Robin Banks Phishing Service for Cybercriminals Returns with Russian Server


A phishing-as-a-service (PhaaS) platform known as Robin Banks has relocated its attack infrastructure to DDoS-Guard, a Russian provider of bulletproof hosting services.

The switch comes after “Cloudflare disassociated Robin Banks phishing infrastructure from its services, causing a multi-day disruption to operations,” according to a report from cybersecurity company IronNet.

Robin Banks was first documented in July 2022, when it was revealed that the platform offers ready-made phishing kits to criminal actors, enabling them to steal the financial information of customers of popular banks and other online services.

It was also found to prompt users to enter Google and Microsoft credentials on rogue landing pages, suggesting an attempt on the part of the malware authors to monetize initial access to corporate networks for post-exploitation activities such as espionage and ransomware.

In recent months, Cloudflare’s decision to blocklist its infrastructure in the wake of public disclosure has prompted the Robin Banks actor to move its frontend and backend to DDoS-Guard, which has in the past hosted the alt-tech social network Parler and the notorious Kiwi Farms.

“This hosting provider is also notorious in not complying with takedown requests, thus making it more appealing in the eyes of threat actors,” the researchers noted.

Chief among the new updates introduced is a cookie-stealing functionality, in what’s seen as an attempt to serve a broader clientele such as advanced persistent threat (APT) groups that are looking to compromise specific enterprise environments. It’s offered for $1,500 per month.

This is achieved by reusing code from evilginx2, an open source adversary-in-the-middle (AiTM) attack framework employed to steal credentials and session cookies from Google, Yahoo, and Microsoft Outlook even on accounts that have multi-factor authentication (MFA) enabled.

Robin Banks is also said to have incorporated a new security measure that requires its customers to turn on two-factor authentication (2FA) to view the stolen information via the service, or, alternatively, receive the data through a Telegram bot.

Another notable feature is its use of Adspect, an ad fraud detection service, to redirect targets of phishing campaigns to rogue websites while steering scanners and unwanted traffic to benign websites, so that the campaigns slip under the radar.

The findings are just the latest in a series of new PhaaS services that have emerged in the threat landscape, including Frappo, EvilProxy, and Caffeine, making cybercrime more accessible to amateur and experienced bad actors alike.

What’s more, the improvements also illustrate the growing need for threat actors to rely on different methods such as AiTM and prompt bombing (aka MFA fatigue) – as recently observed in the case of Uber – to circumvent security measures and gain initial access.

“The infrastructure of the Robin Banks phishing kit relies heavily on open-source code and off-the-shelf tooling, serving as a prime example of the lowering barrier-to-entry to not only conducting phishing attacks, but also to creating a PhaaS platform for others to use,” the researchers said.