Robin Banks phishing service returns to steal banking accounts
The Robin Banks phishing-as-a-service (PhaaS) platform is back in action with infrastructure hosted by a Russian internet company that offers protection against distributed denial-of-service (DDoS) attacks.
Robin Banks faced operational disruption in July 2022, when researchers at IronNet exposed the platform as a highly threatening phishing service targeting Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Santander, Lloyds Bank, and the Commonwealth Bank.
Cloudflare immediately blacklisted the platform’s frontend and backend, abruptly stopping ongoing phishing campaigns from cybercriminals paying a subscription for using the PhaaS platform.
A new report from IronNet warns of the return of Robin Banks and highlights the measures its operators have taken to better hide and protect the platform from researchers.
Among the new features are bypassing multi-factor authentication (MFA) and a redirector that helps avoid detection.
Robin Banks reloaded
To get their service back online, Robin Bank’s operators turned to DDoS-Guard, a Russian internet services provider with a long history of controversial business exchanges, some of its customers being Hamas, Parler, HKLeaks, and, more recently, Kiwi Farms.
To prevent outsiders from accessing the phishing panel, Robin Banks has now added two-factor authentication for customer accounts. Additionally, all discussions between core administrators are now done through a private Telegram channel.
Robin Banks developers have also implemented the ‘Evilginx2’ reverse proxy for ‘adversary-in-the-middle’ (AiTM) attacks and steal cookies containing authentication tokens. Evilginx2 is a reverse-proxy tool that establishes communication between the victim and the real service’s server, forwarding login requests and credentials and capturing the session cookie in transit.
This helps the phishing actors bypass the MFA mechanism because they can use the captured cookies to log into an account as if they were the owner. Robin Banks sells this new MFA-bypassing feature separately, and advertises that it works with Google, Yahoo, and Outlook ‘phislets’.
The fact that Robin Banks persists by relying exclusively on readily available tools and services proves that PhaaS platforms can be built by anyone determined enough. The wide availability of these platforms opens the door to less technical cybercriminals, allowing them to launch powerful phishing attacks and bypass MFA to steal valuable accounts.
With thanks to the Cyber Defence Alliance and Bleeping Computer. The full story is here: https://www.bleepingcomputer.com/news/security/robin-banks-phishing-service-returns-to-steal-banking-accounts/
Free Phishing Security Test
Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.
Here’s how it works:
- Immediately start your test for up to 100 users (no need to talk to anyone)
- Select from 20+ languages and customize the phishing test template based on your environment
- Choose the landing page your users see after they click
- Show users which red flags they missed, or a 404 page
- Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
- See how your organization compares to others in your industry
PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/phishing-security-test-partner?partnerid=001a000001lWEoJAAW