Пожалуйста, обратите внимание, что пользователь заблокирован
Fast, Efficient Theft
Kr3pto Puppeteer Kits include lures, optional gateways, and a control panel that allows threat actors to operate multiple lures at once. The control panel is distinctive, equipping threat actors to manage multiple entire phishing operations from a single platform in real-time.
These phishing sites ask victims to wait or show a loading page while the threat actor manually logs in to the victim’s bank account. While modern security standards require secondary account validation, Kr3pto Puppeteer Kits equip threat actors to manually adjust the phishing page's response to the victim.
For instance, if the bank requires two-factor authentication via SMS, the bank will send the 2FA code as the actor logs into the account. Or the bank might request certain letters from the users' memorable word or phrase. Those codes are then input into the fraudulent page, allowing threat actors to gather and apply this information to victims’ accounts.
A threat actor can deploy several other security control options, including customizable memorable letters, asking the victim to call a specific number, which could be changed to the threat actor’s contact information. Specifically, we’ve identified examples of threat actors deploying the following options:
ASK Memorable Chars - Request 3 memorable characters from a victim’s memorable word. The 3 chars can be selected by the threat actor.
ASK Full Memorable - Request the full memorable word.
Give Code - Give a code to the user as a form of integrity check for the bank.
ASK Call - Ask the victim to phone a number.
ASK LOGIN AGAIN - Request username and password again.
Finish - Show completed and return the user to a legitimate banking website.
Traditional phishing kits can only transition stolen credentials to a configured email address. Kr3pto Puppeteer Kits offer a dynamic solution, enabling threat actors to acquire real-time security codes and two-factor authentication data.
This simple but expensive design allows threat actors to target multiple financial institutions at once to maximize returns. In addition, the control panel configuration allows teams of threat actors to collaboratively, expanding their scope and effectiveness.
Taken together, Kr3pto threat actors have extensive capabilities to target UK banking customers with sophisticated phishing scams that compromise personal and financial data.
Intel and assertions
Currently, there are two distinct websites with the same fingerprint: Kr3pto LLC & AUTOSHOP.
A Telegram channel for Kr3pto LLC sells credentials for brands, including Chase, PayPal, and Fullz. Arranged by log required, stolen credentials sell at various prices depending on the country of residence.
When engaged in a chat, the actor claimed to be selling the UK live banking kits for £1k each. Along with access to a secret forum for £1k. The forum claim was unsubstantiated. What’s more, the pay-for-access component feels fraudulent as competent threat actors are not joining forums where LE and security researchers are allowed access. The actor showed an awareness of public and open-source reporting on them and their kits.
The actor’s English was good but not perfect, showing they are not a native English speaker. Even so, they are fluent in the language with good spelling and grammar; however, a more complex English sentence structure was lacking.
Currently, the threat actor’s online store has a large number of credentials for sale. Since many phishing sites are stood up every day with similar TTPs, it appears managed by a single actor.
Fortunately, we have not seen an increase in credential stuffing attacks hitting UK financial institutions (FIs) or other services, making it possible that Kr3pto is standing the sites up themselves, harvesting the credentials, and selling them in their store.
While the workflow remains unclear, it is highly possible the whole process is fully automated, allowing for a continuous stream of fresh credentials to enter the marketplace.
Source:https://www.wmcglobal.com/blog/kr3p...c-phishing-kit-targeting-uk-banking-customers
Fast, Efficient Theft
Kr3pto Puppeteer Kits include lures, optional gateways, and a control panel that allows threat actors to operate multiple lures at once. The control panel is distinctive, equipping threat actors to manage multiple entire phishing operations from a single platform in real-time.
These phishing sites ask victims to wait or show a loading page while the threat actor manually logs in to the victim’s bank account. While modern security standards require secondary account validation, Kr3pto Puppeteer Kits equip threat actors to manually adjust the phishing page's response to the victim.
For instance, if the bank requires two-factor authentication via SMS, the bank will send the 2FA code as the actor logs into the account. Or the bank might request certain letters from the users' memorable word or phrase. Those codes are then input into the fraudulent page, allowing threat actors to gather and apply this information to victims’ accounts.
A threat actor can deploy several other security control options, including customizable memorable letters, asking the victim to call a specific number, which could be changed to the threat actor’s contact information. Specifically, we’ve identified examples of threat actors deploying the following options:
ASK Memorable Chars - Request 3 memorable characters from a victim’s memorable word. The 3 chars can be selected by the threat actor.
ASK Full Memorable - Request the full memorable word.
Give Code - Give a code to the user as a form of integrity check for the bank.
ASK Call - Ask the victim to phone a number.
ASK LOGIN AGAIN - Request username and password again.
Finish - Show completed and return the user to a legitimate banking website.
Traditional phishing kits can only transition stolen credentials to a configured email address. Kr3pto Puppeteer Kits offer a dynamic solution, enabling threat actors to acquire real-time security codes and two-factor authentication data.
This simple but expensive design allows threat actors to target multiple financial institutions at once to maximize returns. In addition, the control panel configuration allows teams of threat actors to collaboratively, expanding their scope and effectiveness.
Taken together, Kr3pto threat actors have extensive capabilities to target UK banking customers with sophisticated phishing scams that compromise personal and financial data.
Intel and assertions
Currently, there are two distinct websites with the same fingerprint: Kr3pto LLC & AUTOSHOP.
A Telegram channel for Kr3pto LLC sells credentials for brands, including Chase, PayPal, and Fullz. Arranged by log required, stolen credentials sell at various prices depending on the country of residence.
When engaged in a chat, the actor claimed to be selling the UK live banking kits for £1k each. Along with access to a secret forum for £1k. The forum claim was unsubstantiated. What’s more, the pay-for-access component feels fraudulent as competent threat actors are not joining forums where LE and security researchers are allowed access. The actor showed an awareness of public and open-source reporting on them and their kits.
The actor’s English was good but not perfect, showing they are not a native English speaker. Even so, they are fluent in the language with good spelling and grammar; however, a more complex English sentence structure was lacking.
Currently, the threat actor’s online store has a large number of credentials for sale. Since many phishing sites are stood up every day with similar TTPs, it appears managed by a single actor.
Fortunately, we have not seen an increase in credential stuffing attacks hitting UK financial institutions (FIs) or other services, making it possible that Kr3pto is standing the sites up themselves, harvesting the credentials, and selling them in their store.
While the workflow remains unclear, it is highly possible the whole process is fully automated, allowing for a continuous stream of fresh credentials to enter the marketplace.
Source:https://www.wmcglobal.com/blog/kr3p...c-phishing-kit-targeting-uk-banking-customers