Phishing Kits 101 & V3B Phishing Kit
This blog introduces what phishing kits are, how they work, and helpful tools for detection and research. In addition, we dive into the V3B phishing kit, an active kit promoted and used by threat actors today.
What are Phishing Kits?
Phishing kits are tools that help threat actors rapidly deploy phishing pages. These kits reduce effort required to create pages as they use prebuilt templates in which elements can be quickly swapped to target different brands. As phishing websites are often quickly added to blocklists and have abuse reports filed against them, being able to quickly generate similar pages is advantageous to threat actors.
Phishing kits are often zipped archives provided in an “As-A-Service” model where the developer of the kit shares access to users. The users deploy the archives and use it to conduct phishing attacks. Phishing kits are often used to target large brands and financial institutions.
What are the Components of a Phishing Kit?
Phishing kits typically consist of resource files that are copied from targeted websites. These websites include favicons, images and content displayed on the victim’s website. The goal of copying these resources is to create a lookalike copy that can be delivered to unsuspected users. In addition to content taken from the targeted websites, threat actors will embed scripts in the pages to record stolen information such as user credentials and send it back to adversary controlled infrastructure.
Depending on the sophistication of the phishing kit, its content can range from simple HTML pages and scripts to send victim information to content (images, forms, and text) copied from targeted sites, to additional checks that make automated detection of scripts more difficult.
Threat actors can use geolocation and other methods to tailor the content of the page to specific users. By tailoring content based on the geolocation of a user’s IP address or user-agent, threat actors may increase the likelihood of a user interacting with the site. An example of content localization is when content is displayed in a different language based on the geolocation of the user’s IP address.
Another way phishing kits are used to target a large number of users is by adjusting the content displayed based on pages based on the content of the URL. This is a popular technique used to target corporate users. Threat actors will send a phishing email to users that contain either the corporate domain or their email address. When a user interacts with this URL, a script on the web page parses the URL for domains or email addresses and then displays content associated with that domain.
Spotlight: V3B Phishing Kit
V3B is a phishing kit that is being actively promoted by threat actors on Telegram. Promoters claim that it can be used to target over 54 financial organizations in Europe. Access to the platform is sold for $130-$450 a month based on the capabilities selected. V3B includes features such as live chat, obfuscation and two factor authentication support. The phishing kit also supports pages in multiple languages such as French, German and Finnish (Cyber and Fraud Centre Scotland). The panels are created in uAdmin.
Once a threat actor has deployed the phishing kit on their infrastructure, phishing emails or SMS messages are sent to victims in an attempt to get them to access the phishing pages. To collect credentials, the victims enter their details into a fake login form. The pages also support live chat features which threat actors can leverage to talk directly to potential victims. This feature allows threat actors to convince victims to enter their credentials through the use of social engineering.
Targeted Organizations
Advertisements of the phishing kit claim to support over 54 financial organizations with customized pages and localized templates. Localized templates are used to present a more convincing lure as it presents pages in multiple languages that are used by the legitimate website.
The table below shows some of the organizations that were targeted by V3B. More examples of targeted organizations are shown in Figure 7.
Country | Financial Institution |
Netherlands | ABN |
Triodos | |
Rabo | |
German | Sparkasse |
Santander | |
Targobank | |
France | BNP Paribas |
Societe Generales | |
Credit Agricole | |
Spain | BBVA |
Caixa | |
Bankia | |
Poland | iPKO |
Finland | Saasto |
Nordea | |
Opfi | |
Austria | Bawag |
Volksbank | |
Easybank | |
Greece | Alpha |
Winbank | |
Eurobank | |
Italy | Banco BPM |
Capabilities
One-time Password Request
As banks and other financial institutions start to increasingly support one-time password requests, V3B developers have included the ability to request tokens in their admin panel. This allows threat actors to collect OTPs that are received by the victims.
PhotoTAN and Smart ID Support
Resecurity researchers have also identified that V3B phishing kits have the ability to request a PhotoTAN. A transaction authentication number (TAN) is used by banking providers to authenticate transactions. Similar to the OTP, this is used as an additional factor of authentication during transactions. A PhotoTAN is similar to a QR code since it is an image that is generated on screen.
Conclusion
Phishing kits are a common tool used by financially motivated threat actors to target individual users. The ability to rapidly deploy phishing pages that can target multiple institutions at once allows actors to rapidly scale and tailor their campaigns to specific audiences. As phishing kits become more sophisticated, they are incorporating features that make them more difficult to detect, such as bot detection or IP location filters. These are used to ensure that the phishing page is only displayed to certain users.
Recommendations
The best way to protect yourself from phishing scams is to adopt a trust but verify approach and spread user awareness.
- Never click on attachments or links from unexpected senders
- Review content of SMS messages from those claiming to be financial institutions carefully
- If the message requests you to contact your bank, validate that the number provided matches the bank’s actual number (check your bank card)
- It is safer to directly contact the bank rather than interacting with the number or link provided in the message if you are unsure
- Enforce and use multi-factor authentication of accounts where possible
- Use unique or strong passwords for all accounts
Tools to Identify Phishing Kits
The following are some resources we came across while researching phishing kits. Some are examples of phishing kits, while others are tools that can be used to detect kits.
🛠️ Indicator of Kit
Indicator of Kit is an open-source detection language for phishing kits based on Sigma. The project contains YAML files for several different phishing kits along with links to examples in urlscan.io.
🛠️ PhishingKit-Yara-Rules
This is a github repository containing Yara rules that match on the content of zip archives for different phishing kits.
Other github repositories include:
- Phishing_kits: A list of phishing kit zip archives
- StalkPhish-OSS: An open-source tool that searches databases for phishing URLs
V3B Indicators of Compromise
The table below contains all V3B Phishing Kit network IoCs that have been identified, aggregated, and added to the Pulsedive platform. This data can be queried in Pulsedive using the Explore query threat="V3B Phishing Kit" and is available for export in multiple formats (CSV, STIX 2.1, JSON).
V3B Phishing Kit IOCs |
nl-bunq-bijwerkerking[.]com |
verifieer-gegevens[.]com |
abn-amro-gobal[.]com |
accounxt[.]bitvaqvio[.]nl-csdki[.]com |
icscards-nl[.]com |
belastingdienst-schuld[.]nl |
icscardsvoorschriften[.]nl |
belastingoverzicht[.]info |
bezoeknummer48912543221[.]info |
kundenaktualisierungen[.]cc |
black-loans7[.]shop |
mijni-cs[.]bezoeknummer0734859938[.]info |
bltvavo-bevestig[.]nt8zd3[.]ru |
nl-appverifi[.]com |
bunq-app-nl[.]net |
hxxps[://]mijni-cs[.]bezoeknummer0734859938[.]info/sca/7a970cab144c3e89685550829fe62941/login |
reaktivieren-icscard[.]nl |
ics-cards[.]org |
V3B MITRE ATT&CK TTPs
Technique | Tactic |
Collection | GUI Input Capture |
Command and Control | Bidirectional Communication |
Protocol Impersonation | |
Credential Access | GUI Input Capture |
Multi-Factor Authentication Request Generation | |
Steal Web Session Cookie | |
Unsecured Credentials | |
Defense Evasion | Debugger Evasion |
Discovery | Debugger Evasion |
Execution | User Execution |
Exfiltration | Exfiltration Over C2 Channel (T1041) |
Initial Access | Phishing (T1566) |