered. Using these websites, threat actors offered lenders a return of 65% to 85% if they exchanged their SVB accounts with them. Before it was too late, users would have their accounts and crypto wallets plundered.

3. Mimicking SVB competitors

After a bank or financial institution collapses, a common method threat actors use to attract unsuspecting targets is to impersonate competitors. In this instance, cyber criminals are pretending to be SVB competitors as they try to trick former SVB clients into transferring their finances and assets to another bank – all the while, unwittingly transferring assets to a threat actor director.

Ashley Allocca, Intelligence Analyst at Flashpoint, told Enterprise Management 360 that they have detected “domains mimicking Revolut, a British-Lithuanian financial services company.” The aim of these domains is to trick customers into exposing their banking details.

4. Business email compromise and thread hijacking

Whilst threat actors are using traditional phishing methods to compromise SVB business emails to then trick customers, we are also seeing instances of email threat hijacking. According to Esentire, threat actors are inserting themselves and malware into legitimate email threats by infecting the mailbox of a compromised host. By hijacking a legitimate email thread with malware, the threat actor is much less likely to arouse suspicion and the malware is less likely to be spotted.

5. Lack of two-factor authentication (2FA)

According to SilentPush, SVB did not and still does not enforce 2FA security measures! This means that both SVB and any account holders are instantly more vulnerable to fraud and breaches. The lack of 2FA means that if a threat actor obtains login/access details they do not have to worry about any additional security hurdles in their way. Whilst this is not a direct cyber attack from threat actors, the lack of 2FA makes it easier for cyber criminals.

How banks and customers can protect themselves

The rise of cyber attacks after SVB’s collapse highlights the urgent need for the financial sector to prioritise cyber security training and awareness programmes.

According to the Global Risks Report, 95% of all cybersecurity issues can be traced to human error! So, the best security technology in the world is at the whim of the employees using it.

Yes, banks must invest in robust, up-to-date systems and processes that can detect and respond to threats in real time … but you must support and supplement this with a strong and secure employee culture otherwise you will fall to phishing, ransomware, and social engineering attacks.

This includes regular security audits and employee refreshers, role-based eLearning, communications on emerging threats and, importantly, heavy repeated focus on common cyber threats such as phishing, ransomware, and malware.

If you would like more information about how The Security Company can help your financial organisation to deliver data protection and privacy training ... or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact  Jenny Mandley.