Spiderman Phishing Service Expands Its Reach Across European Banks

Key Takeaways

  • Varonis researchers detail a modular phishing kit, “Spiderman,” used to mimic dozens of European banking and fintech portals.
  • The service enables real-time credential capture, OTP interception, and crypto wallet seed‑phrase theft.
  • Targeted enterprises face heightened account‑takeover and fraud risks as operators refine geographic and device‑based filtering.

A new phishing kit named Spiderman is circulating widely among cybercriminals and, according to researchers at Varonis, it’s already being used to target customers of major European banks, telecoms, and cryptocurrency services. The tool’s appeal is obvious: it produces pixel‑perfect replicas of legitimate login pages and funnels victims through highly convincing flows that capture credentials, two-factor authentication codes, and even credit card details. It’s the kind of kit that reminds security teams how quickly professionalized phishing infrastructure evolves.

Researchers say Spiderman currently includes templates for services in five European countries, covering household names such as Deutsche Bank, ING, Comdirect, Blau, O2, CaixaBank, Volksbank, and Commerzbank. It doesn’t stop there. The team also saw phishing pages impersonating fintech portals like Klarna and PayPal, along with traps designed to harvest seed phrases for Ledger, MetaMask, and Exodus wallets. That last part is worth pausing on. Seed‑phrase theft isn’t new, but when it sits alongside banking templates in the same kit, it signals a convergence in attacker workflows that financial institutions have been anticipating for years.

Even so, the core appeal for operators appears to be the kit’s modularity. Varonis notes that new banks, authentication paths, and localization variants can be added quickly, which means the tool can track alongside changes to e‑banking flows. A small detail, but it tells you a lot about how these fraud ecosystems operate: they adapt in weeks, not quarters. And that creates a headache for security leaders who are already contending with credential‑phishing fatigue across their user base.

Spiderman isn’t some boutique tool, either. One group associated with the kit reportedly runs a Signal channel with 750 members. That’s a sizable distribution footprint for a phishing operation focused on financial services. It also means the kit’s templates and flows are likely being exercised by a wide range of operators, from opportunistic actors to more structured fraud crews.

From its dashboard, operators can watch victim sessions live, capture inputs in real time, export collected data with a single click, and intercept PhotoTAN or other one‑time passcodes as they appear. The real‑time interception capability is particularly concerning for banks that rely on PhotoTAN systems. These systems work by presenting a colored mosaic during login or transaction approval. Users scan the mosaic with their banking app, which decodes it and displays an OTP for the user to re‑enter. It’s a clever flow meant to ensure that transactions are tied to a specific action, but phishing kits have been working around such mechanisms for years. Spiderman simply packages that workaround neatly for less‑skilled actors.

There’s also a targeting layer that lets operators restrict campaigns by country, ISP, device type, or other filters. If a visitor doesn’t meet the criteria, the kit can redirect them to legitimate sites to avoid burning the lure. That raises an interesting question for defenders: how many campaigns evade detection because the phishing infrastructure silently discards security‑research traffic? It’s an uncomfortable reminder that discovery bias shapes threat‑intel visibility more than most teams admit.

This kind of filtering also makes the campaigns feel more “native” to victims. A mobile‑only phish landing on a mobile device, after passing through an ISP allowlist, avoids many of the cues users rely on to detect fraud. And yet the broader point remains unchanged. All of these operations still depend on a victim clicking a malicious link. Spiderman might polish the workflow, but it can’t remove the human decision at the top.

Varonis warns that data collected through the kit can lead to banking account takeover, SIM swapping, credit card fraud, and identity theft. None of these outcomes are surprising; they’re the standard playbook once attackers obtain credentials and OTP access. But the breadth of data Spiderman collects—banking details, crypto information, and identity documents—creates a single pipeline that fraud crews can monetize in multiple ways. It’s the operational efficiency that makes these kits dangerous, not just their technical tricks.

From a business and technology standpoint, this raises obvious implications. Financial institutions have been pushing customers toward stronger authentication flows, mobile app approval steps, and encrypted messaging channels. But phishing kits like Spiderman aim directly at those processes and, in some cases, neutralize their value by capturing the required data in real time. The question for enterprise fraud teams becomes: where do you add friction or behavioral analysis without destabilizing user experience?

There’s also the matter of detection. Some banks are already experimenting with domain‑reputation algorithms and automated takedown flows, but those tools have a hard time keeping pace with modular kits that can spin up new templates rapidly. And because the phishing pages are so accurate, standard user‑awareness training doesn’t always land. People memorize logos, colors, and layout cues. Spiderman replicates all of them.

One practical takeaway sits in the source's closing advice: if a user receives an SMS or PhotoTAN prompt without initiating a transaction, it’s a strong indicator of account takeover. That sounds obvious, but in busy environments, this is the kind of signal employees or consumers often overlook. It might be one of the few early warnings institutions can rely on today.
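That closing advice can be turned into a bank-side detection rule: flag any OTP or PhotoTAN challenge that was not preceded, within a short window, by an action the customer initiated from one of their own known devices. The Python below is an added example, not code from Varonis or the article; it assumes the bank's backend logs customer-initiated actions and the challenges they trigger together with the device the triggering session is bound to (event names, field names and the sample events are constructed).

```python
from datetime import datetime, timedelta

# Constructed sample of bank-side authentication events (not real data).
# Field names and event names are assumptions made for this example.
EVENTS = [
    {"ts": "2024-05-02T09:00:05", "user": "c1001", "event": "transfer_initiated", "device": "dev-A"},
    {"ts": "2024-05-02T09:00:12", "user": "c1001", "event": "phototan_challenge", "device": "dev-A"},
    {"ts": "2024-05-02T09:30:40", "user": "c1001", "event": "login", "device": "dev-Z"},
    {"ts": "2024-05-02T09:30:44", "user": "c1001", "event": "phototan_challenge", "device": "dev-Z"},
    {"ts": "2024-05-02T10:02:00", "user": "c1002", "event": "sms_otp_challenge", "device": "dev-Q"},
]

# Devices each customer has enrolled or used from a previously verified session.
KNOWN_DEVICES = {"c1001": {"dev-A", "dev-B"}, "c1002": {"dev-K"}}

INITIATING = {"login", "transfer_initiated", "payment_initiated"}
CHALLENGES = {"phototan_challenge", "sms_otp_challenge"}


def parse(ts):
    return datetime.fromisoformat(ts)


def unsolicited_challenges(events, known_devices, window=timedelta(seconds=120)):
    """Return challenge events with no initiating action from one of the
    customer's known devices in the preceding window.

    A real-time relay kit asks the bank for the PhotoTAN/OTP from the
    attacker's session, so the initiating action arrives from a device the
    customer has never used; from the customer's side the prompt is
    unsolicited, which is the signal the article's closing advice describes."""
    ordered = sorted(events, key=lambda e: e["ts"])
    flagged = []
    for i, ev in enumerate(ordered):
        if ev["event"] not in CHALLENGES:
            continue
        t = parse(ev["ts"])
        trusted = known_devices.get(ev["user"], set())
        solicited = any(
            prev["user"] == ev["user"]
            and prev["event"] in INITIATING
            and prev["device"] in trusted
            and timedelta(0) <= t - parse(prev["ts"]) <= window
            for prev in ordered[:i]
        )
        if not solicited:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in unsolicited_challenges(EVENTS, KNOWN_DEVICES):
        print(f"{ev['ts']} user={ev['user']} {ev['event']} via device {ev['device']}: unsolicited")
```

On the sample data the rule passes the 09:00 transfer (initiated from the enrolled device dev-A) and flags the 09:30 PhotoTAN challenge triggered from the unknown device dev-Z and the SMS code for c1002 that no logged action requested.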

For now, the defensive guidance remains straightforward. Confirm domains, question unexpected authentication prompts, and treat browser‑in‑the‑browser windows with suspicion. Not glamorous advice, but it’s the layer that keeps phishing kits—no matter how polished—from achieving their goal.