A hacker tool kit that enables low-skill cybercriminals to execute more effective attacks is targeting customers of major European financial institutions, including Deutsche Bank, Commerzbank and ING.
The kit is the latest product of the phishing-as-a-service economy, in which cybercriminals sell novice hackers tools designed to lower the barrier to entry for fraud, specifically phishing. As these tool kits become more accessible to small-time criminals, they complicate defense strategies for banks.
The Spiderman kit allows attackers to replicate banks’ login portals with minimal effort, providing a platform to launch campaigns and manage stolen data. Hackers can then send links to these faux login pages using whatever method they prefer, whether in a scam email, text message, malicious advertisement on a search engine or something else.
“In practice, it reduces European bank phishing to a few clicks: pick a bank, launch a pixel-perfect clone, and send a ready-made lure that looks like it came from the real institution,” according to Varonis’ report on the tool kit.
Spiderman and similar modern tool kits stand out for their ability to bypass traditional security measures, specifically multifactor authentication.
The kit includes modules that capture credentials such as one-time passwords in real time, while the code is still valid. These modules can also capture so-called PhotoTAN codes, the image-based transaction authorization used by several German banks, in which the customer scans a color matrix code with a banking app to generate a code that approves a login or payment.
Once a victim inputs their data on the phishing site, the operator can view the session live and trigger additional prompts to harvest phone numbers, dates of birth and credit card numbers.
The kit also filters traffic to evade detection by security researchers. Specifically, it only allows traffic from targeted regions — such as Germany, Austria and Switzerland — to reach the malicious landing pages, ensuring the trap ensnares victims but doesn’t let researchers take a closer look.
The phishing-as-a-service economy
The development of Spiderman highlights the maturing business model of phishing-as-a-service, in which developers sell ready-made attack infrastructure to other criminals on a subscription basis.
U.S. banks have faced similar threats from platforms such as Robin Banks.
These platforms operate with the efficiency of legitimate software companies, offering user-friendly dashboards, 24/7 customer support and regular updates.
For a monthly fee — in the case of Robin Banks, as low as $50 for a single page or $200 for full access — criminals can lease the ability to convincingly imitate login pages for large banks and tech companies.
Bypassing multifactor authentication
These tools undermine weaker forms of multifactor authentication, such as one-time passcodes sent by email or text message, because a code the victim types into the fake page can be relayed to the real site before it expires.
Indeed, the market has also seen the rise of one-time password bots, which are automated tools that trick victims into revealing authentication codes via spoofed voice calls or text messages.
In this same vein, cybercriminals use tools such as EvilProxy (also known as Moloch) to monitor traffic between a user and a legitimate website, according to
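The following simulation, added here as an illustration and not code from the Varonis report or from any of the kits named above, shows why real-time relaying defeats SMS or email one-time passcodes and why an origin-bound second factor survives the same attack. The bank, the attacker’s proxy, the victim’s authenticator, the user “alice”, the two origins and the use of a shared HMAC key in place of a real asymmetric WebAuthn credential are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed origins (assumptions for the demo, not real hosts).
BANK_ORIGIN = "https://online.example-bank.test"
PHISH_ORIGIN = "https://online.examp1e-bank.test"   # look-alike clone served by the kit


class Bank:
    """Toy bank back end with two login paths: password + texted OTP, and an
    origin-bound device signature (a simplified, symmetric stand-in for WebAuthn)."""

    def __init__(self):
        self.users = {
            "alice": {
                "password": "correct horse battery staple",
                "device_key": secrets.token_bytes(32),  # known only to her authenticator
            }
        }
        self.pending_otp = {}
        self.pending_challenge = {}
        self.sessions = set()

    # Path 1: password, then a six-digit code "texted" to the customer.
    def start_otp_login(self, user, password):
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(u["password"], password):
            return None
        otp = f"{secrets.randbelow(1_000_000):06d}"
        self.pending_otp[user] = otp
        return otp  # stands in for the SMS that reaches the real customer's phone

    def finish_otp_login(self, user, otp):
        expected = self.pending_otp.pop(user, None)
        if expected is None or not hmac.compare_digest(expected, otp):
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    # Path 2: the device signs the challenge together with the bank's origin.
    def start_bound_login(self, user):
        challenge = secrets.token_bytes(32)
        self.pending_challenge[user] = challenge
        return challenge

    def finish_bound_login(self, user, signature):
        u = self.users.get(user)
        challenge = self.pending_challenge.pop(user, None)
        if u is None or challenge is None:
            return None
        expected = hmac.new(u["device_key"], challenge + BANK_ORIGIN.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token


class Authenticator:
    """Victim's device. It signs over the origin the browser is actually on,
    which is the property the phishing page cannot influence."""

    def __init__(self, device_key):
        self.device_key = device_key

    def sign(self, challenge, origin_seen_by_browser):
        return hmac.new(self.device_key, challenge + origin_seen_by_browser.encode(), hashlib.sha256).digest()


def relay_otp_phish(bank, victim_user, victim_password):
    """Attacker's proxy: forward the password, wait for the victim to type the
    texted code into the clone, forward that too, and keep the resulting session."""
    sms_otp = bank.start_otp_login(victim_user, victim_password)
    if sms_otp is None:
        return None
    otp_typed_on_clone = sms_otp  # the victim dutifully enters the code on the fake page
    return bank.finish_otp_login(victim_user, otp_typed_on_clone)


def relay_bound_phish(bank, authenticator, victim_user):
    """Same proxy against the origin-bound path: the victim approves the prompt,
    but the signature covers PHISH_ORIGIN, so the bank rejects it."""
    challenge = bank.start_bound_login(victim_user)       # proxy fetches a genuine challenge
    signature = authenticator.sign(challenge, PHISH_ORIGIN)
    return bank.finish_bound_login(victim_user, signature)


def demo():
    """Returns (otp_phish_succeeded, bound_phish_succeeded, legitimate_bound_login_succeeded)."""
    bank = Bank()
    auth = Authenticator(bank.users["alice"]["device_key"])
    otp_session = relay_otp_phish(bank, "alice", "correct horse battery staple")
    bound_session = relay_bound_phish(bank, auth, "alice")
    challenge = bank.start_bound_login("alice")
    legit_session = bank.finish_bound_login("alice", auth.sign(challenge, BANK_ORIGIN))
    return otp_session is not None, bound_session is not None, legit_session is not None


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The attacker never needs to break the OTP: the proxy simply plays both sides of a live session, which is exactly what the real-time capture modules described above automate. The origin-bound path fails for the attacker because the signed message includes the origin the victim’s browser was really talking to, and no amount of pixel-perfect cloning changes that string.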
Cybercriminals often openly advertise these services online and in messaging apps. On one such app, Signal, a chat group linked to the seller behind Spiderman currently hosts roughly 750 members, suggesting it has an active and growing user community, according to Varonis’ report on the tool kit.
Similarly, cybercriminals on messaging app Telegram sell access to one-time password bots for anywhere from $40 per week to $4,000 for lifetime access, according to
