Cyble – SVB Collapse Triggers Heightened Cybersecurity Concerns

Key points

  • CRIL detected multiple suspicious domains emerging after SVB’s collapse, indicating attacker activity tied to the event.
  • Crypto phishing schemes impersonate legitimate entities (e.g., Circle) and SVB-related services to lure victims with fake USDC rewards.
  • Phishing sites instruct users to scan a QR code to claim the promised USDC; scanning it can compromise the victim’s crypto wallet.
  • Examples of phishing domains include svb-usdc[.]com, svb-usdc[.]net, circle-reserves[.]com, redeemed-circle[.]com, circleusdcoin[.]com, circle-mintusdc[.]com, and svb-circle[.]com among others.
  • Anonymous investment groups reportedly approached affected organizations with funding offers, potentially gathering contact details to sell to third-party lenders or charge exorbitant interest.
  • Recommended defenses emphasize standard cybersecurity best practices: avoid unknown downloads, verify links, educate employees, monitor network beacons, and enable DLP.

MITRE Techniques

  • [T1566] Phishing – Crypto phishing sites lure victims with bogus USDC rewards and prompt wallet interaction via a QR code; “The victim is instructed to scan this QR code using any cryptocurrency wallet, such as Trust, Metamask, or Exodus. However, scanning the code will result in the compromise of the user’s wallet account.”

Indicators of Compromise

  • [Domain] Phishing domains – svbcollapse[.]com, svbclaim[.]com, svbdebt[.]com, svbclaims[.]net, login-svb[.]com, svbbailout[.]com, svb-usdc[.]com, svb-usdc[.]net, svbi[.]io, banksvb[.]com, svbank[.]com, svblogin[.]com, redeemed-circle[.]com, circle-reserves[.]com, circleusdcoin[.]com, circle-mintusdc[.]com, svb-circle[.]com, circle.web3claimer[.]net, usd-circle[.]com
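
One way to put the domain indicators above to work is to refang them and match them against DNS query logs on label boundaries, so subdomains of a listed domain are caught and lookalike strings are not. This is an added example, not code from Cyble or from the original page; the log line format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Defanged indicators copied from the list above (a subset, for brevity).
DEFANGED_IOCS = """
svb-usdc[.]com, svb-usdc[.]net, login-svb[.]com, svbank[.]com,
circle-reserves[.]com, redeemed-circle[.]com, circle.web3claimer[.]net
"""

def refang(text):
    """Turn 'svb-usdc[.]com, ...' into a set of lowercase domains."""
    items = re.split(r"[,\s]+", text.replace("[.]", "."))
    return {d.strip(".").lower() for d in items if d.strip(".")}

def match_ioc(hostname, iocs):
    """Return the indicator that hostname equals or is a subdomain of, else None.

    Matching walks label boundaries, so 'notsvbank.com' does not match 'svbank.com'.
    """
    labels = hostname.strip().rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

def scan_dns_log(lines, iocs):
    """Return (client, queried name, indicator) for each matching log line.

    Assumed line format (constructed): '<timestamp> <client-ip> <qname> <qtype>'.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines rather than failing the scan
        ioc = match_ioc(fields[2], iocs)
        if ioc:
            hits.append((fields[1], fields[2], ioc))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2023-03-14T09:01:02Z 10.0.0.5 www.circle.com. A",
    "2023-03-14T09:01:07Z 10.0.0.8 Claim.SVB-USDC.com. A",
    "2023-03-14T09:02:11Z 10.0.0.9 notsvbank.com A",
    "2023-03-14T09:03:30Z 10.0.0.5 circle.web3claimer.net AAAA",
    "garbled",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG, refang(DEFANGED_IOCS)):
        print(hit)
```

Because matching is exact on the listed names and their subdomains, a sibling host under web3claimer[.]net other than circle.web3claimer[.]net would not be flagged by this list.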

Read more: https://blog.cyble.com/2023/03/14/svb-collapse-triggers-heightened-cybersecurity-concerns/