Robin Banks Phishing-as-a-Service Platform Evolves | Security Matters

Phishing-as-a-Service (PhaaS) platform Robin Banks migrated its infrastructure to DDoS-Guard, a Russian bulletproof hosting service.

Phishing-as-a-Service (PhaaS) platform Robin Banks was initially hosted by Cloudflare, but the provider separated the Robin Banks phishing infrastructure from its services in July after being told it was.

The move led to a multi-day outage in PhaaS operations, followed by several changes by the platform administrators, including a move to the notorious Russian bulletproof hosting provider DDoS-Guard.

DDoS-Guard also hosts content for the QAnon conspiracy theory movement and the 8chan forum, as well as the official website of the Hamas terrorist group, according to investigative reporter Brian Krebs. The provider never complies with takedown requests from law enforcement agencies.

Experts at cybersecurity firm IronNet noted that the operator behind Robin Banks has also added a new cookie-stealing feature that customers can purchase as an add-on to a phishing kit. Crooks can use this add-on to bypass multi-factor authentication (MFA) in their campaigns, since a stolen authenticated session cookie lets them reuse a session for which the victim has already completed MFA.
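The defensive counterpart of a cookie-stealing add-on is detecting when an authenticated session cookie is replayed from somewhere other than the client that completed MFA. The following is an added example written for this page, not code from IronNet or from the Robin Banks kit: it parses a few constructed web-server log lines (the `sid=`, `ip=`, `ua=`, `event=` field names are an assumed format, not any real product's) and flags requests that present a session id from a different IP/user-agent pair than the one recorded at the `login_mfa_ok` event.

```python
"""Flag likely session-cookie replay by correlating the client fingerprint
seen at MFA completion with the fingerprint on later requests carrying the
same session id.  Constructed example; log format is assumed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real traffic).  Session a1b2 completes MFA from
# 203.0.113.5/Firefox, then the same cookie appears from 198.51.100.77/Chrome
# changing mail-forwarding settings.  Session c3d4 behaves normally.
SAMPLE_LOG = """\
2022-10-03T09:00:00Z sid=a1b2 ip=203.0.113.5 ua=Firefox/105 event=login_mfa_ok
2022-10-03T09:00:40Z sid=a1b2 ip=203.0.113.5 ua=Firefox/105 event=request path=/inbox
2022-10-03T09:02:10Z sid=a1b2 ip=198.51.100.77 ua=Chrome/106 event=request path=/settings/forwarding
2022-10-03T09:05:00Z sid=c3d4 ip=192.0.2.9 ua=Safari/16 event=login_mfa_ok
2022-10-03T09:06:00Z sid=c3d4 ip=192.0.2.9 ua=Safari/16 event=request path=/inbox
2022-10-03T09:30:00Z sid=a1b2 ip=203.0.113.5 ua=Firefox/105 event=request path=/inbox
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    sid: str
    ip: str
    ua: str
    event: str
    path: str


def parse_line(line: str) -> Event:
    """Parse one 'TIMESTAMP key=value ...' line of the assumed log format."""
    ts_str, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Event(
        ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        sid=kv["sid"],
        ip=kv["ip"],
        ua=kv["ua"],
        event=kv["event"],
        path=kv.get("path", ""),
    )


def parse_log(text: str) -> list[Event]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def find_replayed_sessions(events: list[Event], max_age: timedelta = timedelta(hours=12)) -> list[tuple]:
    """Return alerts as (sid, login_ip, suspect_ip, path, reason).

    A session id is bound to the (ip, ua) pair that completed MFA.  Any later
    request within max_age that carries the same id from a different pair is
    flagged; a session id that is used without ever being seen authenticating
    is flagged too, since a cookie stolen from another front end looks like that.
    """
    login_fp: dict[str, tuple[str, str, datetime]] = {}
    alerts: list[tuple] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event == "login_mfa_ok":
            login_fp[ev.sid] = (ev.ip, ev.ua, ev.ts)
            continue
        origin = login_fp.get(ev.sid)
        if origin is None:
            alerts.append((ev.sid, None, ev.ip, ev.path, "no-login-observed"))
            continue
        ip, ua, ts = origin
        if ev.ts - ts <= max_age and (ev.ip, ev.ua) != (ip, ua):
            alerts.append((ev.sid, ip, ev.ip, ev.path, "fingerprint-mismatch"))
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(parse_log(SAMPLE_LOG)):
        print(alert)
```

Two caveats for anyone turning this into a real detection: a reverse-proxy kit relays the victim's own requests during the phishing session, so the mismatch appears only once the operator replays the captured cookie from their own machine; and IP or user-agent changes also happen legitimately (mobile carriers, browser updates), so the alert is a signal to require re-authentication for sensitive actions such as mail-forwarding changes, not proof of compromise on its own.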

The price for this feature is $1,500 per month, while full access to Robin Banks is $200 per month.

Robin Banks, first profiled in July 2022, relies heavily on open source code and off-the-shelf tools.

“In addition to migrating their infrastructure to DDOS-GUARD, Robin Banks has also started to tighten security on the platform, likely due to concerns that someone might hack their admin interface. This includes implementing and requiring two-factor authentication (2FA), so that suite customers can view phishing messages through the main GUI,” reads a report published by security firm IronNet. “However, if they don’t want to implement 2FA, customers can choose to send the phishing message to the Telegram bot instead of accessing it through the Robin Banks GUI.”

The experts looked at three common phishlets included in the distribution, namely Google, Yahoo, and Outlook. A phishlet is a configuration file used to proxy a legitimate website through a phishing site; phishlets are primarily used by the evilginx2 phishing kit.

Robin Banks customers can view stolen data either through the service's GUI after enabling two-factor authentication (2FA) or through the Telegram bot.


Once the researchers deobfuscated the core of the phishing kit, they discovered that it borrowed code from a third-party ad-fraud detection service called Adspect.

Adspect detects and filters unwanted visitors out of web traffic using blacklisting, fingerprinting and machine learning techniques.

In the kit, this filtering is used to ensure that targets of phishing campaigns are redirected to the malicious websites, while scanners and other unwanted traffic are redirected to benign websites to avoid detection.

“Robin Banks’ heavy reliance on open source code and off-the-shelf tools shows how low the barrier to entry is to not only conduct phishing attacks, but also become a service provider and create a PhaaS platform for others to use. Making such a toolkit and charging a few hundred to thousands of dollars for others to use it doesn’t require a lot of complexity,” concludes the post. “Therefore, the increasing use of different web tools to host cybercriminal platforms has raised concerns as cybercrime becomes more accessible and a labor-saving option for quick profits.”

Other new PhaaS services have made headlines recently, including Caffeine, EvilProxy, and Frappo, attracting a growing number of malicious actors in the threat landscape.


Pierluigi Paganini
