Varonis researchers have discovered a new PhaaS platform, called Spiderman, that targets users of European banks and cryptocurrency services. Attackers use the service to create copies of legitimate websites to steal login credentials, 2FA codes, and credit card information.
According to experts, the platform is aimed at financial institutions from five European countries and large banks such as Deutsche Bank, ING, Comdirect, Blau, O2, CaixaBank, Volksbank and Commerzbank.
However, attacks are not limited to banks.
Spiderman can also create phishing pages for fintech services like Klarna and PayPal in Sweden. Additionally, the platform supports seed theft for cryptocurrency wallets like Ledger, Metamask, and Exodus.
“Because Spiderman is modular, it can easily adapt to new banks, portals, and authentication methods. As European countries upgrade their online banking systems, the service will likely evolve alongside them,” Varonis researchers note.
Through Spiderman’s web dashboard, operators can monitor victims’ sessions in real time, export data with a single click, intercept credentials, PhotoTANs, and one-time passwords on the fly, and collect credit card information.
PhotoTAN is a one-time password system widely used by European banks. When logging in or confirming a transaction, the user is shown a colored mosaic that must be scanned using the bank’s app. The app decrypts the mosaic, generates an OTP for the specific transaction , and the user enters this code on the website.
Spiderman operators also have access to targeting settings through the control panel: they can limit attacks to specific countries, whitelist providers, filter victims by device type (mobile or desktop users), and set up redirects for visitors not suitable for phishing.
Researchers emphasize that all phishing kits rely on the victim clicking on a link and being redirected to a fake login page.
Therefore, the best defense against such attacks is to always carefully check the domain before entering your credentials. It’s also worth watching out for fake “browser-in-the-browser” windows, which may display the correct URL.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
