Robin Banks Phishing Services Heads Back to Steal Banking Accounts

A Russian internet company that sells distributed denial-of-service (DDoS) protection is now hosting the infrastructure of the Robin Banks phishing-as-a-service (PhaaS) platform. Robin Banks ran into operational difficulty in July 2022, when IronNet researchers exposed it as a highly capable phishing service targeting customers of Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Santander, Lloyds Bank, and the Commonwealth Bank.

Cybercriminals paying for a subscription to the platform saw their running phishing campaigns abruptly halted when Cloudflare banned both the frontend and the backend of the site. A new IronNet report warns that Robin Banks has resurfaced and describes the steps its administrators have taken to better conceal the platform and shield it from researchers. Two new features are a redirector that helps the phishing pages evade detection and a component for bypassing multi-factor authentication (MFA).

To bring the service back online, the Robin Banks operators moved to DDoS-Guard, a Russian internet service company with a long history of controversial customers, among them Hamas, Parler, HKLeaks and, more recently, Kiwi Farms. Robin Banks has also enabled two-factor authentication on customer accounts so that unauthorized users cannot reach the phishing panel, and all discussion among the core admins now takes place in a private Telegram channel.

IronNet’s analysts identified the use of “Adspect”, a third-party cloaker, bot filter and ad tracker, as one of Robin Banks’ new features. Cloaking is how the phishing pages evade detection: real targets are sent on to the phishing site, while scanners and other unwanted traffic are diverted to legitimate websites. Adspect does not market itself as a phishing tool, but according to IronNet its services are advertised on several dark web forums and Telegram channels devoted to phishing.
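
The following is an added example, not code from the original article and not Adspect’s or Robin Banks’ code. It models the cloaking behaviour just described with a toy rule set (User-Agent markers and a “scanner” IP range, both assumed) and shows the check an analyst can run against a suspect URL: fetch it as several personas and see whether the destination changes. The URLs, IP ranges and personas are constructed for the example.

```python
"""
Toy model of a cloaker/bot filter plus a multi-persona probe that detects it.
All URLs, addresses and rules are constructed for this example; real
cloaking products use many more signals than are modelled here (assumption).
"""
import ipaddress

PHISHING_PAGE = "https://login.example-bank-secure.test/"  # constructed phishing URL
DECOY_PAGE = "https://www.example.com/"                   # benign decoy destination

# Signals a simple cloaker keys on (assumed rule set, not Adspect's real logic)
SCANNER_UA_MARKERS = ("curl", "wget", "python-requests", "go-http-client",
                      "bot", "urlscan", "virustotal", "headlesschrome")
# TEST-NET-3 stands in for a hosting/cloud range that scanners come from
SCANNER_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def cloaker_decision(user_agent: str, client_ip: str) -> str:
    """Return the URL a cloaker would send this visitor to."""
    ua = user_agent.lower()
    if any(marker in ua for marker in SCANNER_UA_MARKERS):
        return DECOY_PAGE                      # looks like a scanner or crawler
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in SCANNER_NETS):
        return DECOY_PAGE                      # comes from a datacenter range
    return PHISHING_PAGE                       # likely a real victim


# Personas an analyst probes with: (label, User-Agent, source IP). Constructed.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/118.0 Safari/537.36")
IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 "
             "Mobile/15E148 Safari/604.1")
PROBE_PERSONAS = (
    ("cli", "python-requests/2.31.0", "198.51.100.7"),
    ("cloud-browser", CHROME_UA, "203.0.113.9"),
    ("residential-browser", CHROME_UA, "198.51.100.7"),
    ("residential-mobile", IPHONE_UA, "198.51.100.8"),
)


def probe_for_cloaking(fetch) -> tuple[bool, dict]:
    """fetch(user_agent, client_ip) -> final URL after redirects.

    Cloaking is suspected when personas that should all see the same page
    land on different destinations. Returns (suspected, per-persona results).
    """
    results = {label: fetch(ua, ip) for label, ua, ip in PROBE_PERSONAS}
    return len(set(results.values())) > 1, results


if __name__ == "__main__":
    suspected, seen = probe_for_cloaking(cloaker_decision)
    print("cloaking suspected:", suspected)
    for label, url in seen.items():
        print(f"  {label:20s} -> {url}")
```

In practice `fetch` would be a real HTTP client that follows redirects from each vantage point (a residential egress and a datacenter egress, a scripted client and a full browser); the toy `cloaker_decision` only stands in for the remote site so the probe runs offline.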

To carry out “adversary-in-the-middle” (AiTM) attacks and steal the cookies that hold authentication tokens, the Robin Banks developers have also incorporated the “Evilginx2” reverse proxy. Evilginx2 sits between the victim and the genuine service’s server, relaying login requests and credentials to the real site while intercepting the session cookie it returns. Because that cookie is issued only after the password and the MFA check have both succeeded, an attacker who replays it is treated as the logged-in account owner, so the MFA step is effectively bypassed.
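
The following is an added, in-process model of the AiTM flow just described; it is not code from the article, from Evilginx2 or from Robin Banks. A toy `GenuineService` stands in for a real login backend and `AiTMProxy` for the reverse proxy on a look-alike domain. All hostnames, the user, password, one-time code and session tokens are constructed for the example, and nothing touches the network.

```python
"""
Toy AiTM reverse-proxy simulation: the victim logs in (password + OTP)
through the proxy, the proxy relays everything to the genuine service and
records the Set-Cookie it returns, and the attacker then replays that cookie
directly against the genuine service with no password and no OTP.
All hosts, users and secrets are constructed for this example.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class GenuineService:
    """Stand-in for the legitimate login backend (constructed host and user)."""
    host: str = "login.example-bank.test"
    # username -> (password, current one-time code); constructed credentials
    users: dict = field(default_factory=lambda: {"alice": ("hunter2", "123456")})
    sessions: dict = field(default_factory=dict)  # cookie value -> username

    def handle(self, request: dict) -> dict:
        """Dispatch a request dict of the form {'host', 'path', 'body'?, 'cookie'?}."""
        if request.get("host") != self.host:
            return {"status": 400, "body": "unknown host"}
        if request["path"] == "/login":
            return self._login(request.get("body", {}))
        # Every other path only checks the session cookie; MFA is not re-checked.
        user = self.sessions.get(request.get("cookie", ""))
        if user is None:
            return {"status": 401, "body": "login required"}
        return {"status": 200, "body": f"account page for {user}"}

    def _login(self, body: dict) -> dict:
        creds = self.users.get(body.get("user", ""))
        if creds is None:
            return {"status": 401, "body": "bad credentials"}
        password_ok = hmac.compare_digest(creds[0], body.get("password", ""))
        otp_ok = hmac.compare_digest(creds[1], body.get("otp", ""))
        if not (password_ok and otp_ok):
            return {"status": 401, "body": "bad credentials"}
        token = secrets.token_hex(16)
        self.sessions[token] = body["user"]
        # The Set-Cookie value is the prize: it is what an AiTM proxy captures.
        return {"status": 200, "body": "welcome", "set_cookie": token}


@dataclass
class AiTMProxy:
    """Reverse proxy on the phishing domain. It relays each request to the
    genuine service unchanged except for the Host header, hands the real
    response back to the victim, and logs credentials and session cookies."""
    upstream: GenuineService
    host: str = "login.example-bank-secure.test"  # constructed look-alike domain
    captured: list = field(default_factory=list)

    def handle(self, request: dict) -> dict:
        forwarded = dict(request)
        forwarded["host"] = self.upstream.host  # so the real backend accepts it
        response = self.upstream.handle(forwarded)
        if request["path"] == "/login" and "set_cookie" in response:
            self.captured.append({
                "user": request["body"].get("user"),
                "password": request["body"].get("password"),
                "otp": request["body"].get("otp"),          # already consumed, useless now
                "session_cookie": response["set_cookie"],   # reusable until it expires
            })
        return response  # the victim sees the genuine service's own reply


def run_flow(otp: str = "123456") -> dict:
    """Victim logs in through the proxy; the attacker then replays the cookie."""
    service = GenuineService()
    proxy = AiTMProxy(upstream=service)
    victim_resp = proxy.handle({
        "host": proxy.host, "path": "/login",
        "body": {"user": "alice", "password": "hunter2", "otp": otp},
    })
    result = {"victim_status": victim_resp["status"],
              "cookie_captured": bool(proxy.captured),
              "replay_status": None}
    if proxy.captured:
        stolen = proxy.captured[-1]["session_cookie"]
        # No password, no OTP: the cookie alone is accepted by the real service.
        replay = service.handle({"host": service.host, "path": "/account",
                                 "cookie": stolen})
        result["replay_status"] = replay["status"]
    return result


if __name__ == "__main__":
    print(run_flow())              # MFA login succeeds, cookie captured, replay accepted
    print(run_flow(otp="000000"))  # wrong OTP: no cookie is issued, nothing to replay
```

The second call shows the limit of the technique: the proxy only gets a usable cookie when the victim actually completes MFA, which is why the phishing page must relay the real service’s responses convincingly rather than merely collect a password.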

This MFA-bypass capability, which Robin Banks sells separately, is advertised as working with “phishlets” for Google, Yahoo and Outlook. Robin Banks continues to assemble its PhaaS offering entirely from free tools and services, which shows that anyone with enough motivation could do the same. Because such platforms are so readily available, even less technically skilled criminals can run effective phishing campaigns and get past MFA to take over valuable accounts.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.