Ian Matthews, CEO at WMC Global presents an overview of a worrying new phishing threat to mobile users identified by the WMC Global Threat Intelligence Team, and outlines in detail some of the ways to mitigate such attacks and what consumers and businesses should do to defend their data.

Dynamic Phishing Kits Targeting UK Financial Institutions & Brands

Phishing kits allow threat actors to quickly assemble a theft operation with minimal skill or experience. While today’s organizations are updating their defensive postures, threat actors are returning the favor, finding new, creative ways to target personal and financial data. Today we are looking at Kr3pto phishing kits, dynamic kits that can bypass multi-factor authentication and that’s quickly gaining popularity online. What have become known as Puppeteer Kits or Live Kits, they are highly valuable and enable threat actors to deploy dynamic fraud attempts.

First detected in July 2020,  there have been on average more than 50 new phishing URLs launched every day using kits attributed to Kr3pto.

What’s more, these phishing kits are dynamic, allowing threat actors to siphon login credentials, personal details, and two-factor authentication information in real-time. This makes Kr3pto kits more problematic than traditional, static kits that are becoming easier for organizations to thwart.

WMC Global has observed phishing campaigns attributed to Kr3pto using smishing (SMS phishing) messages to get users to click on phishing links landing them on the phishing sites. We’ve identified Kr3pto-linked kits targeting Halifax, Lloyds, Natwest, TSB, and HSBC.

When victims follow the link, they are presented with a clone of real banking sites. They are prompted to enter their login credentials and, if necessary, two-factor authentication credentials requested by threat actors.

Notably, Kr3pto Puppeteer Kits use cookies to identify returning victims, allowing threat actors to redirect duplicate victims and avoid security professionals investigating their efforts.

Fast, Efficient Theft

Kr3pto Puppeteer Kits include lures, optional gateways, and a control panel that allows threat actors to operate multiple lures at once. The control panel is distinctive, equipping threat actors to manage multiple entire phishing operations from a single platform in real-time.

These phishing sites ask victims to wait or show a loading page while the threat actor manually logs in to the victim’s bank account. While modern security standards require secondary account validation, Kr3pto Puppeteer Kits equip threat actors to manually adjust the phishing page’s response to the victim.

For instance, if the bank requires two-factor authentication via SMS, the bank will send the 2FA code as the actor logs into the account. Or the bank might request certain letters from the users’ memorable word or phrase. Those codes are then input into the fraudulent page, allowing threat actors to gather and apply this information to victims’ accounts.

A threat actor can deploy several other security control options, including customizable memorable letters, asking the victim to call a specific number, which could be changed to the threat actor’s contact information.

  This simple but expensive design allows threat actors to target multiple financial institutions at once to maximize returns. In addition, the control panel configuration allows teams of threat actors to collaboratively, expanding their scope and effectiveness.“

Traditional phishing kits can only transition stolen credentials to a configured email address. Kr3pto Puppeteer Kits offer a dynamic solution, enabling threat actors to acquire real-time security codes and two-factor authentication data.

This simple but expensive design allows threat actors to target multiple financial institutions at once to maximize returns. In addition, the control panel configuration allows teams of threat actors to collaboratively, expanding their scope and effectiveness.

Taken together, Kr3pto threat actors have extensive capabilities to target UK banking customers with sophisticated phishing scams that compromise personal and financial data.

Intel & Assertions

Currently, there are two distinct websites with the same fingerprint: Kr3pto LLC & AUTOSHOP.

A Telegram channel for Kr3pto LLC sells credentials for brands, including Chase, PayPal, and Fullz. Arranged by log required, stolen credentials sell at various prices depending on the country of residence.

When engaged in a chat, the actor claimed to be selling the UK live banking kits for £1k each. Along with access to a secret forum for £1k. The forum claim was unsubstantiated. What’s more, the pay-for-access component feels fraudulent as competent threat actors are not joining forums where LE and security researchers are allowed access. The actor showed an awareness of public and open-source reporting on them and their kits.

The actor’s English was good but not perfect, showing they are not a native English speaker. Even so, they are fluent in the language with good spelling and grammar; however, a more complex English sentence structure was lacking.

Currently, the threat actor’s online store has a large number of credentials for sale. Since many phishing sites are stood up every day with similar TTPs, it appears managed by a single actor.

Fortunately, we have not seen an increase in credential stuffing attacks hitting UK financial institutions (FIs) or other services, making it possible that Kr3pto is standing the sites up themselves, harvesting the credentials, and selling them in their store.

While the workflow remains unclear, it is highly possible the whole process is fully automated, allowing for a continuous stream of fresh credentials to enter the marketplace.