A new phishing framework allows attackers to deploy branded banking portals with minimal effort.
What happened
Security researchers have identified a phishing framework known as Spiderman that enables attackers to generate realistic banking login pages through an automated interface. According to reporting by Cyber Security News, the kit targets customers of multiple European banks and cryptocurrency platforms, allowing operators to select a brand and deploy a matching phishing page within minutes.
Going deeper
Unlike traditional phishing scripts that focus on a single brand, Spiderman operates as a centralized platform that supports dozens of financial institutions. The framework removes the need for web development skills by handling page creation, hosting logic, and brand styling automatically. Attackers can switch targets quickly, enabling campaigns across multiple regions at the same time. Researchers observed that the kit includes live session monitoring, which allows operators to see victim activity in real time and request additional information as the interaction unfolds.
What was said
Researchers say the kit includes functionality designed to capture one-time passwords and PhotoTAN codes as victims attempt to log in, allowing attackers to bypass multi-factor authentication during active sessions. The platform also includes traffic filtering controls that restrict access by country, device type, or network source. These filters help the phishing pages remain online longer by blocking security scanners, virtual private networks, and data center traffic. Analysts also noted support for cryptocurrency theft, including modules that request wallet seed phrases for common consumer wallets.
The big picture
According to eSecurityPlanet, the Spiderman phishing kit reflects a shift in cybercrime, where “turnkey cybercrime kits are closing the gap between sophisticated threat actors and less experienced criminal operators.” Tools like Spiderman package intricate capabilities, automated site cloning, live session handling, and anti-analysis features into interfaces that require little technical skill. The ease of use is accelerating both the scale and speed of financial phishing campaigns across Europe. As these kits continue to lower the barrier to entry, eSecurityPlanet notes that many financial institutions are being forced to rethink whether traditional perimeter defenses are enough, with growing focus on “how foundational security models like zero trust can better contain the impact of compromised user interactions.”
FAQs
Why do phishing kits target multiple banks at once?
Supporting many brands allows attackers to pivot quickly when one campaign is disrupted and to target victims across different countries.
How does live session monitoring help attackers?
It allows operators to react instantly to victim input, request additional verification codes, and complete fraudulent transactions before sessions expire.
Why are mobile users often more vulnerable?
Smaller screens hide full URLs and security indicators, making it harder to spot subtle domain differences.
What makes these kits difficult to detect?
Traffic filtering blocks security scanners and limits exposure, which helps phishing pages stay active longer.
How can banks and users reduce risk?
Banks can monitor for cloned pages and enforce transaction-level verification, while users should verify URLs carefully and avoid entering credentials through unsolicited links.
Farah Amod
