A Peek at the V3B Phishing Kit Attack via the DNS Lens

A phishing campaign targeting European bank customers leveraged the V3B Phishing Kit. WhoisXMLAPI expanded the published IoC set through WHOIS and DNS pivots, uncovering a much larger domain-based infrastructure. The research highlights below cover the domain, IP address, and registrant-data IoCs and the artifacts connected to them; the full findings are downloadable for deeper analysis.

Keypoints

  • The campaign targeted customers of several European banks using the V3B Phishing Kit, illustrating ongoing phishing risks and the role of ready-made cybercrime tools.
  • WhoisXMLAPI expanded the IoC list into 177 email-connected domains, nine IP addresses (eight associated with threats), 43 IP-connected domains, 10 string-connected domains, 32 brand-containing domains, and 4,537 registrant-connected domains (490 of them associated with threats).
  • The full research sample is a preview; complete findings and samples are downloadable from the researchers’ website.
  • The 28 domain IoCs were spread across 14 registrars, led by Hostinger Operations UAB (six domains), with NameSilo, Tucows, GoDaddy, and others accounting for the rest.
  • Newly registered domains (NRDs) dominated: 25 of the 28 domain IoCs were created in 2024; some domains carried no creation date in their current WHOIS records, so the true NRD count may be higher.
  • Geographic distribution of domain IoCs was led by the United States (12 domains), followed by the Netherlands (3) and several single-domain entries from France, Saint Kitts and Nevis, and Spain; 10 IoCs had no registrant country data.
  • One IoC, bunq-app-nl[.]net, still carried unredacted registrant name and organization data in its current WHOIS record, which gives investigators a reverse-WHOIS pivot for attribution.
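The WHOIS and DNS pivots behind those counts, as an added Python example (not WhoisXMLAPI's code or tooling): it takes a few seed domain IoCs, refangs them, summarises the registrar, creation-year and registrant-country distributions with explicit handling of missing fields, and expands the set by reverse-IP, reverse-WHOIS e-mail and brand-string pivots. bunq-app-nl[.]net is the only name taken from the article; every other domain, e-mail address, IP, registrar assignment and date is constructed, and the two dictionaries stand in for live WHOIS and DNS lookups.

```python
"""
Added illustration of the IoC-expansion pivots the article describes.
Not WhoisXMLAPI's code. bunq-app-nl[.]net is the one domain the article
names; every other domain, e-mail, IP (RFC 5737 ranges), registrar and
date here is constructed so nothing resolves or attributes to anyone.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrar: Optional[str]             # None when the field is blank
    created: Optional[date]              # None when WHOIS has no creation date
    registrant_country: Optional[str]    # None when redacted
    registrant_email: Optional[str]      # None when redacted
    registrant_name: Optional[str] = None  # set only if the record is unredacted


def refang(ioc: str) -> str:
    """bunq-app-nl[.]net -> bunq-app-nl.net, so the name can be looked up."""
    return ioc.replace("[.]", ".")


def defang(ioc: str) -> str:
    """Reverse of refang(), for reporting indicators that must not be clickable."""
    return ioc.replace(".", "[.]")


# Constructed seed IoCs, defanged as an IoC feed would carry them.
SEEDS: List[str] = [refang(d) for d in (
    "bunq-app-nl[.]net", "login-examplebank[.]com", "secure-verify-nl[.]org")]

# Constructed WHOIS snapshot: the seeds plus non-seed domains that only surface via a pivot.
WHOIS: Dict[str, WhoisRecord] = {r.domain: r for r in (
    WhoisRecord("bunq-app-nl.net", "Hostinger Operations UAB", date(2024, 5, 2),
                "NL", "reg1@example.invalid", registrant_name="J. Doe"),
    WhoisRecord("login-examplebank.com", "Hostinger Operations UAB",
                date(2024, 3, 14), "US", "reg1@example.invalid"),
    WhoisRecord("secure-verify-nl.org", None, None, None, None),
    WhoisRecord("bunq-verify-app.net", "NameSilo, LLC", date(2024, 6, 1),
                "US", "reg1@example.invalid"),
    WhoisRecord("nl-app-support.net", "Tucows Domains Inc.", date(2024, 6, 3),
                None, "reg1@example.invalid"),
    WhoisRecord("unrelated-shop.com", "GoDaddy.com, LLC", date(2019, 1, 9),
                "FR", "shop@example.invalid"),
)}

# Constructed A records (RFC 5737 documentation addresses).
DNS_A: Dict[str, Set[str]] = {
    "bunq-app-nl.net": {"203.0.113.10"},
    "login-examplebank.com": {"203.0.113.10", "198.51.100.7"},
    "secure-verify-nl.org": {"198.51.100.7"},
    "bunq-verify-app.net": {"203.0.113.10"},
    "nl-app-support.net": {"192.0.2.99"},
    "unrelated-shop.com": {"192.0.2.55"},
}


def registrar_counts(domains: List[str]) -> Counter:
    """Registrar distribution; blank registrar fields are bucketed as 'unknown'."""
    return Counter(WHOIS[d].registrar or "unknown" for d in domains)


def newly_registered(domains: List[str], year: int) -> List[str]:
    """Domains created in `year`; a missing creation date never counts as new."""
    return sorted(d for d in domains
                  if WHOIS[d].created is not None and WHOIS[d].created.year == year)


def missing_creation_date(domains: List[str]) -> List[str]:
    return sorted(d for d in domains if WHOIS[d].created is None)


def country_counts(domains: List[str]) -> Counter:
    """Registrant-country distribution; redacted countries become 'unknown'."""
    return Counter(WHOIS[d].registrant_country or "unknown" for d in domains)


def ip_pivot(seeds: List[str]) -> Tuple[List[str], List[str]]:
    """Resolve the seeds, then reverse-IP: every other domain sharing those IPs."""
    reverse: Dict[str, Set[str]] = defaultdict(set)
    for dom, ips in DNS_A.items():
        for ip in ips:
            reverse[ip].add(dom)
    seed_ips = set().union(*(DNS_A.get(d, set()) for d in seeds))
    connected = set().union(*(reverse[ip] for ip in seed_ips)) - set(seeds)
    return sorted(seed_ips), sorted(connected)


def email_pivot(seeds: List[str]) -> Tuple[List[str], List[str]]:
    """Reverse WHOIS on registrant e-mails: other domains registered with them."""
    emails = {WHOIS[d].registrant_email for d in seeds if WHOIS[d].registrant_email}
    connected = {d for d, r in WHOIS.items() if r.registrant_email in emails} - set(seeds)
    return sorted(emails), sorted(connected)


def brand_containing(domains: List[str], brands: Tuple[str, ...]) -> List[str]:
    """Domains whose name embeds a targeted brand string, seeds or not."""
    return sorted(d for d in domains if any(b in d.lower() for b in brands))


def exposed_registrants(domains: List[str]) -> List[str]:
    """Domains whose current WHOIS still shows an unredacted registrant name."""
    return sorted(d for d in domains if WHOIS[d].registrant_name)


if __name__ == "__main__":
    ips, ip_conn = ip_pivot(SEEDS)
    emails, mail_conn = email_pivot(SEEDS)
    print("registrars:", dict(registrar_counts(SEEDS)))
    print("NRDs 2024:", [defang(d) for d in newly_registered(SEEDS, 2024)],
          "no creation date:", [defang(d) for d in missing_creation_date(SEEDS)])
    print("countries:", dict(country_counts(SEEDS)))
    print("IPs:", ips, "IP-connected:", [defang(d) for d in ip_conn])
    print("e-mails:", emails, "email-connected:", [defang(d) for d in mail_conn])
    print("brand-containing:", [defang(d) for d in brand_containing(list(WHOIS), ("bunq",))])
    print("unredacted registrant:", [defang(d) for d in exposed_registrants(SEEDS)])
```

The separate "unknown" buckets and the `created is not None` guard are the point: on the real data 10 domain IoCs had no registrant country and some had no creation date, and folding those into a country or an NRD year would inflate the figures. Note also that the reverse-IP pivot only returns domains on shared hosting; on a real lookup it must be filtered for shared-hosting providers before the hits are treated as related.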

MITRE Techniques

  • [T1566] Phishing – The attackers used a ready-made kit to harvest bank customers’ credentials (T1566.001 is the spearphishing-attachment sub-technique and does not fit a kit-hosted credential page); “Phishing is and remains a top threat… phishers get extra help from phishing kits—ready-made cybercrime tools that allow even cybercriminal newbies to launch attacks…”
  • [T1583.001] Acquire Infrastructure: Domains – The 28 domain IoCs were registered across 14 registrars, 25 of them in 2024 (NRDs); “The domain IoCs were distributed among 14 registrars led by Hostinger Operations UAB…”
  • [T1583] Acquire Infrastructure (hosting) – The domain IoCs resolved to a small set of shared IP addresses, most already tied to other threats; “Next, we conducted DNS lookups for the 28 domains tagged as IoCs and found that they resolved to nine unique IP addresses, eight of which turned out to be associated with various threats according to Threat Intelligence Lookup.” The DNS lookups here are the researchers’ pivot, not adversary tradecraft, so T1071.004 (DNS as a C2 application-layer protocol) does not apply.

Indicators of Compromise

  • [Domain] IoCs – bunq-app-nl[.]net and the other domains tagged as IoCs (28 in total, not all named in this preview); pivoting on them through bulk WHOIS and DNS yielded 177 email-connected, 43 IP-connected, 10 string-connected, 32 brand-containing, and 4,537 registrant-connected domains (490 of the registrant-connected domains associated with threats)
  • [IP Address] IoCs – 9 unique IP addresses to which the 28 domain IoCs resolved; 8 of them linked to threats per Threat Intelligence Lookup
  • [Email Address] IoCs – 15 registrant email addresses found in the domain IoCs’ historical WHOIS records; 8 of them still public in current records

Read more: https://circleid.com/posts/20240705-a-peek-at-the-v3b-phishing-kit-attack-via-the-dns-lens