An ongoing phishing campaign is targeting Monzo, one of the biggest digital banking platforms in the UK, with a network of compromised websites facilitating the attack.
According to reports, the campaign tries to steal the accounts of the bank's platform users by sending an SMS that impersonates a Monzo-generated text message. The message instructs the recipient to click the given link to re-activate a supposedly expired session and verify their account.
The link in the phishing message then redirects the recipient to a compromised site that shows a fake email login form that requests information about their Monzo account. The details requested by the phishing site include login credentials, phone numbers, names, and PINs.
If the target provides these credentials, the attackers will take over the targeted account. Fortunately, the banking platform has already released an advisory that warns its clients about the signs of fraud.
Threat actors can misuse the data stolen from Monzo users to control open accounts in many ways.
If the Monzo app is downloaded and installed on an attacker's device, the service sends a device verification link for the initial login to the user's email address. Since the threat actors have stolen the victim's email account, they can click on the sent link and verify their device. This verification will allow them to gain full access to the victim's bank account.
Furthermore, if 2FA protects the email account, the attackers can bypass it with added social engineering methods or by using OTP-stealing bots.
The threat actors also use the Cazanova Morphine tool to build the phoney Monzo pages used for phishing.
Researchers said that many domains spoof the digital banking platform, including monzo-online-support[.]com, monzo-check[.]com, and monzo-notice[.]com. These domains target users of the online payment service called Revolut.
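The spoofed domains above all embed the brand name in a host the bank does not own, which is something an SMS or mail filter can check. The following Python code is an added example, not taken from the original report or from Monzo; the allowlist of legitimate domains, the sample messages and the `.example` hosts are assumptions constructed for illustration.

```python
import re

BRAND = "monzo"
# Assumption: domains the bank itself operates; confirm against its published list.
LEGIT_DOMAINS = {"monzo.com", "monzo.me"}

# Optional scheme, dotted hostname (captured), optional path (consumed so that
# file names such as index.html in the path are not reported as hosts).
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

def refang(text):
    """Undo the defanging used in reports: [.] -> . and hxxp -> http."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def hosts_in(text):
    """Return every hostname found in a message, lower-cased."""
    return [m.group(1).lower() for m in HOST_RE.finditer(refang(text))]

def classify(host):
    """'legitimate', 'lookalike' (brand in a non-allowlisted host) or 'unrelated'."""
    # Match on the right-hand end of the name: monzo.com.evil.example must not
    # pass just because the string "monzo.com" appears somewhere in it.
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legitimate"
    return "lookalike" if BRAND in host else "unrelated"

def flag_sms(text):
    """Hosts in one SMS body that imitate the brand."""
    return [h for h in hosts_in(text) if classify(h) == "lookalike"]

# Constructed sample messages (not captured traffic).
SAMPLES = [
    "Monzo: your session has expired. Re-activate at https://monzo-check[.]com/verify",
    "Monzo alert: confirm your device at hxxps://monzo.com.session-renew.example/login",
    "Read our fraud guidance at https://monzo.com/help",
    "Parcel held at depot, rebook: https://parcel-rebook.example/t/123",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(flag_sms(sms) or "no lookalike host", "<-", sms)
```

The second sample shows why the comparison is made on the end of the hostname: a substring check for the real domain would accept it.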
Monzo users should stay vigilant regarding these phishing attempts. Experts said users should never forget that the bank's legitimate platform does not use SMS for updates or notifications, and that they should be cautious when receiving SMS messages from unknown sources.