Robin Banks, the phishing-as-a-service (PHaaS) platform that was kicked off Cloudflare for malicious activity, is back in action with a Russian service provider and new tools to make it easier to bypass security measures.
IronNet’s Threat Research unit first wrote about Robin Banks in July, detailing a threat group that was selling phishing kits to cybercriminals who then would use those tools to steal credentials and financial data of people in the US, the UK, Canada, and Australia.
Additionally, the attackers worked to steal Google and Microsoft credentials, indicating Robin Banks was also interested in establishing initial access that could then be used by other cybercriminals for advanced attacks like ransomware.
The crew has been operating since at least March 2022, researchers said. A major campaign in July targeted information relating to Citibank and Microsoft.
The operators behind Robin Banks have since moved their infrastructure to DDoS-Guard, a Russian service provider known for hosting phishing and other criminal activities, IronNet researchers write in a report this week.
In addition, DDoS-Guard has hosted conspiracy theory content from the likes of Qanon and 8chan as well as the official site for the Hamas terrorist group.
“This hosting provider is also notorious in not complying with takedown requests, thus making it more appealing in the eyes of threat actors,” they write.
Irony: Criminals say customers need 2FA to access crimekit
Along with finding a new host, the Robin Banks crew is upping the security of its own platform while offering new tools aimed at getting around cybersecurity like two-factor (2FA) and multifactor authentication (MFA).
To reduce the possibility of someone hacking the platform, Robin Banks now requires 2FA for kit customers who want to view phished information through the group’s main GUI. If they don’t want to adopt 2FA, the kit buyers can choose to have the phished data sent to a Telegram bot.
Robin Banks operators created a separate private Telegram channel to keep outsiders from snooping on private administrator conversations about the platform. However, a dispute within the group led to an angry administrator making the private channel public and the target of cybercriminal-related spam.
The expanded phishing kit includes two files of obfuscated code that IronNet researchers were able to read after applying the open-source PHP obfuscator script. Much of the codebase was used for Adspect, a bot filter and ad tracker designed to detect and filter unwanted visitors.
PHaaS providers like Robin Banks use Adspect and similar tools to ensure victims are redirected to malicious sites and to send scanners and unwanted traffic to benign websites to reduce detection.
Robin Banks also introduced a cookie-stealing capability to bypass 2FA and MFA protections using a tool that IronNet researchers said appears based on the open-source evilginx2 that is used to launch adversary-in-the-middle attacks through a pre-built framework. Attackers can use the framework to phish for login credentials and cookies – or authentication tokens – enabling them to bypass 2FA and MFA on platforms like Google, Yahoo, and Microsoft Outlook.
Robin Banks may be using the cookie-stealing capability to broaden its customer base to include more advanced persistent threat (APT) groups looking to compromise specific targets.
The operators sell this feature for $1,500 a month, much more than that $200 monthly fee for Robin Banks’ full access phishing kit.
The evolution of the PHaaS platform highlights the growing threat of less-skilled cybercriminals and their easy access to low-cost options for launching attacks, the IronNet researchers write.
The PHaaS market is becoming increasingly saturated, putting pressure on developers to come out with new tools and to create ways to bypass security measures, such as cookie stealing and MFA fatigue.