Analysis: Phishing kit V3B is tailored to Commerzbank, Sparkasse & Co.

Security researchers have investigated the machinations surrounding an online banking malware that is active throughout Europe.


(Image: JARIRIYAWAT/Shutterstock.com)

This article was originally published in German and has been automatically translated.

Under the malware-as-a-service model, criminals can rent the V3B phishing kit for a monthly fee. V3B is tailored to European banks in order to harvest customer data, and several German banks are among its targets. Security researchers from Resecurity have now analyzed the kit.

According to their report, the kit is currently optimized for 54 European banks. In Germany, these include Commerzbank, Deutsche Bank, DKB, Hypovereinsbank, O2, Targo and Volksbank. However, the cybercriminals are obviously no longer up to date, at least in Germany: the O2 banking service was discontinued in 2022.

The V3B phishing kit automatically delivers victims' stolen banking credentials to the criminals via the Telegram messenger.

(Image: Resecurity)

According to the researchers, the phishing kit comes with several modules that, among other things, steal online banking login data and two-factor authentication (2FA) codes.

The extent of the attacks is currently unknown. The researchers state that the criminals are organized in a Telegram group with over 1255 members. The monthly price for the kit is said to be between 130 and 450 US dollars, depending on which modules are included and on the code adapted to specific banks.

The researchers state that the criminals regularly update their malicious code to make it harder for virus scanners to detect. This includes, for example, improved methods for capturing login data and code obfuscation intended to evade IT security tools.

The kit is even said to allow a live chat with victims, so that fraudsters posing as bank employees can extract personal data. There is also a module tailored to German banks that intercepts 2FA codes generated via the photoTAN process. The researchers do not currently explain how this works in detail.

V3B uses the Telegram API to forward the captured data to the criminals. This means the fraudsters are notified immediately and can misuse the data right away.

The authors of the report do not currently explain how the attacks work in detail; they refer only to various social engineering tactics. It can be assumed that the attacks are initiated via phishing emails and websites.

At the end of their report, the researchers list several indicators that help recognize systems that have already been compromised. These include MD5 hashes of malicious code files and URLs such as kundenaktualisierungen.cc.

(des)