Robin flying away with Bitcoin

“Robin Banks” a new phishing attack targeting Wells Fargo and Citi

The “Robin Banks” phishing as a service (PhaaS) platform has recently been unveiled. The site provides pre-made phishing kits that are designed for users of well-known banks and internet businesses.

Phishing kits are available to online criminals looking to buy the financial data of Americans as well as residents of the U.K., Australia, and Canada. The primary targets include Capital One, Citibank, Bank of America, Wells Fargo, U.S. Bank, PNC, Lloyds Bank, Santander and the Commonwealth Bank of Australia.

Phishing kits are collections of files that have already been assembled to include all the code, images, and configuration files required to build a phishing page. They often have features that are simple to implement and reuse, such as curated databases of targets or branded email templates.

In addition, Robin Banks provides templates for stealing Netflix, T-Mobile, Microsoft, and Google accounts.

Midway through June, IronNet analysts uncovered a fresh, extensive campaign that was using the Robin Banks platform to send SMS and email messages to victims. The goal was to get access to Microsoft account credentials, Citibank account credentials, and financial data related to Citibank.

Robin Banks is robbing your bank

A cybercriminal organisation that has reportedly been operating since March 2022 has a new initiative called Robin Banks. It was designed for quickly creating excellent phishing websites that target clients of significant banks.

A login with an email address and password must be created to access the robinbanks[.]in website, and payment must be made with Bitcoin. Customers first see the site’s well-designed dashboard, which includes a sidebar with tools to create a new page, keep track of existing sites, and add money to the wallet. Customers can also access a wide range of choices from which to create a unique phishing kit at this location.

Robin Banks Dashboard and sidebar
Robin Banks sidebar and dashboard (IronNet)

Additionally, the platform offers customers choices like adding reCAPTCHA to prevent bots or monitoring user agent strings to exclude certain users from highly focused ads. Cybercriminals can select from a wide range of brands when creating a kit through Robin Banks in order to copy and attack bank clients.

Robin Banks Customisation
Selecting a bank to phish (IronNet)

Compared to 16Shop and BulletProftLink, the Robin Banks website has an advanced yet user-friendly webGUI. These two well-known phishing kits are likewise significantly more costly than Robin Banks.

In order to reflect changes in the targeted entities’ design and colour scheme, the new PhaaS platform is continually introducing new templates and upgrading the ones that already exist. Due of these benefits, Robin Banks has gained a great deal of popularity among hackers during the past several months.

A Persistent Effort

One operation involved sending a Smishing attack about “strange usage” of debit cards to Citibank customers by a Robin Banks operator. This campaign’s goal was to get access to Microsoft account credentials as well as Citibank account information and financial details.

Smishing Message
Smishing Message Attack (IronNet)

Victims are directed to a phishing page where their personal information is demanded by clicking the offered link to remove the alleged security restrictions. When a victim visits a phishing website, their browser is fingerprinted to establish whether they are using a desktop or a mobile device, and the relevant web page version is loaded.

A POST request is issued to the Robin Banks API as soon as the victim fills out all the form fields on the phishing website. Both the campaign operator’s and the victim’s unique tokens are contained in this website.

Post request To Stolen data
An example of a POST request with phished data (IronNet)

It is clear from examining the network packets that the quantity of POSTs is affected by the number of different pages that the victim is visited and have requests for data made of them. The threat actors‘ management interface allows them to inspect the POST data after it has been posted to the API. They can now choose to immediately share the info to their own Telegram channel.

Investigations revealed that this campaign has been an amazing success. Account information for several victims was sold on the dark web and through multiple Telegram groups.


Internet users are not likely to benefit from the development of a new, high-quality PhaaS platform. Because it encourages low-skill cybercriminals to engage in phishing and increases the barrage of difficult communications.

You must use a complex strategy to guard both yourself and your business against falling for phishing emails. A key step is to turn on 2FA for all of your accounts and use a personal phone number to get one-time passwords. Never click on unverified links provided over SMS or email, and always double-check the authenticity of the website you’ve just landed on if you want to protect yourself from these malicious attacks.

Has your organisation started to increase cyber security measures yet? Start your two-week free trial today.

Recent posts