Phishing messages supported by a growing network of rogue websites are targeting users of Monzo, the UK's popular digital-only banking service. With over four million members, Monzo is a 100% online banking platform that was one of the first to disrupt the traditional financial management structure.
The mobile-only platform includes a feature-rich app, debit Mastercards, and a robust but not perfect fraud-detection system. According to security researcher William Thomas, a phishing campaign aimed at Monzo customers is underway to steal their accounts. The banking platform has also used Twitter to advise users about the warning signs of fraud and what not to do if they receive a questionable message.
Thomas explains in a recent report that the phishing process starts with the recipient receiving an SMS text message with Monzo as the sender's name, asking them to tap the supplied link to renew their session or verify their account. Users are sent to a phishing site that shows a fake email login form before requesting details about their Monzo account, including their full name, phone number, and Monzo PIN.
Once this information is revealed, the threat actors have everything they need to take over their victims' Monzo accounts. When the Monzo app is installed on a new device, such as the threat actor's smartphone, the service sends a device verification link to the user's email address for the initial login.
Because the threat actors now also have access to the victims' email accounts, they can use this "golden link" to validate their device, gaining complete access to the Monzo account. Monzo's own emails underline the importance of this URL by advising that the link should never be shared with anyone. If the email account is protected by 2FA, Thomas believes the adversary could likely circumvent it using additional social engineering techniques or OTP-stealing bots.
According to Thomas, the threat actors are using the Cazanova Morphine phishing kit to build the Monzo phishing landing page, which includes the following domains:
Aside from these, the researcher discovered four domains on the same ASN targeting customers of Revolut, a well-known online payment provider.
The use of Chinese registrars and Russian IP addresses makes attribution difficult and complicates takedown procedures, allowing the phishing sites to stay up longer. Monzo uses in-app notifications or the account portal on its official website to notify customers about anything concerning their account.
It does not send alerts via SMS, and the platform will never encourage users to click links outside the app. If you clicked on one of these links and gave the actors any login information, change your passwords immediately and enable MFA on both your email and Monzo accounts.
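The lure described above (an SMS that names Monzo as the sender, contains a link on a non-Monzo domain, and pushes the recipient to "renew" or "verify") can be scored mechanically, which is useful for an SMS-gateway filter or an abuse-reporting triage queue. The following is an added example written for this article, not code from Monzo or from Thomas's report. It assumes that monzo.com is the bank's genuine registrable domain and that, as the article states, the bank never sends links by SMS; the sample messages are constructed, not real lures from the campaign.

```python
import re
from urllib.parse import urlparse

# Brand being impersonated and its genuine registrable domain.
# Assumption for this example: the bank's real domain is monzo.com.
BRAND = "monzo"
LEGIT_DOMAINS = {"monzo.com"}

# Lure vocabulary from the campaign ("renew your session", "verify your
# account") plus a few generic pressure words.
URGENCY_TERMS = ("verify", "renew", "session", "suspend", "confirm", "locked", "expire")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body):
    """Return every http(s) URL found in an SMS body."""
    return URL_RE.findall(body)


def registrable_domain(url):
    """Naive eTLD+1: the last two labels of the host. Good enough for this
    demo; a real deployment would consult the public suffix list."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_sms(sender, body):
    """Score one inbound SMS for brand-impersonation (smishing) indicators.

    Returns a dict with the numeric score, the reasons that fired, and a
    verdict of 'phish' (score >= 4) or 'ok'.
    """
    score = 0
    reasons = []
    text = body.lower()

    # Alphanumeric sender IDs are trivially spoofable, so a sender that
    # carries the brand name is evidence, not proof, of legitimacy.
    if BRAND in sender.lower():
        score += 2
        reasons.append("sender name carries the brand")

    urls = extract_urls(body)
    if urls:
        # Per the article, the bank does not send links by SMS at all, so a
        # link in a "Monzo" text is suspicious regardless of where it points.
        score += 2
        reasons.append("SMS contains a link")
        for url in urls:
            dom = registrable_domain(url)
            if dom not in LEGIT_DOMAINS:
                score += 3
                reasons.append(f"link domain {dom} is not the genuine brand domain")
                if BRAND in dom:
                    reasons.append(f"lookalike domain {dom}")

    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        score += 1
        reasons.append("urgency wording: " + ", ".join(hits))

    return {"score": score, "reasons": reasons, "verdict": "phish" if score >= 4 else "ok"}


if __name__ == "__main__":
    # Constructed samples for demonstration; not messages from the real campaign.
    samples = [
        ("Monzo", "Monzo: your session has expired. Renew it now at "
                  "https://monzo-secure-login.example/verify"),
        ("+447700900123", "Hi, are we still on for lunch tomorrow?"),
    ]
    for sender, body in samples:
        result = assess_sms(sender, body)
        print(f"{result['verdict']:5} score={result['score']} sender={sender!r}")
        for reason in result["reasons"]:
            print("   -", reason)
```

Note that a message from a sender called "Monzo" that links to monzo.com still scores 4 and is flagged: that is deliberate, because the article's defensive point is that the bank never sends links by SMS, so the link itself, not just its destination, is the indicator.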