Recent reports show that the phishing-as-a-service (PhaaS) platform dubbed Robin Banks has returned after the operational disruption it faced last July, now running on new infrastructure hosted by an internet firm in Russia.
In July 2022, Robin Banks’ operations were exposed by security researchers, resulting in their front-end and back-end being blacklisted. The malicious platform has targeted many financial institutions, including Bank of America, Citibank, Capital One, Commonwealth Bank, Wells Fargo, PNC, US Bank, Santander, and Lloyds Bank.
Experts have issued alerts about the renewed Robin Banks PhaaS, noting that its operators have enhanced their obfuscation capabilities.
Aside from their enhanced anti-detection capabilities, the platform’s operators can now bypass MFA (multi-factor authentication), which is a grave threat to all its targets.
Security researchers revealed that the Robin Banks PhaaS now uses DDoS-Guard, an internet service provider headquartered in Russia, for its infrastructure. DDoS-Guard protects its clients from DDoS attacks and has a history of controversially providing service to cybercriminal clients, including Kiwi Farms and HK Leaks.
The PhaaS platform has implemented a two-factor authentication system to prevent non-clients from accessing the phishing panel, and its operators have set up a private Telegram channel for all discussions with core admins.
Moreover, Robin Banks PhaaS also uses Adspect, a traffic-filtering service that detects bots and ads and can cloak or restrict access to a website at the sole discretion of the site's owner. With Adspect, the operators can redirect victims to phishing sites while forwarding scanners and other unwanted traffic to benign websites, allowing them to evade security detection.
While Adspect is not intended to help phishing operators in their campaigns, its services are commonly promoted in underground forums and on malicious Telegram channels.
For the adversary-in-the-middle (AiTM) attacks, Robin Banks PhaaS uses the Evilginx2 reverse proxy, which sits between the victim and the authentic service's server, forwarding login requests and user credentials and collecting session cookies in transit. The tool helps the operators bypass MFA: the collected cookies are replayed to log into a victim's account.
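The detectable footprint of the AiTM step described above is a session cookie that was issued to one client and is then presented by another. As an added example (not from the report or from any vendor), the following Python heuristic flags a session id reused from a different IP address or user agent shortly after issuance; the log format and all values are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of application access logs (not from any real system).
# Session a1f3 is created, passes MFA, and seconds later is presented by a
# different client: the pattern a replayed (stolen) session cookie leaves.
SAMPLE_LOG = """\
2022-11-01T09:00:01Z sid=a1f3 ip=203.0.113.7 ua=Mozilla/5.0_Win_Chrome path=/login
2022-11-01T09:00:05Z sid=a1f3 ip=203.0.113.7 ua=Mozilla/5.0_Win_Chrome path=/mfa/verify
2022-11-01T09:00:09Z sid=a1f3 ip=198.51.100.22 ua=python-requests/2.28 path=/account/summary
2022-11-01T09:15:00Z sid=b7c2 ip=192.0.2.44 ua=Mozilla/5.0_Mac_Safari path=/login
2022-11-01T09:15:04Z sid=b7c2 ip=192.0.2.44 ua=Mozilla/5.0_Mac_Safari path=/account/summary
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua=(?P<ua>\S+) path=(?P<path>\S+)"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_cookie_replays(log_text, window=timedelta(minutes=30)):
    """Return (sid, issued_ip, new_ip, new_ua, path) for every request in which a
    session id is presented by a client fingerprint (ip, ua) different from the
    one that first used it, within `window` of that first use."""
    first_seen = {}  # sid -> (timestamp, ip, ua) of the first request
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sid = rec["sid"]
        if sid not in first_seen:
            first_seen[sid] = (rec["ts"], rec["ip"], rec["ua"])
            continue
        ts0, ip0, ua0 = first_seen[sid]
        if (rec["ip"], rec["ua"]) != (ip0, ua0) and rec["ts"] - ts0 <= window:
            alerts.append((sid, ip0, rec["ip"], rec["ua"], rec["path"]))
    return alerts


if __name__ == "__main__":
    for alert in find_cookie_replays(SAMPLE_LOG):
        print("possible session cookie replay:", alert)
```

Binding the session to the client at issuance and re-checking it on each request, as this heuristic does after the fact, is the same property that makes phishing-resistant authenticators effective against a reverse proxy.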
Experts say that even novice cybercriminals can establish their own campaigns these days, given how Robin Banks PhaaS mostly used readily available tools to run its operations. Because of this, cybersecurity experts are concerned about the wide availability of tools that help cybercriminals, even those who are less technical.