Monzo’s Phishing Attack – You Click, They Smish

Phishing attacks are on the rise, and victims keep falling for them because the lures are backed by malicious websites that look entirely legitimate. A while ago, the Lazarus Group impersonated none other than Lockheed Martin. Now, another phishing campaign is targeting millions of users in the UK through fake Monzo notification messages.

Monzo Phishing Attack

Monzo is probably the UK’s most popular digital-only banking platform. It has over 4 million users, which gives a sense of the potential reach of such an attack.

The service is only available on mobile, and it is seriously rivaling traditional banks. The app is useful and well-designed, but apparently its fraud-detection system isn’t. Why is that? Find out everything about this Monzo phishing scam below.

The Monzo Phishing Attack – One Click, Instant Infiltration

Monzo has everything a user needs in terms of features. However, since the app is purely a banking service, it is a very attractive target for threat actors.

As with other smishing campaigns, the process begins with the victim receiving an SMS text that shows “Monzo” as the sender’s name.

Within the message, they are prompted to click a link for one of several pretexts: the session has expired, the credentials need updating, or some kind of verification is required.

The images below show examples of what this phishing campaign is sending to victims:

[Image: Smishing Campaign Monzo]

As you can see, the attackers have no shortage of smishing messages to send. They can bombard Monzo’s 4 million-plus customers with ease.

Each message carries a link, and when a victim clicks it, they are redirected to a malicious website that imitates Monzo’s. Once there, the fake login page asks for several kinds of data.

It displays a fake login form that prompts users to submit information related to their Monzo account, including their full name, phone number, and Monzo PIN.
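The lure pattern described above (a message naming the brand, urgency wording, and a link to a domain that is not the brand’s) is something a defender can screen for automatically. The following is an added example written for this article, not code from Monzo or the researcher it cites. The sample messages are constructed for illustration, the `OFFICIAL_DOMAINS` list is an assumption (only `monzo.com` is taken from the real brand; no other domain is implied), and the rule that the brand never sends SMS at all comes from Monzo’s own statement quoted later in the article.

```python
"""Heuristic screen for brand-impersonating SMS lures (added example).

Each message is scored on three signals the article describes:
  1. a link whose host is not one of the brand's official domains,
  2. urgency wording (expired session, verification, credential update),
  3. the brand stating it never sends text messages with links at all.
"""
import re
from urllib.parse import urlparse

BRAND = "monzo"
# Assumption: the brand's genuine web domains; subdomains of these count as official.
OFFICIAL_DOMAINS = {"monzo.com"}
# Per the article, Monzo says it does not send text messages, so any SMS
# naming the brand is itself a signal. Set False for a brand that does use SMS.
BRAND_NEVER_SENDS_SMS = True

# Pretexts listed in the article plus a few common variants.
URGENCY_TERMS = ("expired", "verify", "verification", "update", "suspended", "confirm")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def link_host(url):
    """Lower-cased host of a URL with any leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_official(host):
    """True if host is an official domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def score_message(sender, body):
    """Return (verdict, reasons) for one SMS; verdict is 'ok' or 'suspicious'."""
    reasons = []
    text = body.lower()
    mentions_brand = BRAND in sender.lower() or BRAND in text
    if not mentions_brand:
        return "ok", reasons  # not impersonating this brand; out of scope here

    urls = URL_RE.findall(body)
    for url in urls:
        host = link_host(url)
        if not is_official(host):
            reasons.append(f"link host {host!r} is not an official {BRAND} domain")
    if any(term in text for term in URGENCY_TERMS):
        reasons.append("urgency wording typical of credential lures")
    if BRAND_NEVER_SENDS_SMS and urls:
        reasons.append("brand states it never sends SMS containing links")

    return ("suspicious" if reasons else "ok"), reasons


# Constructed sample messages, not real captures.
SAMPLE_MESSAGES = [
    ("Monzo", "Your Monzo session has expired. Verify at https://monzo-secure-login.example/verify"),
    ("+447700900123", "Lunch at 1?"),
    ("Alerts", "Monzo: confirm your details https://www.monzo.com.account-check.example/x"),
]

if __name__ == "__main__":
    for sender, body in SAMPLE_MESSAGES:
        verdict, reasons = score_message(sender, body)
        print(f"[{verdict}] {sender}: {body}")
        for reason in reasons:
            print("   -", reason)
```

The third sample shows why the check compares the whole host rather than looking for the brand name anywhere in the URL: `monzo.com.account-check.example` contains `monzo.com` but is not a subdomain of it, so `is_official` correctly rejects it.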

[Image: Phishing Page]

If the user submits the information, the malicious “magic” happens in the background, and the attackers end up with full access to the victim’s account.

Anyone can install the Monzo app from their platform’s app store. When the attackers log in from their own phone, the app asks them to verify the login through a verification link sent to the account holder’s email address.

Since they already have full access to that inbox, verifying their device is easy. Enabling 2FA might save some victims, but in some cases it is rendered useless.

According to security researcher William Thomas, the attackers can bypass 2FA with additional social engineering steps or by employing OTP stealing bots.

Monzo Addresses the Situation

Thomas states that the threat actors are using the Cazanova Morphine kit to build the Monzo phishing landing page. He adds that the attackers combine Chinese domain registrars with Russian IP addresses.

This makes attribution hard and complicates takedowns, so the phishing sites stay online longer and reach more and more users.

Monzo didn’t just sit around and watch its customers fall victim to such attacks. It took to Twitter to address the issue.

Whenever Monzo emails its customers, it clearly warns them never to share the link with anyone. The tweet also states that Monzo doesn’t send text messages at all, so any SMS claiming to be from Monzo is a clear indication of fraud.

Monzo Phishing Attack – You’ve Been Smished

Smishing attacks are the worst, and we always advise our readers not to click any link they receive via SMS. Instead, visit the official website by typing the address yourself.

A couple of extra minutes can save you: don’t follow links. Monzo clearly states that if it needs to inform you about anything, it will do so through in-app notifications or the account portal on the official website.

Any other channel means threat actors are targeting you. If you are one of those who clicked the links, you are strongly advised to reset everything related to your account. Stay safe.
