

True Login phishing kits are under continuous development as threat actors refine their TTPs for luring victims. With a True Login kit, phishing operators have a higher chance of convincing potential victims that they are logging into the real website. True Login kit developers abuse the banking company's publicly available APIs to query login information and show it to potential victims, luring them further into the operation.
Theoretically, the steps to obtain and develop a True Login phishing kit are:
Upon deployment of a phishing website using the true login kit, the following steps will take place:
Cyberint has obtained some True Login kits, and below are obfuscated code snippets that show the kits abusing APIs.
Cyberint recommends running a security scan on APIs that are used in mobile and online banking. Furthermore, it is recommended to secure the APIs further by adding validation checks to all queries and connections to the APIs.
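
One possible validation check on a login API, as an added example that is not code from Cyberint or from any kit: it flags source IPs that authenticate many distinct accounts in a short window, the pattern expected when a kit's server relays victims' credentials to the real API. The log format, the `/api/v1/login` path, the thresholds and the relay assumption are all hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample API access log (hypothetical format and endpoint names).
SAMPLE_LOG = """\
2024-05-01T10:00:00 ip=203.0.113.7 path=/api/v1/login user=alice status=200
2024-05-01T10:01:10 ip=198.51.100.20 path=/api/v1/login user=erin status=401
2024-05-01T10:01:40 ip=198.51.100.20 path=/api/v1/login user=erin status=200
2024-05-01T10:02:05 ip=203.0.113.7 path=/api/v1/login user=bob status=200
2024-05-01T10:03:30 ip=192.0.2.55 path=/api/v1/login user=frank status=200
2024-05-01T10:04:00 ip=203.0.113.7 path=/api/v1/login user=carol status=401
2024-05-01T10:05:15 ip=192.0.2.55 path=/api/v1/login user=grace status=200
2024-05-01T10:06:20 ip=203.0.113.7 path=/api/v1/login user=dave status=200
2024-05-01T10:07:00 ip=203.0.113.7 path=/api/v1/balance user=dave status=200
"""

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def flag_relay_sources(log_text, window=timedelta(minutes=10),
                       min_accounts=4, login_path="/api/v1/login"):
    """Return {ip: accounts} for IPs that attempted logins for at least
    min_accounts distinct users within a sliding window. Failed attempts
    count too, since a relay forwards whatever the victim typed.
    Assumes the log is in chronological order."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("path") != login_path:
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["user"]))
        while rec["ts"] - q[0][0] > window:   # drop attempts outside the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_accounts:
            flagged.setdefault(rec["ip"], set()).update(users)
    return flagged

if __name__ == "__main__":
    for ip, users in flag_relay_sources(SAMPLE_LOG).items():
        print(ip, sorted(users))
```

Shared egress addresses such as corporate or carrier NAT also carry many accounts, so the threshold needs tuning against normal traffic before a flag is used to challenge or block a connection.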