Phishing Kits 101 & V3B Phishing Kit

Phishing kits are "as-a-service" tools that help threat actors rapidly deploy phishing pages and campaigns. This blog examines key components, how they work, helpful resources, and a dive into the V3B phishing kit.

Phishing Kits 101 & V3B Phishing Kit

This blog introduces what phishing kits are, how they work, and helpful tools for detection and research. In addition, we dive into the V3B phishing kit, an active kit promoted and used by threat actors today.

What are Phishing Kits?

Phishing kits are tools that help threat actors rapidly deploy phishing pages. These kits reduce effort required to create pages as they use prebuilt templates in which elements can be quickly swapped to target different brands. As phishing websites are often quickly added to blocklists and have abuse reports filed against them, being able to quickly generate similar pages is advantageous to threat actors. 

Phishing kits are often zipped archives provided in an “As-A-Service” model where the developer of the kit shares access to users. The users deploy the archives and use it to conduct phishing attacks. Phishing kits are often used to target large brands and financial institutions. 

Figure 1: Examples of phishing kit websites

What are the Components of a Phishing Kit?

Phishing kits typically consist of resource files that are copied from targeted websites. These websites include favicons, images and content displayed on the victim’s website. The goal of copying these resources is to create a lookalike copy that can be delivered to unsuspected users. In addition to content taken from the targeted websites, threat actors will embed scripts in the pages to record stolen information such as user credentials and send it back to adversary controlled infrastructure. 

Depending on the sophistication of the phishing kit, its content can range from simple HTML pages and scripts to send victim information to content (images, forms, and text) copied from targeted sites, to additional checks that make automated detection of scripts more difficult. 

Figure 2: Content of a Phishing Kit Archive (Kaspersky)

Threat actors can use geolocation and other methods to tailor the content of the page to specific users. By tailoring content based on the geolocation of a user’s IP address or user-agent, threat actors may increase the likelihood of a user interacting with the site. An example of content localization is when content is displayed in a different language based on the geolocation of the user’s IP address. 

Figure 3: Content of a php file that adjusts content based on countries (Kaspersky)
💡
In Figure 3 above, if the script details the visitor’s location as Germany, the content of the form will be adjusted to reflect words in German. This is done to mimic the German storefront of Amazon. 

Another way phishing kits are used to target a large number of users is by adjusting the content displayed based on pages based on the content of the URL. This is a popular technique used to target corporate users. Threat actors will send a phishing email to users that contain either the corporate domain or their email address. When a user interacts with this URL, a script on the web page parses the URL for domains or email addresses and then displays content associated with that domain.

Figure 4: An example of dynamic content on a phishing page where the URL contains the domain Amazon allowing the web page to display Amazon related content.

Spotlight: V3B Phishing Kit

Figure 5: Pulsedive’s threat card for V3B.

V3B is a phishing kit that is being actively promoted by threat actors on Telegram. Promoters claim that it can be used to target over 54 financial organizations in Europe. Access to the platform is sold for $130-$450 a month based on the capabilities selected. V3B includes features such as live chat, obfuscation and two factor authentication support. The phishing kit also supports pages in multiple languages such as French, German and Finnish (Cyber and Fraud Centre Scotland). The panels are created in uAdmin. 

Figure 6: Telegram channel advertising V3B access (Resecurity).

Once a threat actor has deployed the phishing kit on their infrastructure, phishing emails or SMS messages are sent to victims in an attempt to get them to access the phishing pages. To collect credentials, the victims enter their details into a fake login form. The pages also support live chat features which threat actors can leverage to talk directly to potential victims. This feature allows threat actors to convince victims to enter their credentials through the use of social engineering. 

Targeted Organizations

Advertisements of the phishing kit claim to support over 54 financial organizations with customized pages and localized templates. Localized templates are used to present a more convincing lure as it presents pages in multiple languages that are used by the legitimate website.

The table below shows some of the organizations that were targeted by V3B. More examples of targeted organizations are shown in Figure 7. 

Country

Financial Institution

Netherlands

ABN

Triodos

Rabo

German

Sparkasse

Santander

Targobank

France

BNP Paribas

Societe Generales

Credit Agricole

Spain

BBVA

Caixa

Bankia

Poland

iPKO

Finland

Saasto

Nordea

Opfi

Austria

Bawag

Volksbank

Easybank

Greece

Alpha

Winbank

Eurobank

Italy

Banco BPM

Figure 7: Some of the financial institutions targeted using V3B (Resecurity).

