Hackers Attacking Banking Customers Using Phishing-As-A-Service V3B Toolkit

A cybercriminal group is selling and distributing a sophisticated phishing kit called “V3B” through Phishing-as-a-Service (PhaaS) and self-hosting methods, which targets EU banking customers and is designed to steal login credentials and one-time codes (OTPs) through social engineering tactics. 

Launched in March 2023 by “Vssrtje,”  the group has amassed a large Telegram channel with over 1,255 members, many of whom are skilled in various fraud techniques, focusing on European financial institutions and has resulted in millions of euros in losses as the criminals further employ money mules to process the stolen financial data. 

V3B utilizes customized templates designed to mimic legitimate online banking and e-commerce login and verification processes across various EU countries, including Ireland, the Netherlands, Finland, Austria, Germany, France, Belgium, Greece, Luxembourg, and Italy.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

The kit offers advanced features like localization and Multi-Factor Authentication (MFA) support, potentially increasing phishing campaign success rates. 

The V3B + UPanel phishing kit is a credential-stealing scam service sold on the dark web for $130-$450/month in cryptocurrency and uses obfuscated JavaScript to mimic online banking logins from various countries and bypass detection by anti-phishing systems and search engines. 

The kit includes features like multi-language support, anti-bot measures, mobile/desktop interfaces, and live chat to trick victims into revealing one-time passwords (OTPs) or credit card details while the stolen data is sent to the attacker through the Telegram API.  

A new phishing kit, V3B, targets online banking users by employing real-time interaction and QR code manipulation, which alerts attackers when a victim enters the phishing page, allowing them to dynamically request various credentials like SMS OTP, credit card details, or even a QR code. 

According to Resecurity, many financial services use a legitimate login method, which this QR code functionality exploits, and if the victim scans while logged in, the attacker can steal their session and gain unauthorized access.  

Fraudsters are developing new methods to bypass strong customer authentication (SCA) used in online banking, as a recent banking trojan kit includes functionalities to request PhotoTAN codes, a popular mobile banking authentication method in Germany and Switzerland that leverages a separate device to generate one-time passwords (OTPs) from special images. 

The kit supports Smart ID, another SCA method used in European and Baltic banking systems, suggesting that fraudsters are keeping pace with the adoption of new authentication technologies and actively developing methods to exploit them, which highlights the ongoing challenges faced by fraud prevention teams in securing customer accounts.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo