Robin flying away with Bitcoin

Robin Banks Phishing Service Is Back to Steal Banking Information

Robin Banks, a phishing-as-a-service (PhaaS) platform, that Cloudflare blocked due to criminal activities, is back in operation with a Russian service provider and new capabilities to make it easier to breach security protocols.

Robin Banks experienced operational instability in July 2022 when IronNet researchers revealed the system as a highly dangerous phishing service. It described a threat group that was offering phishing kits to online criminals, who then used those tools to steal login information and financial information from people in the UK, the US, Australia and Canada.

On fake landing pages, it was found that visitors were being requested to enter their Google and Microsoft credentials. The malware was revealing an effort on the part of its creators to get early access to company networks to conduct post-exploitation activities like ransomware and spying.

A recent report from IronNet alerts readers to the possible return of Robin Banks and outlines the steps its administrators have made to more efficiently compromise networks. Multi-factor authentication (MFA) bypassing and a redirector that helps in preventing discovery are two of the new features.

According to researchers:

This hosting service is also known for failing to respond with removal requests, making it more accessible to threat actors.

Robin Banks’ New Approach and Modification:

The Robin Banks actor has moved its frontend and backend to DDoS-Guard because of Cloudflare’s decision to blocklist its network in the light of public discovery. The famous Kiwi Farms and the alternative social network Parler were once hosted there.

The utilisation of “Adspect,” a third-party cloaker, bot filter, and ad tracker, is one of the new elements that IronNet’s investigators found in Robin Banks. Adspect is one of the technologies that PhaaS platforms use to send valid targets to phishing websites while deflecting crawlers and irrelevant traffic to trusted domains. This helps them avoid being discovered.

Adspect traffic flow diagram technique used by robin banks
Adspect traffic flow diagram (adspect.ai)

IronNet claims Adspect does not openly market itself as a phishing help, its services are featured on several dark web forums and Telegram channels focused to phishing.

For adversary-in-the-middle attacks to steal these cookies that hold authentication tokens, the Robin Banks developers additionally used the Evilginx2 reverse proxy. A connection is established between the user and the actual service server using the reverse-proxy tool. In this manner, the login request and credentials that capture session cookies en route are forwarded.

To enter into an account while spoofing the owner, phishing actors may now get through MFA restrictions. They do this by using cookies that have been gathered by specialist tools. These services are available for feature-specific separate sale. Because they only consume resources that are easily available, Robin Banks’ operators can continue their business.

Robin Banks’ ability to continue using freely accessible tools and services is proof that anyone with enough determination may develop PhaaS platforms. Because they can conduct phishing attacks, get beyond MFA, steal login information for valuable services, and withdraw money from accounts thanks to this accessibility, sites like these might be used by less skilled and unskilled cybercriminals.

Help your colleagues keep a security-first mindset and boost your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.

Recent posts