Cybersecurity researchers from Resecurity have spotted a new phishing kit which is quickly gaining serious traction among cybercriminals.
V3B costs between $130 and $450 per month, depending on the features pack that the buyer acquires. with the developers advertising it via Telegram, in a group which quickly grew to more than 1,250 members.
A phishing kit is a collection of software tools and resources that cybercriminals use to launch phishing attacks. These kits simplify the process of creating and managing phishing campaigns, making it easier for attackers to deceive users into providing sensitive information. Usually, phishing includes an email that forces the victim into a hasty reaction, and a landing page (usually a fake login page from a known service such as Office 365 or Google) where the sensitive login credentials are harvested.
Grabbing one-time passwords
V3B creates professionally-designed templates that can mimic many well-known websites and services. It uses heavily obfuscated JavaScript code over a custom content management system (CMS), successfully evading detection from many anti-phishing and search engine bots. The landing pages come in different languages, including Suomi (Finnish), French, Italian, Polish, and German.
Its users are currently impersonating 54 major financial institutions in Ireland, the Netherlands, Finland, Austria, Germany, France, Belgium, Greece, Luxembourg, and Italy, it was said. However, most financial institutions these days require one-time passwords, or multi-factor authentication, as a second layer of security.
V3B can successfully bypass this as well, as it comes with an admin panel (uPanel) that allows the scammers to talk to their victims via a chat interface. That way, they can trick the victims into sharing the codes, and apparently, the ruse works quite well.
Finally, the kit is designed to work on both mobile and desktop platforms.
"Technologies used for customer authentication by banks may vary," the researchers said. “However, the fact that fraudsters have started to implement support of alternative OTP/TAN validation mechanisms, rather than relying solely on traditional SMS-based methods, may confirm the challenges that fraud prevention teams will face in combating account takeover for both private and corporate customers."
Via BleepingComputer
More from TechRadar Pro
- A new phishing kit is targeting Gmail and Microsoft email accounts — and it can even bypass 2FA
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
