Ramp Security Advisory: Ongoing Phishing Campaign Targeting Ramp Customers

Trust Center

Start your security review
View & download sensitive information
Search items
ControlK

Ramp exists to save you time and to save you money. We understand the importance of the trust you place in us by sharing your data. Upholding and nurturing that trust is ingrained in our company culture, guiding our internal operations and product development.

Ramp has garnered trust from customers operating in tightly regulated industries, including defense, financial services, and medical manufacturing. Our team is committed to safeguarding your data against potential threats, and we’re excited to provide insight into our approach on this page.

Accessing the documentation on our trust center: Please request access via the banner above. You will be sent an invite via email, and will be prompted to sign an NDA once in the portal. Once the NDA is signed, you will have access to view and download the resources in our Trust Center.

Documents

Featured Documents

REPORTSSOC 2 Type 2 Report
Knowledge Base (FAQ)
    How does Ramp use AI?
    What are the locations of your primary and backup data centers or cloud service provider geographic regions?
    Does your application provide an API? Provide a link to documentation, if applicable.
    Cyber breach insurance coverage is in place for business interruptions and/or general services interruptions, or any cybersecurity-related losses.
    How can a user submit a Data Subject Rights access request?
View more
Trust Center Updates

Ramp Security Advisory: Ongoing Phishing Campaign Targeting Ramp Customers

General
Copy link

A new list of phishing domains have been identified and are being remediated.

  • app[.]mob-ramp[.]com
  • mob-ramp[.]com
  • app[.]r-ramp[.]top
  • r-ramp[.]com
  • whitelink[.]business

IP address related to hosted phishing site:

  • 207[.]32[.]217[.]14

Links related to the redirect chain:

  • my[.]link-me[.]su
  • u21060774[.]ct[.]sendgrid[.]net (found in body of phishing email)
Published at N/A

A new campaign has been identified details are below:

  • Subject: 🔒 Important: New Security Enhancement for Your Account
  • Sender: info@frontlinetradinginc[.]com
  • Links in the phishing email: shor[.]tf/saferamp

Known redirect chain:

  • shor[.]tf/saferamp
  • my[.]safe-link[.]su
  • app[.]ramp[.]info

Businesses are advised to identify these emails in user inboxes and remove as soon as possible. Mitigating actions of the identified domains are in progress.

Published at N/A

New hosts/domains have been identified and are in the process of being mitigated.

  • protect-ramp[.]com
  • 87[.]120[.]116[.]47
Published at N/A

New phishing domains identified:

  • app[.]upt-ramp[.]com
  • se-ramp[.]com
  • app[.]safe-ramp[.]com

Businesses are advised to blocked the above domains.

Published at N/A

A new campaign was launched today. Details that deviate from the original campaign are below.

Subject line: "🔒 Important: New Security Enhancement for Your Account" Links: bit[.]ly/sec-ram

Published at N/A

Summary

We are sending this security advisory to inform you of an ongoing phishing campaign targeting Ramp customers. This campaign seeks to trick users into providing their Ramp credentials and MFA code by sending an email pretending to request acceptance of a new Terms of Service and Privacy Policy, with a link to a Ramp sign-in phishing page. Ramp businesses with password authentication enabled for users are most vulnerable to this phishing campaign.


About the email

  • Subject line: “🔄 December Updates: Important Ramp Changes & Next Steps”
  • Links: Two different bit.ly links have been observed in samples of the email that have been shared with Ramp: bit[.]ly/rampcompany, bit[.]ly/ramptos
  • Sender: Display name being used is “The Ramp Team”. Known Sender emails: admin[at]digitiz[.]io, comercial[at]edolmed[.]com[.]br

Update 12/09/24

  • Subject line: "🔒 Important: New Security Enhancement for Your Account"
  • Links: bit[.]ly/sec-ram

Indicators of Compromise

Phishing Domains: Ramp uses a phishing detection and mitigation vendor to identify and takedown domains used in phishing campaigns targeting Ramp users. Below are the domains that have been identified.

  • acc-ramp[.]com
  • terms-ramp[.]com
  • app[.]terms-ramp[.]com
  • app[.]tos-ramp[.]com
  • app[.]security-ramp[.]com
  • app[.]ramp[.]company
  • seteclnc[.]com
  • sec-ramp[.]com
  • app[.]us-ramp[.]com
  • app[.]update-ramp[.]com
  • 93[.]123[.]39[.]38
  • p-ramp[.]com

What you can do

  • Use the information provided above to update email security rulesets to detect and mitigate the risk of Ramp account compromise.
  • If applicable, check proxy, VPN, or web traffic logs for evidence of users visiting the listed phishing domains.
  • If you believe you or a user at your business has been compromised, review transactions for suspicious transactions and file a dispute if necessary.
  • Review invited users on Ramp for unknown users.

We are committed to ensuring the security of our customers and partners. If you have any questions or need further assistance, please reach out to us at security@ramp.com. If you believe fraudulent transactions have occurred, please follow Ramp’s dispute process. We will provided updates to this advisory as they become available.

Published at N/A*

ASAPP Subprocessor Update

Subprocessors
Copy link

As we continue to build and improve our platform, Ramp will be leveraging ASAPP to enhance customer support functions.

This serves as notification that ASAPP will be added as a new Ramp subprocessor.

Name: ASAPP

Location: United States

Website: https://www.asapp.com/

Purpose: Leveraged in providing AI powered features during the customer support process.

DPA Signed: Yes

This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.

Published at N/A

Groq Subprocessor Update

Subprocessors
Copy link

As we continue to build and improve our platform, Ramp will be leveraging Groq to build AI powered product features.

This serves as notification that Groq will be added as a new Ramp subprocessor.

Name: Groq

Location: United States

Website: groq.com

Purpose: Leveraged in providing AI powered features to customers.

DPA Signed: Yes

This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.

Published at N/A

Ramp is Unaffected by the 7/19/24 Crowdstrike Incident

Incidents
Copy link

Ramp Security was made aware of a Crowdstrike incident on July 19, 2024 and confirmed that Ramp services and infrastructure are not impacted by this incident.

Published at N/A

ClickHouse Subprocessor Update

Subprocessors
Copy link

As we continue to build and improve our platform, Ramp will be leveraging ClickHouse as a data warehouse to host Ramp data and support the Ramp application.

This serves as notification that ClickHouse will be added as a Ramp subprocessor.

Name: ClickHouse

Location: United States

Website: clickhouse.com

Purpose: Data Warehouse

DPA Signed: Yes

This subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.

Published at N/A

If you think you may have discovered a vulnerability, please send us a note.

Report Issue
Powered bySafeBase Logo