A sophisticated new phishing framework dubbed “Spiderman” has emerged in the cybercrime underground, dramatically lowering the barrier to entry for financial fraud.
This toolkit, observed by Varonis, allows threat actors, even those with minimal technical skill, to spin up pixel-perfect replicas of legitimate banking portals in just a few clicks.
The kit explicitly targets customers of dozens of European financial institutions and cryptocurrency platforms, signaling a dangerous evolution in automated cybercrime tools.
What sets Spiderman apart from standard, single-target phishing scripts is its professional-grade architecture and extensive automation. It functions as a full-stack framework where attackers no longer need web development expertise or coding knowledge to launch campaigns.
The kit consolidates targeting for dozens of major brands, including Deutsche Bank, Commerzbank, ING (Germany & Belgium), and CaixaBank, into a single, cohesive interface.

This level of polish follows a concerning trend of feature-packed tools like SpamGPT and MatrixPDF that are making widespread attacks increasingly accessible. In practice, Spiderman reduces the complex process of bank phishing to a simple selection menu.
Cybercriminals simply pick a target institution, click “Index This Bank,” and the kit automatically generates a convincing clone complete with login fields, password prompts, and brand-specific aesthetics.
This efficiency enables attackers to pivot between regions and brands quickly, maintaining a broad “web” of attacks across multiple countries simultaneously.
The technical sophistication of the kit is most evident in its handling of modern security measures and live session management. Spiderman includes modules designed to bypass two-factor authentication (2FA) by capturing PhotoTAN codes and One-Time Passwords (OTPs) in real time.
As the victim enters credentials on the fraudulent page, the operator can view the session live through a dashboard. This allows the attacker to trigger additional prompts instantly, asking the victim for credit card numbers, expiration dates, or secondary authentication codes needed to authorize fraudulent transactions, Varonis said.

Furthermore, the kit employs advanced anti-analysis filtering to evade detection by security researchers and automated scanners. Attackers can configure the platform to allow traffic only from specific countries or device types (such as iOS or Android) while blocking known security vendors, data centers, and VPNs.
By filtering out unwanted visitors, the phishing pages remain active longer before being blacklisted by browser vendors.
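For defenders, the filtering described above means a single fetch from scanner infrastructure can miss the page entirely. The following added example (not from Varonis or the original article) compares fetch records of the same URL from several vantage points and flags URLs whose login form appears for only some of them; the `Fetch` record, the vantage labels and the sample data are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Fetch:
    url: str
    vantage: str   # where/how the scanner fetched from (labels are assumptions)
    status: int
    body: str

# A password input is the marker for "credential form served".
PASSWORD_INPUT = re.compile(r"<input\b[^>]*\btype\s*=\s*[\"']?password", re.I)

def serves_login(fetch):
    return fetch.status == 200 and bool(PASSWORD_INPUT.search(fetch.body))

def find_cloaked(fetches):
    """Map each URL whose login form appears for some vantages only."""
    by_url = {}
    for f in fetches:
        by_url.setdefault(f.url, []).append(f)
    flagged = {}
    for url, group in by_url.items():
        shown = sorted(f.vantage for f in group if serves_login(f))
        withheld = sorted(f.vantage for f in group if not serves_login(f))
        if shown and withheld:
            flagged[url] = {"served_to": shown, "withheld_from": withheld}
    return flagged

# Constructed sample records (not real captures); hosts use the reserved .test TLD.
LOGIN = '<form><input type="text" name="user"><input type="password" name="pin"></form>'
SAMPLE = [
    Fetch("https://suspect.test/login", "datacenter-desktop", 404, "Not Found"),
    Fetch("https://suspect.test/login", "vpn-desktop", 200, "<h1>Welcome</h1>"),
    Fetch("https://suspect.test/login", "residential-ios", 200, LOGIN),
    Fetch("https://bank.test/login", "datacenter-desktop", 200, LOGIN),
    Fetch("https://bank.test/login", "residential-ios", 200, LOGIN),
]

if __name__ == "__main__":
    for url, detail in find_cloaked(SAMPLE).items():
        print(url, detail)
```

Divergence between vantages is a triage signal rather than proof, since legitimate sites also vary responses by region or device.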
The threat landscape is further complicated by the kit’s support for cryptocurrency theft. Modules specifically designed to capture seed phrases for wallets like Ledger, MetaMask, and Exodus indicate that operators are pursuing a hybrid fraud strategy targeting both traditional banking and digital assets.
The distribution of this tool is already widespread. A Signal messenger group linked to the seller behind Spiderman currently hosts roughly 750 members, suggesting a sizable and active community.
As European financial institutions continue to update their e-banking flows, modular kits like Spiderman are expected to evolve in parallel, requiring heightened vigilance from both banking security teams and customers regarding URL verification and authentication requests.
