The Robin Banks phishing-as-a-service (PhaaS) platform made a comeback to steal banking accounts.
The Robin Banks phishing-as-a-service (PhaaS) platform is back in action with infrastructure hosted by a Russian internet company that offers protection against distributed denial-of-service (DDoS) attacks.
Back in July 2022, researchers at IronNet exposed the platform as a highly threatening phishing service targeting Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Santander, Lloyds Bank, and the Commonwealth Bank. Since then, Robin Banks had been operationally disrupted.
Cloudflare immediately blacklisted the platform’s frontend and backend, abruptly stopping ongoing phishing campaigns from cybercriminals paying a subscription for using the PhaaS platform.
A new report from IronNet warns of the return of Robin Banks and highlights the measures its operators have taken to better hide and protect the platform from researchers.
To get their service back online, Robin Banks’ operators turned to DDoS-Guard, a Russian internet services provider with a long history of controversial customers, among them Hamas, Parler, HKLeaks, and, more recently, Kiwi Farms.
Robin Banks has now added two-factor authentication for customer accounts to prevent outsiders from accessing the phishing panel.
Additionally, all discussions between core administrators are now done through a private Telegram channel.
One of the new features that IronNet’s analysts discovered in Robin Banks is the use of ‘Adspect,’ a third-party cloaker, bot filter, and ad tracker.
PhaaS platforms use tools like Adspect to direct valid targets to phishing sites while redirecting scanners and unwanted traffic to benign websites, thus evading detection.
Robin Banks developers have also implemented the ‘Evilginx2’ reverse proxy to carry out ‘adversary-in-the-middle’ (AiTM) attacks and steal cookies containing authentication tokens.
Evilginx2 is a reverse-proxy tool that establishes communication between the victim and the real service’s server, forwarding login requests and credentials and capturing the session cookie in transit.
This helps the phishing actors bypass the MFA mechanism because they can use the captured cookies to log into an account as if they were the owner.
Robin Banks sells this new MFA-bypassing feature separately, and advertises that it works with Google, Yahoo, and Outlook ‘phishlets’.
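The cookie theft described above leaves a trace on the real service’s side: a session is issued to one client (in an AiTM attack, often the proxy’s hosting IP) and then presented shortly afterwards from a different network and browser. The detection logic below is an added example, not code from the article or from IronNet; the log format, field names and sample lines are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): timestamp, event, user, session
# id, source IP, ASN, user agent. alice's session is issued to one client and
# presented from another network and browser three minutes later, which is
# what replay of a proxy-captured cookie looks like from the server's side.
SAMPLE_LOG = """\
2022-11-01T09:00:00Z LOGIN_OK user=alice sid=7f3a ip=203.0.113.10 asn=AS64500 ua=Firefox
2022-11-01T09:00:05Z REQUEST user=alice sid=7f3a ip=203.0.113.10 asn=AS64500 ua=Firefox
2022-11-01T09:03:12Z REQUEST user=alice sid=7f3a ip=198.51.100.7 asn=AS64511 ua=Chrome
2022-11-01T09:10:00Z LOGIN_OK user=bob sid=c2e9 ip=192.0.2.44 asn=AS64501 ua=Safari
2022-11-01T09:30:00Z REQUEST user=bob sid=c2e9 ip=192.0.2.44 asn=AS64501 ua=Safari
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) sid=(?P<sid>\S+) "
    r"ip=(?P<ip>\S+) asn=(?P<asn>\S+) ua=(?P<ua>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_session_replays(log_text, window=timedelta(hours=1)):
    """Alert on sessions used from a different ASN *and* user agent than the
    client they were issued to, within `window` of the login that created them."""
    issued = {}   # sid -> the LOGIN_OK record that created the session
    alerts = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["event"] == "LOGIN_OK":
            issued[rec["sid"]] = rec
            continue
        origin = issued.get(rec["sid"])
        if origin is None:
            continue  # session predates the log window; nothing to compare
        # Require both network and browser to change: an IP change on its own
        # is routine on mobile networks and VPNs and would flood the alert queue.
        changed = rec["asn"] != origin["asn"] and rec["ua"] != origin["ua"]
        if changed and rec["ts"] - origin["ts"] <= window:
            age = int((rec["ts"] - origin["ts"]).total_seconds())
            alerts.append({"user": rec["user"], "sid": rec["sid"],
                           "issued_to": origin["ip"], "replayed_from": rec["ip"],
                           "seconds_after_login": age})
    return alerts
```

A hit is a lead, not proof: confirm it against the login’s own origin (a hosting-provider ASN where the user normally signs in from a residential one is the other half of the AiTM pattern) before revoking the session.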