Users of Monzo, one of the UK’s most popular digital-only banking platforms, are being targeted with phishing messages supported by a growing network of malicious websites.
Monzo is a 100% online banking platform with over four million customers and among the first to challenge the traditional financial management system.
The mobile-only platform offers a feature-rich app, Mastercard debit cards, and a comprehensive but not entirely flawless fraud detection system.
According to a report by security researcher William Thomas, an ongoing phishing campaign is targeting Monzo users and attempting to steal their accounts.
The banking platform has also posted on Twitter to warn customers about signs of fraud and what not to do when receiving a message that looks suspicious.
FRAUD ALERT: Phishing Scams
Is this text from your bank, in fact from your bank?
We will never text you a link to verify your account, or ask you to log into a website to confirm your account details.
Here are the red flags of a phishing scam…
—Monzo (@monzo) February 16, 2022
The Phishing Process
In a new report, Thomas explains that the phishing process begins with the arrival of a text message indicating Monzo as the sender’s name, asking the recipient to press the provided link to reactivate their session or verify their account.
Users are redirected to a phishing site that displays a fake email login form and then asks for their Monzo account information, including full name, phone number, and Monzo PIN.
Provided these details are provided, threat actors now have everything they need to begin taking control of victims’ Monzo accounts.
When installing the Monzo app on a new device, such as the threat actor’s smartphone, the service sends a device verification link for the first login to the threat actor’s email address. ‘user.
As threat actors now have access to victims’ email accounts, they can click on this “golden link” and verify their device, giving full access to the Monzo account.
The seriousness of accessing this link is illustrated in emails sent by Monzo, which warn that the link should never be shared with others.
If the email account is 2FA-protected, Thomas thinks adversaries can likely overcome it with additional social engineering steps or by using OTP theft bots.
Setting up phishing sites
Thomas says threat actors are using the Cazanova Morphine Kit to create the Monzo phishing landing page, with some example domains listed below:
- monzo reviews[.]com
- monzo check[.]com
- monzo card support[.]com
In addition to the above, the researcher also noticed four domains on the same ASN, which targeted users of Revolut, a popular online payment service.
“Searching the domain itself via URLscan.io uncovered 33 other identical sites, dating back to November 11, 2021,” Thomas details in his blog post.
“All 34 domains were hosted on the same three CIDRs in the Russian IP space with NForce Entertainment (AS43350). Interestingly, the Monzo-themed domains also used two Guangdong-based registrars (Eranet and NiceNic) .”
Mixing Chinese registrars and Russian IP addresses makes assignment difficult and complicates takedown actions, prolonging the availability of phishing sites.
Don’t press any links
When Monzo wants to notify users about anything, it uses in-app notifications or the account portal on the official website.
Monzo does not use SMS to send notifications, and the platform would never prompt users to follow links outside of the app.
If you clicked on these links and provided actor login information, immediately reset your account passwords and enable MFA on your email and Monzo accounts.