Phishing Attack on Mobile Banking

There is no doubt that mobile banking has taken the world by storm. Another growth area is digital-only banks, especially in the UK. As of January 2022, over a quarter (27%) of British adults had opened an account with a digital-only bank, equating to around 14 million people. That has created a fresh pool of targets for phishing threat actors to build new fraud campaigns around. This blog explores a recent and ongoing campaign targeting mobile users of digital-only banks. 

Monzo is a popular digital-only bank in the UK. For years, users have been able to open an account without visiting a branch, just by walking through the steps in the mobile application. One of the key parts of creating a Monzo account is verifying your device: Monzo sends you a “golden link” which you use to log in for the first time (see Fig. 1). This is what the phishing threat actors are after.

Fig. 1 – Example “golden link” sent via Monzo to login to bank accounts

Fig. 2 – Example SMS phishing texts in replies to an alert sent out by Monzo on Twitter

I was recently sent an example of a Monzo phishing page to investigate. By walking through the steps I learned how the phishing page works. It first takes your email address, then collects your email account credentials, then asks for your Monzo PIN, followed by your name and phone number. These details are enough to compromise a user's email account (where the golden link arrives) and, through it, their Monzo account. Additional social engineering steps might be involved, but there are many one-time passcode (OTP) stealing bots and guides on tricking victims into handing access to the attacker.

Fig. 3 – Monzo bank phishing page

Research into the domain itself via URLscan.io uncovered 33 other identical sites, dating back to 11 November 2021 (see Fig. 4). All 34 domains were hosted on the same three CIDRs in Russian IP space, announced by NForce Entertainment (AS43350). Interestingly, the Monzo-themed domains also used two Guangdong-based registrars (Eranet and NiceNic). Perhaps by combining Russian IP addresses with Chinese registrars these phishers hope to obscure attribution, but the more likely explanation is that they want takedown requests to be as difficult as possible to submit; thwarting attribution is just an added bonus.

Fig. 4 – Number of Monzo Phishing pages created (cumulative)

Analysis of the phishing kits deployed on these sites revealed links to the Cazanova Morphine kit, detailed by the good people at WMC Global here. You don’t have to look too hard to find Cazanova’s fingerprints all over this kit (see Fig. 5).

Fig. 5 – Cazanova Morphine kit targeting Monzo bank customers

Digging further into the ASN on URLscan.io uncovered additional Revolut-themed phishing pages, again targeting customers of mobile digital-only banks (see Fig. 6). The domain registrar was again NiceNic, the same as for the Monzo phish, indicating that the same phisher is likely behind both campaigns.

Fig. 6 – Revolut-themed phishing page

Indicators of Compromise

  • monzo-card-alerts[.]com
  • monzo-support-online[.]com
  • monzo-check[.]com
  • monzo-card-support[.]com
  • monzo-review-account[.]com
  • monzo-cancel-online[.]com
  • monzo-support-review[.]com
  • monzo-cancel[.]com
  • monzo-cancel-card[.]com
  • alert-monzo[.]com
  • monzo-online-support[.]com
  • monzo-reviews[.]com
  • monzo-address-uk[.]com
  • monzo-alerts[.]com
  • monzo-card-review[.]com
  • monzo-cancellation[.]com
  • monzo-accounts[.]com
  • monzo-alert[.]com
  • monzo-account-review[.]com
  • monzo-card-cancellation[.]com
  • monzo-notice[.]com
  • monzo-cancel-order[.]com
  • monzo-review[.]com
  • monzo-replacements[.]com
  • monzo-replacement[.]com
  • monzo-order[.]com
  • monzo-plus[.]com
  • monzo-limited[.]com
  • monzo-dispatch[.]com
  • monzo-card-service[.]com
  • monzo-dispatched[.]com
  • monzo-card-cancel[.]com
  • monzo-order-replace[.]com
  • revolut-cancel-support[.]com
  • revolut-cancellation[.]com
  • revolut-cancel-online[.]com
  • login-revolut-resolve[.]com
  • 91.212.150.0/24
  • 93.157.62.0/24
  • 93.157.63.0/24
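As an added example (not code from the original post), the following Python script loads defanged indicators in the format used above, refangs them, and scans constructed DNS-style log lines for three things: exact IOC domain hits, resolutions into the three listed CIDRs, and hostnames that use "monzo" or "revolut" as a hyphenated label token under an apex that is not the bank's own, which catches new registrations in the same naming pattern before they reach an IOC list. The log format, the TEST-NET addresses in the sample, the short LEGIT_APEX allowlist and the two-label apex approximation are all assumptions made for the example; only a subset of the domains above is embedded, so extend IOC_TEXT with the full list.

```python
"""Match DNS/proxy log lines against the Monzo/Revolut phishing IOCs.

Added example, not code from the original post. The log format, the sample
addresses and the allowlist of legitimate apex domains are assumptions.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Defanged IOCs as they appear in the post (representative subset; extend
# with the full list).
IOC_TEXT = """
monzo-card-alerts[.]com
monzo-check[.]com
alert-monzo[.]com
revolut-cancel-support[.]com
login-revolut-resolve[.]com
91.212.150.0/24
93.157.62.0/24
93.157.63.0/24
"""

# Apex domains the lookalike check must never flag (assumption, deliberately
# short; a real deployment would use the banks' published domain lists).
LEGIT_APEX = {"monzo.com", "revolut.com"}
BRANDS = {"monzo", "revolut"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as monzo-check[.]com back into usable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def load_iocs(text: str):
    """Split defanged IOC text into a set of domains and a list of IP networks."""
    domains, networks = set(), []
    for line in text.splitlines():
        ioc = refang(line)
        if not ioc:
            continue
        try:
            networks.append(ipaddress.ip_network(ioc, strict=False))
        except ValueError:  # not an IP/CIDR, so treat it as a domain
            domains.add(ioc)
    return domains, networks


IOC_DOMAINS, IOC_NETWORKS = load_iocs(IOC_TEXT)


def apex(hostname: str) -> str:
    """Registrable apex, approximated as the last two labels (fine for the .com
    IOCs here; use a public-suffix library for TLDs such as .co.uk)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(hostname: str) -> Optional[str]:
    """Return 'ioc_domain', 'brand_lookalike' or None for a queried hostname."""
    host = hostname.lower().rstrip(".")
    a = apex(host)
    if host in IOC_DOMAINS or a in IOC_DOMAINS:
        return "ioc_domain"
    # Brand name used as a hyphen-delimited token of the apex's first label,
    # e.g. monzo-check.com or alert-monzo.com, but not demonzone.com.
    tokens = a.split(".")[0].split("-")
    if a not in LEGIT_APEX and any(tok in BRANDS for tok in tokens):
        return "brand_lookalike"
    return None


def classify_ip(address: str) -> Optional[str]:
    """Return 'ioc_network' if the resolved address sits in a listed CIDR."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None
    return "ioc_network" if any(ip in net for net in IOC_NETWORKS) else None


# Assumed log format: <timestamp> <client> <queried name> <resolved address>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<answer>\S+)$")

# Constructed sample; client and answer addresses are documentation/TEST-NET
# ranges except where an address is meant to fall inside a listed CIDR.
SAMPLE_LOG = """
2022-01-20T10:01:02Z 10.0.0.5 app.monzo.com 198.51.100.10
2022-01-20T10:01:09Z 10.0.0.7 monzo-check.com 93.157.62.40
2022-01-20T10:02:11Z 10.0.0.9 monzo-support-online.com 198.51.100.11
2022-01-20T10:03:30Z 10.0.0.5 cdn.example.net 91.212.150.17
2022-01-20T10:04:00Z 10.0.0.8 example.com 198.51.100.12
"""


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Return (queried name, verdict) for every log line that matches an IOC."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        verdict = classify_host(m["qname"]) or classify_ip(m["answer"])
        if verdict:
            hits.append((m["qname"], verdict))
    return hits


if __name__ == "__main__":
    for qname, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:16} {qname}")
```

The domain check is applied before the network check so that a listed domain is reported as such even when it resolves into a listed CIDR; a hit on the network alone (cdn.example.net above) is weaker evidence and worth triaging separately, since the ranges are a hosting provider's and will carry unrelated sites too.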