Severity
High
Analysis Summary
The V3B phishing kit, launched in March 2023 by the cybercriminal group "Vssrtje", is a sophisticated tool targeting EU banking customers to steal login credentials and one-time codes (OTPs) through advanced social engineering tactics.
Distributed through Phishing-as-a-Service (PhaaS) and self-hosting methods, V3B has led to significant financial losses amounting to millions of euros; the operators employ money mules to cash out the stolen data. The group's Telegram channel has grown to over 1,255 members skilled in various fraud techniques, and its activity focuses primarily on European financial institutions.
V3B employs customized templates that mimic legitimate online banking and e-commerce login processes across several EU countries, including Ireland, the Netherlands, Finland, Austria, Germany, France, Belgium, Greece, Luxembourg, and Italy. These templates are designed to deceive users into entering their credentials, which are then sent to the attackers via the Telegram API. Advanced features such as localization, Multi-Factor Authentication (MFA) support, and anti-bot measures enhance the kit's effectiveness, potentially increasing the success rate of phishing campaigns.
The V3B + UPanel phishing kit, available on the dark web for $130-$450 per month paid in cryptocurrency, uses obfuscated JavaScript to replicate online banking logins and evade anti-phishing systems. It offers multi-language support, mobile and desktop interfaces, and live chat functionality to trick victims into divulging OTPs and credit card details. The kit also includes an advanced anti-bot system and real-time interaction capabilities, alerting attackers when a victim enters the phishing page and allowing them to dynamically request credentials, including SMS OTPs, credit card information, and QR codes.
According to the researchers, the V3B kit exploits legitimate QR code login methods used by financial services, allowing attackers to steal sessions if victims scan the code while logged in. It supports advanced authentication methods such as PhotoTAN codes and Smart ID, which are used in German, Swiss, and Baltic banking systems. This indicates that fraudsters are continuously developing methods to bypass strong customer authentication (SCA) technologies, presenting ongoing challenges for fraud prevention teams in securing customer accounts.
Impact
- Credential Theft
- Exposure of Sensitive Data
- Unauthorized Access
- Financial Loss
Indicators of Compromise
Domain Name
- kundenaktualisierungen.cc
- icscards-nl.com
- ics-cards.org
- verifieer-gegevens.com
- nl-appverifi.com
- nl-bunq-bijwerkerking.com
- belastingdienst-schuld.nl
- bunq-app-nl.net
- belastingoverzicht.info
- black-loans7.shop
- mijni-cs.bezoeknummer0734859938.info
- bezoeknummer48912543221.info
- icscardsvoorschriften.nl
- abn-amro-gobal.com
- reaktivieren-icscard.nl
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure that all operating systems, software, and applications are regularly updated with the latest security patches.
- Conduct regular security awareness training for users to recognize and avoid phishing emails.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Implement network segmentation to limit lateral movement within the network.
- Implement continuous monitoring of network traffic and endpoint activities to detect any unusual or suspicious behavior.
- Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
- Implement SIEM solutions to centralize log collection and analysis. This can help in identifying patterns of suspicious behavior and provide timely alerts for potential security incidents.
- Regularly back up critical data and ensure that the backup copies are stored securely.
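The first two remediation steps (blocking the indicators and searching for them in your environment) are easy to get subtly wrong: hosts in proxy and DNS logs arrive with mixed case, trailing dots and ports, and a naive substring check on a domain either misses subdomains or produces false positives on look-alike names. The following script is an added example, not part of the advisory; it embeds the domain IOCs listed above, runs them over constructed sample log lines (not real telemetry) using a label-boundary suffix match, summarizes which clients touched the domains, and emits the IOCs in Squid `dstdomain` form so the same list can feed a proxy block rule. The log line format (`<time> <client-ip> <kind> <target>`) is an assumption chosen for the example.

```python
"""Match the advisory's V3B domain IOCs against proxy/DNS log lines (added example)."""
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Domain IOCs copied from the advisory's "Indicators of Compromise" section.
V3B_DOMAINS = [
    "kundenaktualisierungen.cc",
    "icscards-nl.com",
    "ics-cards.org",
    "verifieer-gegevens.com",
    "nl-appverifi.com",
    "nl-bunq-bijwerkerking.com",
    "belastingdienst-schuld.nl",
    "bunq-app-nl.net",
    "belastingoverzicht.info",
    "black-loans7.shop",
    "mijni-cs.bezoeknummer0734859938.info",
    "bezoeknummer48912543221.info",
    "icscardsvoorschriften.nl",
    "abn-amro-gobal.com",
    "reaktivieren-icscard.nl",
]

# Constructed sample log lines (not real telemetry). Assumed format:
# "<time> <client-ip> <kind> <target>", where kind is "web" (target is the
# requested URL) or "dns" (target is the queried name, possibly with trailing dot).
SAMPLE_LOGS = [
    "2024-06-07T10:12:03Z 10.1.4.22 web https://www.example.org/index.html",
    "2024-06-07T10:12:05Z 10.1.4.22 dns cdn.icscards-nl.com.",
    "2024-06-07T10:12:06Z 10.1.4.22 web https://ICScards-NL.com:443/login?step=otp",
    "2024-06-07T10:13:40Z 10.1.4.37 web https://bunq-app-nl.net.internal.example/",
    "2024-06-07T10:14:02Z 10.1.7.90 web https://notbezoeknummer48912543221.info/",
    "2024-06-07T10:15:11Z 10.1.4.37 dns mail.belastingoverzicht.info",
]


def extract_host(kind: str, target: str) -> Optional[str]:
    """Pull a canonical host (lowercase, no port, no trailing dot) out of a log target."""
    if kind == "web":
        host = urlsplit(target).hostname  # already lowercased, port and brackets stripped
    elif kind == "dns":
        host = target.lower()
    else:
        return None
    return host.rstrip(".") if host else None


def match_ioc(host: str, iocs: List[str] = V3B_DOMAINS) -> Optional[str]:
    """Return the IOC that `host` equals or is a subdomain of, else None.

    Matching is done on label boundaries: "cdn.icscards-nl.com" hits
    "icscards-nl.com", but "notbezoeknummer48912543221.info" does not hit
    "bezoeknummer48912543221.info", and an IOC used as a prefix of a longer
    name ("bunq-app-nl.net.internal.example") is not a hit either.
    """
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_logs(lines: List[str], iocs: List[str] = V3B_DOMAINS) -> List[Dict[str, str]]:
    """Return one hit record per log line whose host matches an IOC."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, client, kind, target = parts
        host = extract_host(kind, target)
        if host is None:
            continue
        ioc = match_ioc(host, iocs)
        if ioc is not None:
            hits.append({"time": ts, "client": client, "kind": kind, "host": host, "ioc": ioc})
    return hits


def clients_by_hit_count(hits: List[Dict[str, str]]) -> Counter:
    """Count hits per client IP so the noisiest (likely phished) endpoints surface first."""
    return Counter(h["client"] for h in hits)


def squid_dstdomain_acl(iocs: List[str] = V3B_DOMAINS) -> List[str]:
    """Squid 'dstdomain' entries: a leading dot matches the domain and all its subdomains."""
    return sorted("." + d for d in iocs)


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(f"{h['time']} {h['client']} {h['kind']:<3} {h['host']} -> IOC {h['ioc']}")
    print("hits per client:", dict(clients_by_hit_count(found)))
    print("squid acl lines:", *squid_dstdomain_acl(), sep="\n  ")
```

Clients that both resolved and then fetched a V3B domain (10.1.4.22 in the sample) are the ones to triage first; a user who reached the login page is a candidate for credential reset and OTP re-enrolment, not just a blocked request.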