A Russian internet company that sells protection against distributed denial-of-service (DDoS) attacks is now hosting the infrastructure of the Robin Banks phishing-as-a-service (PhaaS) platform. Robin Banks ran into operational trouble in July 2022, when IronNet researchers exposed it as a high-risk phishing service targeting customers of Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Santander, Lloyds Bank, and the Commonwealth Bank.
Cybercriminals paying a subscription to use the PhaaS platform were abruptly cut off from their ongoing phishing campaigns when Cloudflare automatically banned the site’s frontend and backend. A new IronNet report warns that Robin Banks is back and describes the steps its administrators have taken to hide the platform from researchers and harden it against takedowns. Two new features stand out: a redirector that helps the phishing pages evade detection, and a reverse-proxy component for bypassing multi-factor authentication (MFA).
To get the service back online, the operators of Robin Banks turned to DDoS-Guard, a Russian internet service company with a lengthy history of contentious business dealings; its clients have included Hamas, Parler, HKLeaks and, more recently, Kiwi Farms. Robin Banks has also enabled two-factor authentication on customer accounts to keep unauthorized users out of the phishing panel, and all conversations among the core admins now take place in a private Telegram channel.
IronNet’s analysts identified the use of “Adspect,” a third-party cloaker, bot filter and ad tracker, as one of Robin Banks’ new features. Cloaking lets a PhaaS platform send genuine targets to its phishing pages while diverting scanners, crawlers and other unwanted traffic to harmless legitimate websites, so automated scanning never sees the phishing content. Adspect does not market itself as a phishing aid, but according to IronNet its services are advertised on several dark web forums and Telegram channels devoted to phishing.
The creators of Robin Banks have also integrated the “Evilginx2” reverse proxy to carry out “adversary-in-the-middle” (AiTM) attacks and steal cookies holding authentication tokens. Evilginx2 sits between the victim and the genuine service’s server, relaying login requests and credentials in both directions while intercepting the session cookie in transit. This lets phishing actors get around MFA: the victim’s one-time code is consumed by the legitimate login that the proxy forwards, and the resulting session cookie lets the attacker sign in as the account owner without ever being asked for a second factor.
This MFA-bypass capability, which Robin Banks sells separately, is advertised as working with “phishlets” for Google, Yahoo and Outlook. Robin Banks continues to build its PhaaS offering almost entirely from freely available tools and services, showing that anyone sufficiently motivated can assemble one. Because such platforms are so widely accessible, even less technically skilled attackers can run effective phishing campaigns and get past MFA to take over high-value accounts.
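To make concrete why a relayed session cookie defeats OTP-style MFA, and why the same relay fails against an origin-bound credential such as a FIDO2/WebAuthn key, the following self-contained simulation walks through both cases in-process. It is an added illustration written for this article, not code from Robin Banks or Evilginx2; the hostnames, the user account, the OTP scheme and the HMAC used as a stand-in for an authenticator's asymmetric signature are all constructed assumptions.

```python
"""Added illustration (not Robin Banks / Evilginx2 code): why a relayed session
cookie bypasses OTP-style MFA, and why an origin-bound (FIDO2/WebAuthn-style)
assertion does not survive the same relay. Everything here runs in-process."""
import hashlib
import hmac
import secrets

# Constructed hostnames for the example; no relation to any real service.
REAL_ORIGIN = "https://login.example-bank.test"
PHISH_ORIGIN = "https://login.example-bank-secure.test"   # the proxy's lookalike host


class GenuineService:
    """Toy identity provider: password + OTP at login, then a bearer session cookie."""

    def __init__(self):
        self.users = {"alice": {"password": "correct-horse", "otp_secret": secrets.token_bytes(16)}}
        self.sessions = {}          # cookie value -> username

    def current_otp(self, user):
        # Stand-in for the code shown on the user's authenticator app (one fixed time window).
        return hmac.new(self.users[user]["otp_secret"], b"window-1", hashlib.sha256).hexdigest()[:6]

    def login(self, user, password, otp):
        u = self.users.get(user)
        if u is None or password != u["password"] or otp != self.current_otp(user):
            return None
        cookie = secrets.token_hex(16)           # what the real site sends in Set-Cookie
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        # MFA is checked only at login; afterwards the cookie alone is the credential.
        return self.sessions.get(cookie)


class AitmProxy:
    """Reverse proxy between victim and real service: relays the login, keeps the cookie."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.captured = []

    def relay_login(self, user, password, otp):
        cookie = self.upstream.login(user, password, otp)   # forwarded verbatim while the OTP is fresh
        if cookie is not None:
            self.captured.append(cookie)                     # copy taken in transit
        return cookie                                        # victim still gets a working session


def demo_cookie_replay():
    """Returns (victim's session user, attacker's session user, attacker's cookieless login)."""
    service = GenuineService()
    proxy = AitmProxy(service)
    victim_cookie = proxy.relay_login("alice", "correct-horse", service.current_otp("alice"))
    attacker_cookie = proxy.captured[-1]
    # Without the cookie the attacker is stuck at the OTP prompt; with it, no prompt ever appears.
    no_cookie_attempt = service.login("alice", "correct-horse", "000000")
    return service.whoami(victim_cookie), service.whoami(attacker_cookie), no_cookie_attempt


class OriginBoundAuthenticator:
    """Stand-in for a FIDO2 authenticator. A real one signs with a per-site asymmetric key;
    an HMAC is used here only to keep the example self-contained."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def make_assertion(self, challenge, browser_origin):
        # The browser supplies the origin it is actually on; it is part of the signed data,
        # so the proxy can neither choose it nor rewrite it afterwards.
        client_data = browser_origin.encode() + b"|" + challenge
        return client_data, hmac.new(self.key, client_data, hashlib.sha256).digest()


def rp_verify(registered_key, challenge, client_data, signature):
    """Relying-party check: origin must be ours and the signature must cover the data as received."""
    origin, _, echoed = client_data.partition(b"|")
    if origin.decode() != REAL_ORIGIN or echoed != challenge:
        return False
    expected = hmac.new(registered_key, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def demo_origin_binding():
    """Returns (direct login ok, login through the proxy ok, proxy-tampered origin ok)."""
    auth = OriginBoundAuthenticator()
    challenge = secrets.token_bytes(32)              # issued by the RP, relayed by the proxy unchanged
    # 1. Victim on the real site.
    data, sig = auth.make_assertion(challenge, REAL_ORIGIN)
    direct = rp_verify(auth.key, challenge, data, sig)
    # 2. Same victim, same challenge, but the browser is on the proxy's lookalike host.
    data, sig = auth.make_assertion(challenge, PHISH_ORIGIN)
    relayed = rp_verify(auth.key, challenge, data, sig)
    # 3. Proxy rewrites the origin field before forwarding; the signature no longer matches.
    forged = data.replace(PHISH_ORIGIN.encode(), REAL_ORIGIN.encode())
    tampered = rp_verify(auth.key, challenge, forged, sig)
    return direct, relayed, tampered


if __name__ == "__main__":
    print(demo_cookie_replay())      # ('alice', 'alice', None)
    print(demo_origin_binding())     # (True, False, False)
```

Run it with `python3 aitm_demo.py`. The first result shows the core of the technique the article describes: the proxy never needs to break MFA, because the victim completes it and the server then trusts a bearer cookie that carries no binding to who presented it. The second result shows the practitioner's takeaway: an assertion that signs over the browser's real origin (as WebAuthn does in clientDataJSON) is rejected when it arrives from the proxy's host, and the proxy cannot patch the origin without invalidating the signature. OTP and push-based MFA offer no such binding, which is why phishing-resistant authenticators, not stronger OTPs, are the answer to AiTM kits.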