Citibank, Bank of America, Capital One, and others Targeted by ‘Robin Banks’ PhaaS
More and More Threat Actors Are Interested in the New ‘Robin Banks’ Phishing Service.
A brand-new Phishing-as-a-Service (PhaaS) platform known as “Robin Banks” has been developed, providing ready-made phishing tools intended to trick customers of reputable financial institutions and online services.
Among the targeted organizations are:
- Bank of America
- Capital One
- Wells Fargo
- U.S. Bank
- Lloyds Bank
- the Commonwealth Bank in Australia
Moreover, the recently launched Phishing-as-a-Service (PhaaS) platform provides templates for snatching accounts from Microsoft, Google, Netflix, and T-Mobile.
IronNet security researchers were the ones to discover Robin Banks, and according to a report they published, the phishing platform is already in use in extensive campaigns that began in mid-June and target people via text messages and email.
More on the Robin Banks Platform
Robin Banks is a new initiative of a hacking organization that has allegedly been operational since at least March 2022. It is designed to quickly create high-quality phishing pages that go after clients of important banks.
How Much Does the Platform Cost?
According to BleepingComputer, there are two price tiers available for it: the first one costs $50 per month and includes single pages and 24/7 support, and the second one costs $200 per month and offers unlimited access to all templates and support round-the-clock.
How Does It Work?
Cybercriminals who register are given access to a personal dashboard that includes reports on their activities, tools for creating a page quickly and easily, wallet management, and options for building customized phishing websites.
Additionally, users have the option to add reCAPTCHA to keep bots out, or to check user agent strings to exclude certain victims in highly targeted operations.
The Robin Banks website has a more sophisticated yet user-friendly webGUI than 16Shop and BulletProftLink, two well-known phishing kits that are also notably more expensive than Robin Banks.
Furthermore, the new phishing platform is adding new templates all the time and is updating the old ones to reflect modifications in the style and color scheme of the targeted enterprises.
This is the reason why the Robin Banks phishing platform became so popular in the cybercrime space, with numerous malicious actors adopting it in the past couple of months.
The Citibank Incident
In one attack discovered by the security company in June, a Robin Banks operator sent SMS messages to Citibank customers alerting them of “unusual usage” of their debit cards.
The link provided to remove the purported security restrictions directs victims to a phishing page where they are asked for their private information. When the victim visits the phishing website, their browser is fingerprinted to establish whether they are using a desktop or a mobile device, and the appropriate web page version is loaded.
As soon as the user fills out all of the requested information in the phishing page’s form fields, a POST request is sent to the Robin Banks API. The request contains two unique tokens, one for the attacker and one for the victim.
The platform’s webGUI allows both the operator and platform administrators to see all information sent to the Robin Banks API.
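The submission step described above gives defenders something to look for on the network side. The following Python is an added example, not code from IronNet's report or from this article: it scans constructed proxy records for a form POST that leaves the host that served the page while carrying sensitive fields and two opaque tokens. The log format, host names and field names are assumptions, as is the premise that a TLS-inspecting proxy records form bodies and that the API sits on a different host than the phishing page.

```python
import json
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy log records (JSON lines); hosts, paths and field names are assumptions.
SAMPLE_LOG = """\
{"client":"10.0.0.7","method":"POST","url":"https://api.kit-backend.example/submit","referer":"https://secure-card-alert.example/verify","body":"token=9f2c4b7a1d3e5f60718293a4&vtoken=a7b8c9d0e1f2a3b4c5d6e7f8&card=4111111111111111&pin=1234"}
{"client":"10.0.0.8","method":"POST","url":"https://login.bank.example/auth","referer":"https://login.bank.example/","body":"csrf=0123456789abcdef01234567&user=alice&password=x"}
{"client":"10.0.0.9","method":"GET","url":"https://news.example/","referer":"","body":""}
{"client":"10.0.0.10","method":"POST","url":"https://forms.saas.example/f/1","referer":"https://blog.example/contact","body":"name=bob&message=hello"}
"""

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{20,}$")         # shape of an opaque identifier
SENSITIVE = {"card", "pin", "password", "ssn", "cvv"}  # assumed form field names


def host(url):
    """Lower-cased host name of a URL, or an empty string."""
    return (urlsplit(url).hostname or "").lower()


def suspicious(rec):
    """Flag a form POST that leaves the page's host with secrets and two opaque tokens."""
    if rec["method"] != "POST" or not rec["referer"]:
        return False
    if host(rec["url"]) == host(rec["referer"]):
        return False  # the form submits back to the site that served it
    fields = dict(parse_qsl(rec["body"]))
    tokens = {v for k, v in fields.items()
              if k.lower() not in SENSITIVE and TOKEN_RE.match(v)}
    has_secret = any(k.lower() in SENSITIVE for k in fields)
    return has_secret and len(tokens) >= 2


def scan(log_text):
    """Return the client addresses whose requests match the pattern."""
    records = (json.loads(line) for line in log_text.splitlines() if line.strip())
    return [r["client"] for r in records if suspicious(r)]


if __name__ == "__main__":
    for client in scan(SAMPLE_LOG):
        print("review traffic from", client)
```

A match is a lead for review rather than a verdict, since legitimate sites also post forms to third-party hosts.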
The launch of a new advanced PhaaS platform is bad news for internet users, because it encourages phishing among less-skilled malicious actors and increases the flow of dangerous messages.
It is recommended that you avoid clicking on links sent via SMS or email in order to stay safe from these malicious attempts. Also, make sure the website you’ve landed on is legitimate.
Last but not least, enable Two-Factor Authentication (2FA) across all of your accounts and use a personal phone number to get one-time passwords.
How Can Heimdal™ Help?
Phishing is everywhere nowadays, with more and more advanced techniques being adopted. Make sure that you use an efficient Email Security tool paired with a good Email Fraud Prevention product. The first keeps mail-delivered threats away, while the latter protects against Business Email Compromise and fraud attempts through a combination of threat intelligence and 125 analysis vectors.