Capabilities

One-time Password Request

As banks and other financial institutions start to increasingly support one-time password requests, V3B developers have included the ability to request tokens in their admin panel. This allows threat actors to collect OTPs that are received by the victims. 

Figure 8: V3B's uAdmin panel where threat actors can prompt users for a OTP (Resecurity).

PhotoTAN and Smart ID Support

💡
PhotoTAN is a popular authentication method that is used by several of the targeted German banks. Typically, an online banking UI generates and displays a photoTAN image on screen containing an encrypted message with the transaction details. The user scans the image with the banking app on a smartphone, which "generates" a transaction authorization number (TAN) when reading the image. The user then enters the TAN on the computer to authorize the transaction.

Resecurity researchers have also identified that V3B phishing kits have the ability to request a PhotoTAN. A transaction authentication number (TAN) is used by banking providers to authenticate transactions. Similar to the OTP, this is used as an additional factor of authentication during transactions. A PhotoTAN is similar to a QR code since it is an image that is generated on screen.

Figure 9: An example of a photoTAN code.

Conclusion

Phishing kits are a common tool used by financially motivated threat actors to target individual users. The ability to rapidly deploy phishing pages that can target multiple institutions at once allows actors to rapidly scale and tailor their campaigns to specific audiences. As phishing kits become more sophisticated, they are incorporating features that make them more difficult to detect, such as bot detection or IP location filters. These are used to ensure that the phishing page is only displayed to certain users. 

Recommendations

The best way to protect yourself from phishing scams is to adopt a trust but verify approach and spread user awareness. 

  • Never click on attachments or links from unexpected senders
  • Review content of SMS messages from those claiming to be financial institutions carefully
    • If the message requests you to contact your bank, validate that the number provided matches the bank’s actual number (check your bank card)
    • It is safer to directly contact the bank rather than interacting with the number or link provided in the message if you are unsure
  • Enforce and use multi-factor authentication of accounts where possible
    • Use unique or strong passwords for all accounts

Tools to Identify Phishing Kits

The following are some resources we came across while researching phishing kits. Some are examples of phishing kits, while others are tools that can be used to detect kits.

🛠️ Indicator of Kit

Indicator of Kit is an open-source detection language for phishing kits based on Sigma. The project contains YAML files for several different phishing kits along with links to examples in urlscan.io

Figure 10: Bank of America Phishing Kit Detection (IOK).
Figure 11: Example page detected by code in Figure 10 (urlscan).

🛠️ PhishingKit-Yara-Rules

This is a github repository containing Yara rules that match on the content of zip archives for different phishing kits.

Other github repositories include:

V3B Indicators of Compromise

The table below contains all V3B Phishing Kit network IoCs that have been identified, aggregated, and added to the Pulsedive platform. This data can be queried in Pulsedive using the Explore query threat="V3B Phishing Kit" and is available for export in multiple formats (CSV, STIX 2.1, JSON).

V3B Phishing Kit IOCs

nl-bunq-bijwerkerking[.]com

verifieer-gegevens[.]com

abn-amro-gobal[.]com

accounxt[.]bitvaqvio[.]nl-csdki[.]com

icscards-nl[.]com

belastingdienst-schuld[.]nl

icscardsvoorschriften[.]nl

belastingoverzicht[.]info

bezoeknummer48912543221[.]info

kundenaktualisierungen[.]cc

black-loans7[.]shop

mijni-cs[.]bezoeknummer0734859938[.]info

bltvavo-bevestig[.]nt8zd3[.]ru

nl-appverifi[.]com

bunq-app-nl[.]net

hxxps[://]mijni-cs[.]bezoeknummer0734859938[.]info/sca/7a970cab144c3e89685550829fe62941/login

reaktivieren-icscard[.]nl

ics-cards[.]org

V3B MITRE ATT&CK TTPs

Technique

Tactic

Collection

GUI Input Capture

Command and Control

Bidirectional Communication

Protocol Impersonation

Credential Access

GUI Input Capture

Multi-Factor Authentication Request Generation

Steal Web Session Cookie

Unsecured Credentials

Defense Evasion

Debugger Evasion

Discovery

Debugger Evasion

Execution

User Execution

Exfiltration

Exfiltration Over C2 Channel (T1041)

Initial Access

Phishing (T1566)

References