Robin Banks service renewed for stealing banking accounts

Phishing services for cybercriminals return to operations with a Russian server host

The platform used by other cybercriminals reopens its services

Robin Banks phishing-as-a-service platform is again in action and now hosting the infrastructure via the Russian internet company that offers protection against distributed denial-of-service attacks. The service got disrupted in July 2022 when researchers found that the platform targets various companies like Bank of America, Capital One, Wells Fargo, and Commonwealth Bank.^[1]

It was blacklisted after these reports and exposure,^[2] so the platforms' frontend and backend disruption stopped these ongoing phishing operations. Many cybercriminals were paying a subscription for using this PhaaS^[3] platform, so their campaigns failed.

New findings show that platform creators want to protect and improve their services with these new additions and releases.^[4] The company relocated the attack infrastructure with the DDoS-Guard and bulletproof hosting services. Operators want to hide and protect the platform from researchers better. Other new features also include bypassing the multi-factor authentication and redirector that helps avoid detection and reverse engineering.

Multi-day disruption after the first release

Robin Banks was first revealed in 2022 when the ability to offer ready-made phishing kits got discovered in July. Criminal operators use these methods to steal the financial information of customers from popular bank accounts and other online services. The platform also prompts users to enter Google or Microsoft credentials on legitimate-looking landing pages.

These were attempts to monetize the initial access to corporate networks for later exploitation activities like ransomware deployment or espionage.^[5] The new additions to these operations that got renewed now include the two-factor authentication for customer accounts, besides the jump to the Russian internet services provider.

This hosting provider is also notorious in not complying with takedown requests, thus making it more appealing in the eyes of threat actors

The particular relationship with the hosting service means that Robin Banks is on the list with other significant customers like Hamas, alt-tech social platform Parler, HKLeaks, and the notorious Kiwi Farms. All discussions, also, from now on, appear to be done through the private Telegram channel. At least for the core administrators and developers.

Additional functionalities with the new updates

Alongside the detection evading techniques and tools, these new releases come with the cookie stealing functionality. It can be a broader clientele service attempt. Advanced perisstent threat groups might want to use this method to their advantage. Cybercriminals might look to compromise particular enterprise environments, and this particular service for Gmail, Yahoo, and Outlook cookies is listed for $1500 per month.

Robin Banks developers implemented the Evilginx2 reverse proxy for the adversary-in-the-middle attacks to steal these cookies that contain authentication tokens. The reverse-proxy tool establishes communication between the victim and the real service server. The login request and credentials capturing session cookies in transit get forwarded this way.

Phishing actors now manage to bypass MFA mechanisms, and they can use captured cookies to log into an account posing as the owner. These services can be sold separately by feature. Robin Banks persists because the operators rely exclusively on readily accessible tools and services.

This proves that PhaaS platforms can be built by anyone who is invested enough in this. This availability can mean that platforms like this can be operated by inexperienced and less technical cybercriminals because they can launch phishing attacks, bypass MFA, and steal credentials to valuable services and funds from accounts.