This dangerous new phishing kit is hitting victims across Europe


Cybersecurity researchers from Resecurity have spotted a new phishing kit which is quickly gaining serious traction among cybercriminals. 

V3B costs between $130 and $450 per month, depending on the feature pack that the buyer acquires. The developers advertise it via Telegram, in a group which quickly grew to more than 1,250 members.

A phishing kit is a collection of software tools and resources that cybercriminals use to launch phishing attacks. These kits simplify the process of creating and managing phishing campaigns, making it easier for attackers to deceive users into providing sensitive information. Usually, phishing includes an email that forces the victim into a hasty reaction, and a landing page (usually a fake login page from a known service such as Office 365 or Google) where the sensitive login credentials are harvested.

Grabbing one-time passwords

V3B creates professionally designed templates that can mimic many well-known websites and services. It uses heavily obfuscated JavaScript code over a custom content management system (CMS), successfully evading detection by many anti-phishing and search engine bots. The landing pages come in different languages, including Suomi (Finnish), French, Italian, Polish, and German.

Its users are currently impersonating 54 major financial institutions in Ireland, the Netherlands, Finland, Austria, Germany, France, Belgium, Greece, Luxembourg, and Italy, it was said. However, most financial institutions these days require one-time passwords, or multi-factor authentication, as a second layer of security.

V3B can successfully bypass this as well, as it comes with an admin panel (uPanel) that allows the scammers to talk to their victims via a chat interface. That way, they can trick the victims into sharing the codes, and apparently, the ruse works quite well.

Finally, the kit is designed to work on both mobile and desktop platforms.

"Technologies used for customer authentication by banks may vary," the researchers said. "However, the fact that fraudsters have started to implement support of alternative OTP/TAN validation mechanisms, rather than relying solely on traditional SMS-based methods, may confirm the challenges that fraud prevention teams will face in combating account takeover for both private and corporate customers."

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.