Jump to content
  • Robin Banks phishing service returns to steal banking accounts

    alf9872000

    • 365 views
    • 3 minutes
     Share


    • 365 views
    • 3 minutes

    The Robin Banks phishing-as-a-service (PhaaS) platform is back in action with infrastructure hosted by a Russian internet company that offers protection against distributed denial-of-service (DDoS) attacks.

     

    Robin Banks faced operational disruption in July 2022, when researchers at IronNet exposed the platform as a highly threatening phishing service targeting Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Santander, Lloyds Bank, and the Commonwealth Bank.

     

    Cloudflare immediately blacklisted the platform’s frontend and backend, abruptly stopping ongoing phishing campaigns from cybercriminals paying a subscription for using the PhaaS platform.

     

    A new report from IronNet warns of the return of Robin Banks and highlights the measures its operators have taken to better hide and protect the platform from researchers.

     

    Among the new features are bypassing multi-factor authentication (MFA) and a redirector that helps avoid detection.

    Robin Banks reloaded

    To get their service back online, Robin Bank’s operators turned to DDoS-Guard, a Russian internet services provider with a long history of controversial business exchanges, some of its customers being HamasParlerHKLeaks, and, more recently, Kiwi Farms.

     

    To prevent outsiders from accessing the phishing panel, Robin Banks has now added two-factor authentication for customer accounts.

     

    Additionally, all discussions between core administrators are now done through a private Telegram channel.

    New redirector

    One of the new features that IronNet’s analysts discovered in Robin Banks is the use of ‘Adspect,’ a third-party cloaker, bot filter, and ad tracker.

     

    PhaaS platforms use tools like Adspect to direct valid targets to phishing sites while redirecting scanners and unwanted traffic to benign websites, thus evading detection.

     

    adspect.png

    Adspect functional diagram (adspect.ai)

     

    IronNet comments that Adspect does not advertise itself as a phishing aid; however, its services are promoted on several dark web forums and on Telegram channels dedicated to phishing.

    MFA bypassing

    Robin Banks developers have also implemented the ‘Evilginx2’ reverse proxy for ‘adversary-in-the-middle’ (AiTM) attacks and steal cookies containing authentication tokens.

     

    Evilginx2 is a reverse-proxy tool that establishes communication between the victim and the real service’s server, forwarding login requests and credentials and capturing the session cookie in transit.

     

    This helps the phishing actors bypass the MFA mechanism because they can use the captured cookies to log into an account as if they were the owner.

     

    Robin Banks sells this new MFA-bypassing feature separately, and advertises that it works with Google, Yahoo, and Outlook 'phislets'.

     

    cookie-feature.png

    Promoting the new cookie-stealing feature (IronNet)

     

    The fact that Robin Banks persists by relying exclusively on readily available tools and services proves that PhaaS platforms can be built by anyone determined enough.

     

    The wide availability of these platforms opens the door to less technical cybercriminals, allowing them to launch powerful phishing attacks and bypass MFA to steal valuable accounts.

     

    Source

    • Like 2

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...