A Peek at the V3B Phishing Kit Attack via the DNS Lens

Phishing is and remains a top threat. Google alone blocks around 100 million phishing emails daily, and it doesn’t help that phishers get extra help from phishing kits—ready-made cybercrime tools that allow even cybercriminal newbies to launch attacks following a few simple steps.

Resecurity recently uncovered a phishing campaign targeting the customers of several European banks aided by the V3B Phishing Kit. The company’s research on the threat identified 28 domains as indicators of compromise (IoCs).

The WhoisXML API research team expanded the current list of IoCs in a bid to identify other potentially connected artifacts and found:

• 177 email-connected domains
• Nine IP addresses, eight of which turned out to be malicious
• 43 IP-connected domains
• 10 string-connected domains
• 32 brand-containing domains
• 4,537 registrant-connected domains, 490 of which were associated with various threats

Note that this post contains only a preview of our findings. The full research, including a sample of the additional artifacts obtained from our analysis are available for download from our website.

IoC Facts

To find out more about the threat, we began by looking into the WHOIS records of the 28 domains tagged as IoCs via a bulk WHOIS lookup. Our query gave the following results:

• The domain IoCs were distributed among 14 registrars led by Hostinger Operations UAB, which accounted for six domains. NameSilo LLC administered four domain IoCs; Tucows, Inc. handled three; and R01-RU managed two. One domain each was administered by Dynadot LLC; FastDomain, Inc.; GoDaddy.com LLC; Internet Domain Service BS Corp.; INWX GmbH; NiceNIC International Group Co. Limited; OwnRegistrar, Inc.; PSI-USA, Inc.; Realtime Register; and Registrar.eu. Finally, three domain IoCs didn’t have registrars in their current WHOIS records.
  

  

• The threat actors seemingly preferred to use newly registered domains (NRDs) given that 25 of the domain IoCs were created in 2024. Three of the domains didn’t have creation dates in their current WHOIS records.

• The domain IoCs were registered in five countries led by the U.S., which accounted for 12 domains. The Netherlands took the second spot with three domain IoCs. France, Saint Kitts and Nevis, and Spain accounted for one domain each. Finally, 10 domain IoCs didn’t have registrant countries in their current WHOIS records.

  

• One domain IoC—bunq-app-nl(.)net—had public registrant name and organization data in its current WHOIS record.

IoC List Expansion Findings

We began our search for connected threat artifacts by querying the 28 domains tagged as IoCs on WHOIS History API. The query led to the discovery of 15 email addresses in their historical WHOIS records after duplicates were filtered out. Eight of the email addresses were public.

Reverse WHOIS API queries for the eight public email addresses revealed that they were present in the current WHOIS records of 177 email-connected domains after duplicates and the IoCs were removed.

Next, we conducted DNS lookups for the 28 domains tagged as IoCs and found that they resolved to nine unique IP addresses, eight of which turned out to be associated with various threats according to Threat Intelligence Lookup.

This post only contains a snapshot of the full research. You can download the complete findings and a sample of the additional artifacts found on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.