Hackers Attacking Banking Customers Using Phishing-As-A-Service V3B Toolkit

A cybercriminal group is selling and distributing a sophisticated phishing kit called “V3B” through Phishing-as-a-Service (PhaaS) and self-hosting methods. The kit targets EU banking customers and is designed to steal login credentials and one-time codes (OTPs) through social engineering tactics.

Launched in March 2023 by “Vssrtje,” the group has amassed a large Telegram channel with over 1,255 members, many of whom are skilled in various fraud techniques. It focuses on European financial institutions, and its activity has resulted in millions of euros in losses, as the criminals further employ money mules to process the stolen financial data.

Telegram Channel

V3B utilizes customized templates designed to mimic legitimate online banking and e-commerce login and verification processes across various EU countries, including Ireland, the Netherlands, Finland, Austria, Germany, France, Belgium, Greece, Luxembourg, and Italy.

The kit offers advanced features like localization and Multi-Factor Authentication (MFA) support, potentially increasing phishing campaign success rates. 

List of uAdmin Pages available

The V3B + UPanel phishing kit is a credential-stealing scam service sold on the dark web for $130-$450/month in cryptocurrency. It uses obfuscated JavaScript to mimic online banking logins from various countries and to bypass detection by anti-phishing systems and search engines.

The kit includes features like multi-language support, anti-bot measures, mobile/desktop interfaces, and live chat to trick victims into revealing one-time passwords (OTPs) or credit card details, while the stolen data is sent to the attacker through the Telegram API.
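
As an added illustration (not code from Resecurity or from the kit itself), the Python example below shows how a hosting or abuse team could flag files that reference the Telegram Bot API, the exfiltration channel described above, both in plain form and when the host name is wrapped in base64. It assumes the endpoint appears in file contents in one of those two forms; the sample files, the placeholder token and the names `scan` and `base64_variants` are constructed for this example.

```python
import base64
import re

# Telegram documents Bot API calls as https://api.telegram.org/bot<token>/<method>.
# The token shape below (numeric id, colon, ~35-char secret) is an approximation.
BOT_CALL = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d{6,12}):[A-Za-z0-9_-]{30,40}/(?P<method>\w+)"
)
NEEDLE = b"api.telegram.org"


def base64_variants(needle: bytes) -> list[str]:
    """Substrings that base64 text must contain if `needle` is inside the
    encoded data at byte offset 0, 1 or 2 (mod 3)."""
    variants = []
    for pad in range(3):
        encoded = base64.b64encode(b"\x00" * pad + needle).decode()
        start = (pad * 8 + 5) // 6            # skip chars mixed with preceding bytes
        end = (pad + len(needle)) * 8 // 6    # stop before chars mixed with following bytes
        variants.append(encoded[start:end])
    return variants


B64_VARIANTS = base64_variants(NEEDLE)


def scan(name: str, text: str) -> list[dict]:
    """Flag Bot API calls and base64-wrapped references to the API host."""
    findings = [
        # Only the bot id is reported; the secret part of the token is not logged.
        {"file": name, "kind": "bot_api_call", "bot_id": m["bot_id"], "method": m["method"]}
        for m in BOT_CALL.finditer(text)
    ]
    if any(v in text for v in B64_VARIANTS):
        findings.append({"file": name, "kind": "base64_encoded_endpoint"})
    return findings


# Constructed sample files (not taken from the V3B kit); the token is a placeholder.
SAMPLES = {
    "send.php": '$u = "https://api.telegram.org/bot123456789:' + "A" * 35 + '/sendMessage";',
    "loader.js": 'var e = atob("' + base64.b64encode(b"https://api.telegram.org/bot").decode() + '");',
    "contact.html": '<a href="https://t.me/example_support">Chat with us</a>',
}

if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        print(fname, scan(fname, body))
```

Other obfuscation layers (string splitting, custom encoders) are not covered by this check and need de-obfuscation first.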

advanced anti-bot system

A new phishing kit, V3B, targets online banking users by employing real-time interaction and QR code manipulation. The kit alerts attackers when a victim enters the phishing page, allowing them to dynamically request various credentials such as an SMS OTP, credit card details, or even a QR code.

According to Resecurity, the QR code functionality exploits a legitimate login method that many financial services use: if the victim scans the code while logged in, the attacker can steal their session and gain unauthorized access.

V3B kit actors approach

Fraudsters are developing new methods to bypass strong customer authentication (SCA) used in online banking. A recent banking trojan kit includes functionality to request PhotoTAN codes, a popular mobile banking authentication method in Germany and Switzerland that leverages a separate device to generate one-time passwords (OTPs) from special images.

The kit supports Smart ID, another SCA method used in European and Baltic banking systems. This suggests that fraudsters are keeping pace with the adoption of new authentication technologies and actively developing methods to exploit them, and it highlights the ongoing challenges faced by fraud prevention teams in securing customer accounts.

Sneka
