Cybercriminals attack banking customers in EU with V3B phishing kit

Resecurity identifies a V3B phishing kit sold via Phishing-as-a-Service that targets EU banking customers, stealing credentials and OTPs through sophisticated social engineering and localized, multi-bank templates. The operation is led by the actor alias “Vssrtje,” with a growing Telegram-based community and a two-component kit (V3B for credential interception and uPanel for OTP collection).

Key points

  • The V3B phishing kit is distributed through a Phishing-as-a-Service model and is self-hostable, designed to intercept banking credentials and OTP codes from EU customers.
  • One key actor, alias “Vssrtje,” began operations in March 2023, promoting V3B on Telegram and Dark Web communities, with hundreds of criminals using the kit.
  • EU-targeted banks span Ireland, the Netherlands, Finland, Austria, Germany, France, Belgium, Greece, Luxembourg, and Italy, with localized templates for over 54 institutions.
  • The kit combines a credential-interception system (V3B) and pages that mimic online-banking logins with an admin panel (uPanel) used to harvest OTPs and trigger fraud.
  • Advanced features include encryption/obfuscation, anti-bot measures, multi-language pages, live chat, and support for OTP/TAN/2FA, including QR Codes and PhotoTAN.
  • QR code login jacking and other novel methods (PhotoTAN, Smart ID) are among the techniques used to bypass authentication and capture session data.

MITRE Techniques

  • [T1566.001] Phishing – The kit targets victims with credential-interception flows and pages that mimic online banking in order to capture login details. ‘The phishing kit … is comprised of two primary components: a scenario-based credential interception system (V3B), and mimic online-banking authorization pages.’
  • [T1036] Masquerading – The phishing pages imitate legitimate online banking authentication interfaces to deceive victims. ‘mimic online-banking authorization pages.’
  • [T1027] Obfuscated/Compressed Files and Information – The live kits use heavily obfuscated code to evade security detection. ‘Encrypted Code … obfuscated (via JavaScript) in multiple ways to evade detection by anti-phishing systems, search engines and protect its source codes from signature analysis.’
  • [T1071.001] Web Protocols – Intercepted data is sent to the fraudster over web protocols, using the Telegram API as the channel. ‘The phishing kit uses Telegram API as a communication channel to transmit intercepted payment data to the fraudster.’
  • [T1562.001] Impair Defenses – Built-in anti-bot measures detect bots and security tools and keep them from detecting the kit. ‘The phishing kit has an advanced anti-bot system that detects and prevents detection by bots, robots, and security tools.’
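
For the [T1071.001] item above, an added detection example (not from the Resecurity report or the kit itself) that flags Telegram API calls leaving web-server hosts in egress proxy logs, which is relevant if you operate hosting where a self-hosted kit could be deployed. The log layout, host names and bot tokens are constructed, and the Bot API URL form is an assumption about the channel, since the page only says "Telegram API".

```python
import re
from collections import defaultdict

# Bot API URLs have the form https://api.telegram.org/bot<id>:<secret>/<method>
BOT_URL = re.compile(r"^https://api\.telegram\.org/bot(\d+):[\w-]+/(\w+)", re.I)
# Without TLS inspection a proxy only logs the tunnel request
TUNNEL = re.compile(r"^api\.telegram\.org(:443)?$", re.I)

# Constructed sample lines; the "time host verb target" layout is an assumption
SAMPLE_LOG = """\
2024-06-01T10:00:01Z web-07 POST https://api.telegram.org/bot1111111111:CONSTRUCTED-token_A/sendMessage?chat_id=1
2024-06-01T10:00:05Z web-07 POST https://api.telegram.org/bot1111111111:CONSTRUCTED-token_A/sendMessage?chat_id=1
2024-06-01T10:01:00Z web-12 CONNECT api.telegram.org:443
2024-06-01T10:02:00Z ops-01 POST https://api.telegram.org/bot2222222222:CONSTRUCTED-token_B/sendMessage
2024-06-01T10:03:00Z web-07 GET https://updates.example.org/index.json
malformed line
"""

def telegram_egress(lines, web_hosts):
    """Return {host: {(bot_id, method): count}} for Telegram API calls made by web hosts."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed layout
        _ts, host, verb, target = parts
        if host not in web_hosts:
            continue  # e.g. an ops box running a legitimate alerting bot
        m = BOT_URL.match(target)
        if m:
            # Keep only the numeric bot id; the secret half of the token is not stored
            hits[host][(m.group(1), m.group(2))] += 1
        elif verb == "CONNECT" and TUNNEL.match(target):
            hits[host][(None, "CONNECT")] += 1  # tunnel seen, bot id not visible
    return {h: dict(v) for h, v in hits.items()}

if __name__ == "__main__":
    web_hosts = {"web-07", "web-12"}  # hypothetical inventory of web-serving hosts
    for host, calls in telegram_egress(SAMPLE_LOG.splitlines(), web_hosts).items():
        print(host, calls)
```

A web-serving host that posts to the Telegram API is worth triage because public-facing sites rarely need that channel; the numeric bot id lets repeated hits across hosts be grouped without storing the token secret.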

Indicators of Compromise

  • [MD5 Hash] V3B-related artifacts – 9589194ff77c2edb9a2e89765f570c5e, 3151764ce732dae8b863e15042ec2ac3, and 2 more hashes
  • [Domain Name] Phishing sites and infrastructure – kundenaktualiseringen[.]cc, icscards-nl[.]com, and other domains

Read more: https://www.resecurity.com/blog/article/cybercriminals-attack-banking-customers-in-eu-with-v3b-phishing-kit