Spiderman Phishing-as-a-Service Targets European Banks, Fintech and Crypto Wallets

CyberSecureFox 🦊

A newly identified phishing-as-a-service (PhaaS) platform dubbed Spiderman is enabling cybercriminals to run large-scale, highly convincing phishing campaigns against users of European banks, fintech platforms and cryptocurrency wallets. According to researchers at Varonis, this criminal service is designed to steal not only usernames and passwords, but also two‑factor authentication (2FA) codes, payment-card details and crypto wallet seed phrases.

What Is Spiderman PhaaS and Why It Matters for Online Banking Security

PhaaS platforms turn phishing into an industrialised, subscription-based business. Instead of building infrastructure themselves, threat actors rent ready-made toolkits that handle everything from hosting fake pages to collecting stolen data. Spiderman belongs to this new generation of phishing frameworks, providing an end‑to‑end environment for orchestrating financial fraud.

The platform automates the cloning of legitimate login pages and manages the entire attack chain: redirection of victims to phishing sites, real-time credential harvesting and structured export of captured data through a web-based control panel. This significantly lowers the entry barrier for less technical criminals while raising the quality and believability of phishing pages.

Target Scope: European Banks, Fintech Services and Crypto Wallets

Varonis reports that Spiderman primarily targets customers of major European financial institutions across at least five countries. Among the brands impersonated are Deutsche Bank, ING, Comdirect, Blau, O2, CaixaBank, Volksbank, Commerzbank and other regional banks. For each institution, operators can deploy tailored phishing templates that closely resemble the official online banking interfaces.

The campaigns are not limited to traditional banks. Spiderman supports templates for well-known fintech and payment services such as Klarna and PayPal. In parallel, the platform includes dedicated modules for cryptocurrency users, enabling theft of seed phrases and wallet credentials from solutions like Ledger, MetaMask, Exodus and similar products.

This broad coverage means a single phishing engine can compromise virtually all types of financial assets—from current accounts and credit cards to high‑value crypto holdings—dramatically increasing the potential financial impact of a successful campaign.

Key Spiderman Features: Real-Time Session Hijacking and Precise Targeting

Real-Time Interception of 2FA, PhotoTAN and Card Data

A core differentiator of Spiderman compared with basic phishing kits is its real-time operator panel. Attackers can watch victims interact with the fake login page as it happens, allowing them to intercept:

  • online banking and fintech usernames and passwords;
  • one-time passwords (OTP) sent via SMS or generated in authenticator apps;
  • transaction confirmation codes, including hardware token responses;
  • payment card data (number, expiry, CVV).

Notably, the platform explicitly supports attacks against PhotoTAN, a visual OTP scheme widely used by European banks. In a standard PhotoTAN flow, the bank displays a coloured mosaic that is scanned by a mobile app, which then generates a one-time code tied to a specific transaction. Spiderman imitates this process, tricking the user into scanning a malicious visual code and entering the resulting OTP, which is then captured and reused by the attacker to authorise fraudulent operations.

Advanced Targeting by Country, Network and Device

Through the management console, Spiderman operators can finely tune which visitors are actually attacked. The PhaaS platform allows criminals to:

  • restrict phishing campaigns to specific countries or mobile carriers;
  • maintain “allow lists” of ISPs or organisations that should never see the phishing pages, reducing exposure to regulators and security researchers;
  • filter by device type, for example focusing only on mobile or only on desktop users;
  • configure smart redirects that send unwanted visitors to legitimate websites, decreasing suspicion.

This level of control turns Spiderman into a powerful tool for targeted financial phishing, helping criminals maximise conversion rates while minimising the chances of early detection.

Modular Architecture and Alignment with PSD2/SCA Evolution

Analysis by Varonis suggests that Spiderman is built on a modular architecture. New banks, portals and authentication flows are added as separate modules, which can be swapped or updated as needed. As European financial institutions continue to modernise their online banking platforms and comply with PSD2 Strong Customer Authentication (SCA) requirements, this modularity allows Spiderman’s operators to quickly adapt phishing templates to new user interfaces and security flows.

Industry data underscores the risk. The Verizon 2024 Data Breach Investigations Report again highlights phishing and credential theft as dominant initial access vectors, while ENISA’s threat landscape reports consistently identify phishing as a top threat to EU organisations. PhaaS offerings like Spiderman amplify this problem by commoditising advanced phishing capabilities that previously required specialist skills.

How Users and Organisations Can Defend Against Spiderman PhaaS

Despite its technical sophistication, Spiderman still relies on a familiar weakness: the victim must voluntarily click a malicious link and enter their data on a fake page. Strengthening basic digital hygiene remains one of the most effective defences against such attacks.

Recommended measures for individual users include:

  • Carefully verify the domain name in the browser address bar before entering passwords or 2FA codes, especially when following links from SMS, email or messengers.
  • Avoid logging in via links in messages claiming to be from a bank or payment service. Manually type the URL or use saved bookmarks.
  • Watch for “browser-in-the-browser” (BiTB) tricks that mimic pop-up login windows. If the window behaves like part of the page rather than a separate browser instance, treat it as suspicious.
  • Use a password manager, which will autofill credentials only on the exact domains they are saved for, making it harder to submit passwords to look-alike sites.
  • Prefer FIDO2 security keys or hardware tokens where possible; these bind the authentication process cryptographically to the legitimate domain, making OTP interception attacks significantly harder.
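The last two points above rest on one property, origin binding, which the following added example makes concrete (it is illustration code written for this page, not code from the article or from Varonis). The TOTP routine is plain RFC 6238; the WebAuthn part reproduces the relying party's binding checks from the spec, while the function names, the origins `https://bank.example` and `https://bank-example-login.com`, and the challenge bytes are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import struct

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP. The code depends only on the shared secret and the time:
    nothing ties it to the site where it was typed, so a code harvested on a
    phishing page and relayed within the time window verifies at the real bank."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def otp_accepted(secret: bytes, submitted: str, t: int) -> bool:
    """Bank-side OTP check: there is no origin field to compare."""
    return hmac.compare_digest(totp(secret, t), submitted)

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as the browser builds it; the browser, not the page,
    fills 'origin' from the site that called navigator.credentials.get()."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str) -> bytes:
    """authenticatorData prefix: sha256(rpId) || flags (UP|UV) || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"

def assertion_accepted(expected_origin: str, rp_id: str, challenge: bytes,
                       client_data: bytes, auth_data: bytes) -> bool:
    """Relying-party binding checks from the WebAuthn assertion procedure.
    The ECDSA signature over auth_data || sha256(client_data) is checked by
    a WebAuthn library with the registered public key; stdlib has no ECDSA,
    so that step is outside this block."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != b64url(challenge):  # stale or foreign challenge
        return False
    if cd.get("origin") != expected_origin:  # look-alike domain is rejected here
        return False
    return auth_data[:32] == hashlib.sha256(rp_id.encode()).digest()
```

Running the two checks side by side shows the difference: a TOTP generated at one instant is accepted at the bank a few seconds later no matter where it was entered, whereas an assertion whose clientDataJSON carries a look-alike origin fails before any signature is even examined.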

For organisations, especially in the financial sector, effective countermeasures include secure email gateways with advanced phishing detection, continuous employee phishing simulations, user awareness programmes, and monitoring for anomalous login and transaction patterns. Close cooperation with threat intelligence providers to detect and rapidly take down phishing infrastructure is also critical.

The emergence of Spiderman and similar phishing-as-a-service platforms illustrates how quickly the criminal ecosystem is adapting to the digital transformation of banking and crypto services. Sustained investment in layered technical controls, user education and rapid incident response, combined with simple practices like sceptical verification of every login request and 2FA prompt, can significantly reduce the attack surface and limit the effectiveness of such industrialised phishing operations.
