Phishing Kit V3B (Exploit Kit) – Malware

June 5, 2024

Phishing Kit V3B

Type of Malware

Exploit Kit

Country of Origin

Unknown

Date of initial activity

2023

Targeted Countries

Ireland
Netherlands
Finland
Austria
Germany
France
Belgium
Greece
Luxembourg
Italy

Associated Groups

vssrtje

Motivation

Data Theft
Financial Gain

Attack Vectors

Phishing

Type of information Stolen

Financial Information

Overview

In a significant escalation of cybercrime, a sophisticated phishing kit named V3B has emerged, targeting banking customers across the European Union (EU). Uncovered by Resecurity, this phishing kit represents a formidable threat to financial institutions and their clients. Designed to intercept and exploit sensitive information, including login credentials and one-time passwords (OTPs), V3B employs advanced social engineering tactics to deceive victims into disclosing their personal data.

Launched in March 2023 by the threat actor known as “Vssrtje,” the V3B phishing kit has swiftly gained traction within the cybercriminal community. It is distributed through a Phishing-as-a-Service (PhaaS) model, making it accessible to a wide range of fraudsters. The kit has been prominently featured in dark web forums and Telegram channels, where it has garnered a substantial following. With over 1,255 members in its Telegram channel, the scale of the operation reflects a serious and organized attempt to undermine the security of EU financial institutions.

The V3B kit’s sophistication lies in its multi-faceted approach to phishing. It includes encrypted code to evade detection, customizable templates for a variety of European banks, and advanced features such as QR code and PhotoTAN support. These capabilities enable cybercriminals to bypass traditional security measures and conduct real-time interactions with victims, increasing the likelihood of successful fraud. The kit’s integration with a secondary component, uPanel, further enhances its effectiveness by allowing fraudsters to interact with victims and collect OTP codes in real time.

Targets

Individuals

How they operate

At its core, the V3B phishing kit is engineered to deceive users into providing confidential banking information, such as login credentials and one-time passwords (OTPs). The kit is distributed through dark web forums and Telegram channels, where it has established a substantial user base. The malware’s delivery mechanism relies heavily on social engineering techniques, employing meticulously crafted phishing emails and fake websites that mirror legitimate banking interfaces. Victims are lured into entering their data, which is then intercepted by the kit’s sophisticated credential capture system.

The operational architecture of V3B is built on two primary components: the phishing kit itself and the administrative panel known as uPanel. The phishing kit features encrypted code, obfuscated using JavaScript and other techniques to evade detection by anti-phishing systems and security tools. This obfuscation not only conceals the kit’s functionalities but also protects its source code from analysis and signature-based detection. The kit supports a wide array of financial institutions across Europe, with customizable templates that replicate the authentication and verification processes of various banks.

One of the standout features of V3B is its advanced support for multiple authentication methods. The kit includes modules for QR code phishing, allowing attackers to exploit services that use QR codes for user authentication. Additionally, it supports PhotoTAN and Smart ID, reflecting a keen awareness of evolving 2FA technologies. The phishing kit’s uPanel component enables real-time interaction with victims, allowing fraudsters to initiate OTP and token requests and manipulate victim responses. This interactive capability significantly increases the likelihood of successful data capture and fraudulent transactions.

The exfiltration of stolen data is executed through secure communication channels, with the Telegram API being a primary conduit for relaying intercepted information back to the attackers. The V3B kit also incorporates advanced anti-bot measures to prevent detection by automated security systems, ensuring that phishing operations remain stealthy and effective. The kit’s modular design, including the ability to support over 54 financial institutions and various authentication methods, underscores its adaptability and the persistent threat it poses to financial security.
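The three traits described above (obfuscated script, prompts for several 2FA methods, Telegram-based exfiltration) can be combined into a first-pass triage of files recovered from a suspect web root. The following is an added example, not code from the original article or from Resecurity; the regular expressions, the entropy threshold and the sample files are illustrative assumptions, not V3B signatures.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Heuristic patterns: assumptions for illustration, not signatures of the V3B kit.
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot[^/\s\"']+/send(?:Message|Document)", re.I)
DYNAMIC_EVAL = re.compile(r"\b(?:eval|atob|unescape)\s*\(|String\.fromCharCode", re.I)
AUTH_PROMPTS = re.compile(r"\b(?:otp|one[- ]time (?:password|code)|photo\s?tan|smart[- ]?id|qr[- ]?code)\b", re.I)
LONG_TOKEN = re.compile(r"[A-Za-z0-9+/=_$]{200,}")

def shannon_entropy(text: str) -> float:
    """Bits per character; packed or encoded payloads score well above plain code."""
    if not text:
        return 0.0
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def triage(name: str, content: str) -> dict:
    """Return the indicators one file matches and a simple additive score."""
    hits = []
    if TELEGRAM_BOT_API.search(content):
        hits.append("telegram_bot_api")
    blobs = LONG_TOKEN.findall(content)
    if DYNAMIC_EVAL.search(content) and any(shannon_entropy(b) > 4.5 for b in blobs):
        hits.append("obfuscated_script")
    prompts = {m.lower() for m in AUTH_PROMPTS.findall(content)}
    if len(prompts) >= 2:  # one mention of "OTP" alone is normal on a bank help page
        hits.append("multi_2fa_prompts")
    return {"file": name, "hits": hits, "score": len(hits)}

def triage_kit(files: dict) -> set:
    """Union of indicators across one web root; all three together warrants review."""
    return {h for name, body in files.items() for h in triage(name, body)["hits"]}

# Constructed sample files (not taken from any real kit); BLOB stands in for a packed payload.
BLOB = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))).decode()
SAMPLES = {
    "login.html": "<form><label>Enter your OTP</label><p>Scan the QR code or use PhotoTAN</p></form>",
    "loader.js": f'var p="{BLOB}";eval(atob(p));',
    "send.php": '<?php $u="https://api.telegram.org/bot<PLACEHOLDER_TOKEN>/sendMessage"; ?>',
    "about.html": "<p>Contact our branch for help with your one-time password.</p>",
}

if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        print(triage(fname, body))
    print(sorted(triage_kit(SAMPLES)))
```

Each indicator on its own is weak and will match benign files; the combination across one directory is what makes a host worth escalating to manual review.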

MITRE Tactics and Techniques

Initial Access
  • Phishing (T1566): V3B is a phishing kit designed to deceive users into revealing sensitive information, such as credentials and OTP codes. It uses social engineering tactics to lure victims into entering their data on fake banking sites.

Credential Access
  • Credential Dumping (T1003): The kit collects login credentials and OTP codes entered by victims. It may also capture session tokens or other authentication details.
  • Input Capture (T1056): The phishing kit’s interface captures inputs directly from users, including passwords and OTPs.

Collection
  • Data from Input Capture (T1056.001): V3B captures and transmits sensitive data entered by victims, such as login credentials and OTP codes, to the attackers.

Command and Control
  • Application Layer Protocol (T1071): The kit uses Telegram and other communication channels to relay stolen data back to the attackers. This involves using standard protocols to send data over the network.

Exfiltration
  • Exfiltration Over Command and Control Channel (T1041): The kit exfiltrates captured data via its communication channels, which include Telegram and other dark web platforms.

Defense Evasion
  • Obfuscated Files or Information (T1027): V3B employs obfuscated code to avoid detection by anti-phishing systems and security tools. It uses JavaScript obfuscation and other techniques to hide its malicious functions.

Impact
  • Data Manipulation (T1565): The phishing kit can potentially manipulate financial data by facilitating unauthorized transactions once credentials are compromised.

References
  • Cybercriminals attack banking customers in EU with V3B phishing kit