A new phishing kit called Spiderman is being used by cybercriminals to target customers of several European banks and cryptocurrency services.

The kit creates pixel-perfect copies of legitimate websites, making it difficult for victims to notice they are on a fake page. According to researchers at Varonis, the platform enables attackers to run phishing campaigns that can steal login credentials, two-factor authentication codes, credit card information, and even seed phrases for cryptocurrency wallets like Ledger, MetaMask, and Exodus.

The investigation shows that Spiderman currently targets financial institutions across five European countries, including well-known names such as Deutsche Bank, ING, Comdirect, CaixaBank, Volksbank, Blau, and O2. It also supports phishing pages for fintech services like Klarna and PayPal. Because the kit is modular, its creators can easily add new banks, authentication methods, or updated login flows as European e-banking systems evolve. Researchers also discovered that the kit is growing in popularity, with one Signal group connected to Spiderman having around 750 members.

The phishing kit includes a control panel where attackers can watch victims’ sessions in real time, collect credentials, export stolen data with one click, intercept PhotoTAN or other one-time passcodes, and gather credit card details. PhotoTAN is a common security method used by European banks where users scan a colorful mosaic image with their bank’s mobile app to generate a transaction-specific code. While this technique has been targeted before, it remains an important feature for phishing kits aimed at European users. Operators can customize their attacks by choosing specific countries, filtering victims by device type, setting ISP restrictions, and redirecting anyone who doesn’t fit their criteria.

Varonis warns that stolen information collected through Spiderman can lead to serious consequences such as bank account takeovers, SIM-swapping attacks, credit card fraud, and identity theft. Since these attacks rely on victims clicking a malicious link, the best protection is to always double-check the website’s domain before entering login details. Users should also be aware of “browser-in-the-browser” attacks that mimic real browser windows. Receiving an unexpected SMS code or PhotoTAN prompt is a strong sign that someone may be trying to access your account, and it should be reported to your bank immediately.

