The Robin Banks PhaaS platform is back with a new Russian server and a cookie stealer to bypass 2FA and compromise organizational accounts. This article shares the history of Robin Banks, attack patterns, how Robin Banks evolved, the Robin Banks cookie stealer and Russian server, how Robin Banks’s phishing kit works, and how organizations can stay protected against Robin Banks’s phishing.
Robin Banks, a popular PhaaS (Phishing as a Service) platform, has relocated its attack infrastructure after Cloudflare cut the platform off from its services. The relocation followed a multi-day disruption of Robin Banks’ operations, after which the platform switched to a Russian provider.
Robin Banks also appears to be developing advanced evasive features into the platform and enhancing its phishing offerings. Here is everything about Robin Banks and how the PhaaS platform has enabled threat actors to rob banks and financial intermediaries.
Robin Banks History: The First Wave of Robin Banks
The PhaaS platform appeared in March 2022 and offered phishing kits to threat actors, allowing them to harvest financial information and carry out malicious activities in the United States, Canada, Australia, and the United Kingdom. The platform was discovered by IronNet’s researchers, who outlined how simple it was to register on the malicious platform, requiring only an email address and a payment in Bitcoin.
The threat actors are provided with a sophisticated dashboard with multiple features to monitor pages, add funds to wallets, and craft custom phishing kits for as low as $50 a month. Furthermore, the cyber criminals who registered on the platform to create multiple phishing pages got access to future updates and 24/7 support at just $200 a month.
IronNet also shared information regarding a large-scale phishing campaign in June that utilized the Robin Banks platform to target its victims. The campaign reached victims via email and SMS to steal Citibank account login credentials and financial information. Robin Banks phishing pages also stole Google and Microsoft credentials, suggesting that more advanced threat actors were using the platform to breach organizational networks for activities such as ransomware deployment and data breaches.
How Do Robin Banks Phishing Artists Attack?
Any threat actor using the Robin Banks platform could create one or more phishing pages to carry out phishing. The lure was sent via SMS or email and contained the link to the fake portal. The page also evaded detection by requiring reCAPTCHA completion whenever a visitor looked like a bot.
The victims were redirected to the phishing page, with content hosted both locally and centrally. The victim’s browser was fingerprinted via its user agent string, and the phishing domain sent all submitted form data (via the POST method) to the API (Application Programming Interface) of Robin Banks.
Researchers at IronNet observed a phishing campaign in which threat actors utilized Robin Banks and were able to acquire and sell the information of numerous victims on the dark web and Telegram. The researchers also noted that the operator behind the platform relied on infrastructure from AWS, Microsoft, DigitalOcean, Google, Oracle, and Cloudflare.
How has Robin Banks Evolved?
The PhaaS platform has evolved considerably in the last few months:
Robin Banks Changing Its Infrastructure
After IronNet’s researchers discovered Robin Banks and its attack campaigns, engineers at Cloudflare acted swiftly by marking all Robin Banks domains as malicious, causing significant disruption to phishing operations that relied on the PhaaS platform.
However, the disruption was short-lived: phishing stopped for only three days before the threat actors revised the phishing kit and rebuilt the infrastructure. To avoid similar takedowns, Robin Banks relocated its entire front-end and back-end infrastructure to DDOS-GUARD.
DDOS-GUARD is a Russian provider that hosts content and phishing websites for threat actors and, according to Brian Krebs, hosts the official website of the terrorist group Hamas. This is disturbing news, as the Russian provider has a history of non-compliance with takedown requests.
Robin Banks Changing its Security
Adding to the news, IronNet’s researchers also discovered that Robin Banks tightened its own security procedures, now requiring 2FA (Two Factor Authentication) to access the Robin Banks GUI (Graphical User Interface). Furthermore, the PhaaS platform gave its users the option to receive the phished information through a Telegram bot rather than accessing it via the GUI.
The developers of the Robin Banks platform also tried to privatize admin conversations, moving them to a separate Telegram channel. However, there were disagreements amongst the platform’s admins, leading one of the admins to turn the private channel into a public one, exposing critical communications, and opening Robin Banks’ primary and private channels to spamming.
How does the Latest Robin Banks Phishing Kit Work?
The Robin Banks phishing kit was analyzed by IronNet’s researchers, who revealed much about the PhaaS platform.
- Deobfuscation: The Robin Banks phishing kit utilizes standard code with two primary index files that are obfuscated using a PHP obfuscator. The first one, “ob.php,” comes from GitHub and has been modified for Robin Banks. The deobfuscated code from the file resembles the core constructs of Adspect, a tool used to detect and filter web traffic via blacklisting and ML (Machine Learning) techniques.
- Cookie Stealer: The Robin Banks phishing kit also includes a cookie-stealing feature. After IronNet described the PhaaS platform in July, the platform’s developers added a new cookie stealer component. The cookie stealer primarily steals login session cookies, allowing threat actors using the phishing kit to bypass 2FA. Robin Banks’ developers advertised the feature as their “own methodology,” but it appears to be a modification of evilginx2, an open-source tool that enables AITM (Adversary In The Middle) attacks.
Since MFA (Multi-Factor Authentication) protects organizations and individuals, threat actors continuously look for ways to work around MFA. Robin Banks’ inclusion of the cookie stealer is just a way to entice cybercriminals to turn to the platform to get unauthorized access to accounts, even with MFA enabled.
There is a growing trend of threat actors evolving their attack methods and tools to bypass MFA, using techniques such as MFA fatigue and cookie stealers. However, organizations and individuals should note that MFA remains a significant part of account security and must still be enforced within the organization.
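The session cookie theft described above leaves a defender-side trace: the stolen cookie is replayed from the attacker’s machine, not from the browser that completed MFA. The following is an added example, not code from IronNet or the Robin Banks kit; it assumes a constructed key=value web-access log format and binds each session id to the /24 network and user agent seen at the MFA step, flagging any later request that does not match.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log: alice passes MFA in Firefox, then her session id
# shows up a minute later from another network in Chrome (cookie replay);
# bob merely moves within the same /24 on the same browser (benign).
SAMPLE_LOG = """\
ts=2022-11-01T09:00:00 sid=a1f3 user=alice ip=203.0.113.10 ua=Firefox/106 event=mfa_ok
ts=2022-11-01T09:00:05 sid=a1f3 user=alice ip=203.0.113.10 ua=Firefox/106 event=request
ts=2022-11-01T09:01:10 sid=a1f3 user=alice ip=198.51.100.7 ua=Chrome/107 event=request
ts=2022-11-01T09:02:00 sid=b7c9 user=bob ip=192.0.2.44 ua=Safari/16 event=mfa_ok
ts=2022-11-01T09:30:00 sid=b7c9 user=bob ip=192.0.2.60 ua=Safari/16 event=request
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(log):
    """Turn each non-empty 'key=value ...' line into a dict."""
    return [dict(KV_RE.findall(line)) for line in log.splitlines() if line.strip()]

def fingerprint(ev):
    # Bind the session to its /24 and user agent: a NAT pool may drift inside
    # a /24, but a different network or browser means a different client.
    net = ipaddress.ip_network(ev["ip"] + "/24", strict=False)
    return str(net), ev["ua"]

def find_replayed_sessions(log, window=timedelta(minutes=15)):
    """Return (sid, user, ip, ua, reason) for requests whose session id is
    used from a client unlike the one that passed MFA, within `window`."""
    origin = {}  # sid -> (fingerprint at mfa_ok, time of mfa_ok)
    alerts = []
    for ev in parse(log):
        ts, fp = datetime.fromisoformat(ev["ts"]), fingerprint(ev)
        if ev["event"] == "mfa_ok":
            origin[ev["sid"]] = (fp, ts)
            continue
        if ev["sid"] not in origin:
            continue  # no MFA context recorded for this session id
        (o_net, o_ua), o_ts = origin[ev["sid"]]
        if ts - o_ts > window:
            continue  # outside the post-MFA window this rule watches
        reasons = [name for name, changed in (("network", o_net != fp[0]),
                                              ("user-agent", o_ua != fp[1])) if changed]
        if reasons:
            alerts.append((ev["sid"], ev["user"], ev["ip"], ev["ua"], "+".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print("possible stolen session cookie:", alert)
```

A matching response is to revoke the session server-side and require a fresh MFA login, since the cookie itself is the credential the attacker holds.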
How to Protect Against Robin Banks Phishing Attacks
Protection against phishing attacks using the Robin Banks platform or any other platform requires multiple but easy steps.
- Communication Alertness: Never click on links contained in SMS or email communication, especially if they require an account to access or take you to login portals.
- Employ Password Managers and MFA: Use password managers to store credentials and implement MFA to ensure threat actors can’t take advantage even if they somehow get access to your credentials.
- Phishing Education and Training: Organizations should regularly provide comprehensive phishing education and phishing awareness training, highlighting the latest attack campaigns so the workforce can quickly identify phishing emails when received.
- Network Monitoring: Organizations should also invest in a good network monitoring and analysis tool to detect suspicious activity and flag phishing emails and websites.
Robin Banks relies heavily on open-source code and can harm individuals and organizations alike. The platform’s cookie stealer is an attempt to attract persistent and capable threat actors to Robin Banks. As more malicious actor groups and platforms emerge, organizations must focus on phishing attack prevention and adhere to the best practices mentioned above to protect the confidentiality, integrity, and availability of their information assets.