Cyber Threat Intelligence: Phishing x Bank Kit

New Vssrtje threat actor markets phishing kit threatening European and French banks

A new threat actor, the Vssrtje group, is offering fraudsters sophisticated phishing kits targeting EU banking customers. These kits intercept sensitive information, such as IDs and SMS/OTP (One Time Password) codes, using social engineering techniques. Distributed under the Phishing-as-a-Service (PhaaS) model and self-hosted, the "V3B" kit is promoted on the Telegram channel @vssrtjepanels, administered by @Vssrtje and created on May 27, 2023 but active since February 20 (Previous posts may have been deleted). This Telegram channel has more than 1263 members as of June 11, 2024, which testifies to the scale of their activities. Hundreds of cybercriminals have adopted the V3B kit, leaving victims with empty bank accounts.

Member profile

Most of the members of this chain are cybercriminals specializing in various forms of fraud, such as social engineering, SIM card swapping, bank and credit card fraud. At present, it is not possible to formally identify the countries from which they operate.

These malicious actors mainly target banks in the EU, including France, resulting in significant financial losses for European banking customers, estimated at several million euros.

With the increase in these attacks on banking institutions, we can observe in parallel the growth of financial mule networks in Europe. Financial mules play a crucial role in money laundering and the transfer of stolen funds, making it more difficult to trace and identify the perpetrators of these crimes.

Types of victims

The victims of these phishing kits, each customized to target specific banks, are customers of 54 banking institutions including the following French banks:

  • Caisse d'Epargne
  • Banque Populaire
  • Boursorama Banque
  • Société Générale
  • HSBC
  • Hello Bank
  • BNP Paribas
  • ING Bank
  • AXA Bank
  • Crédit Agricole

Price and features

The price of the phishing kit ranges from $80 to $450 per month, payable in crypto-currency. The cost depends on the specific modules and banks supported. The kit's author regularly releases updates and adds new features to evade detection, such as improved credential-stealing algorithms and advanced obfuscation techniques.

How it works

The V3B phishing kit supports over 54 financial institutions by offering customized, localized templates. These templates mimic the authentication and verification processes of online banking and e-commerce systems across the EU, ensuring a realistic appearance tailored to each targeted institution.

Phishing kit code is encrypted and obfuscated via JavaScript to escape detection by anti-phishing systems and search engines, protecting its source code from signature analysis.

It includes advanced features such as updated tokens, anti-bot measures, mobile and desktop interfaces, live chat with victims, and support for OTP/TAN/2FA, including QR codes and PhotoTAN.

Built on a customized CMS with obfuscated scenarios, the kit ensures prolonged online persistence while escaping detection.

Features

The uPanel enables fraudsters to initiate an OTP or token request, prompting victims to enter their codes, which the fraudsters then use to verify transactions. The kit uses the Telegram API as a communication channel to transmit intercepted payment data to the fraudster, alerting him to the success of the attack.

An advanced anti-bot system detects and prevents detection by bots, robots and security tools. The kit offers advanced localization capabilities, with pages translated into several languages, including Finnish, French, Italian, Polish and German.

The phishing kit incorporates an advanced system enabling fraudsters to interact with victims in real time. For example, an actor can prompt a victim to enter a PushTAN code and trigger an OTP request via SMS to collect it, thus bypassing OTP validation. When a victim accesses the phishing page, the fraudster is immediately informed via a proactive "warning", enabling him to trigger specific actions.

Different combinations of triggers enable direct, real-time interaction with the victim, giving the phishing kit the ability to carry out specific actions. This facilitates illegal access to accounts and the execution of fraudulent transactions.

Events triggered by the kit

The phishing kit triggers a series of events, such as requests for login, SMS/OTP, credit card information, phone numbers, e-mail addresses and dates of birth. It also includes PhotoTAN, SmartID and QR code requests, as well as the display of personalized notifications and data from MFA applications.

This wide range of events makes it possible to target a large number of banks. Using advanced techniques, the kit manages to bypass most current security measures, rendering traditional protection ineffective against these sophisticated attacks. Fraudsters are thus able to exploit compromised access to efficiently gather sensitive information.

The kit is designed to be extremely adaptable and can be configured to meet specific requirements, maximizing its effectiveness and reach in phishing campaigns. This flexibility keeps it one step ahead of the new security measures introduced by financial institutions, ensuring that attacks remain effective even in the face of increasingly sophisticated defense systems.

Analysis and outlook with the arrival of the NIS 2 directive

The European Union, with its developed economy and mature financial system, is particularly vulnerable, with estimated losses of hundreds of millions of euros due to cybercrime and financial fraud. Cybercrime is a major global economic threat, with estimated losses of $11.50 trillion by 2023. Forecasts by the FBI, IMF and other organizations indicate that cybercrime could reach $23 trillion by 2027, representing a growing concern for organizations of all sizes.

Phishing kits like V3B, available on the Dark Web, contribute to these significant losses. Easily accessible and affordable, these tools enable fraudsters to cause massive financial losses.

To effectively prevent fraud, banks need to take a proactive approach by gathering intelligence on the Dark Web, keeping abreast of tools such as V3B, and continually updating their security strategies and controls. This involves monitoring the Dark Web to identify new tools and techniques used by cybercriminals, as well as improving authentication and verification processes to prevent fraudulent activity.

The Network and Information Systems Directive 2 (NIS2), adopted by the European Union, aims to strengthen the cybersecurity of critical infrastructures, including the banking sector. In response to the increase in cyberthreats, NIS2 imposes stricter obligations on critical entities, including banks, to improve their resilience to cyberattacks. The preventive measures described above are in line with the requirements of the NIS2 directive.

In particular, proactive monitoring and information sharing meet NIS2 requirements for continuous threat monitoring and increased collaboration between entities to share cyberthreat intelligence.

Gathering intelligence on the Dark Web and updating banking security strategies enable institutions to prepare and respond quickly to new threats such as V3B phishing kits.

By integrating these measures, banks can not only comply with the NIS2 directive, but also significantly reduce their exposure to cyber risks, thereby helping to protect the entire EU financial system.


Download PDF