Heimdal
article featured image

Contents:

The cybercriminals behind Robin Bank have relocated the phishing-as-a-service (PhaaS) platform to a Russian hosting service.

DDoS-Guard takes over from Cloudflare after the latest caused a multi-day disruption of Robin Bank operations by distancing its services from the phishing infrastructure.

The Russian rock-solid hosting provider previously hosted the alt-tech social network Parler as well as the infamous Kiwi Farms.

New Features for Robin Banks

According to a report from IronNet, DDoS-Guard “is notorious in not complying with takedown requests, thus making it more appealing in the eyes of threat actors.” Robin Banks was compelled to associate with DDoS-Guard after public disclosure made Cloudflare blocklist the phishing platform.

The PhaaS platform introduced a new cookie-stealing functionality for $1,500 per month. This will appeal to a larger customer base like advanced persistent threat (APT) groups targeting specific companies.

This is achieved by reusing code from evilginx2, an open source adversary-in-the-middle (AiTM) attack framework employed to steal credentials and session cookies from Google, Yahoo, and Microsoft Outlook even on accounts that have multi-factor authentication (MFA) enabled.

Source

Robin Bank has also updated its security measures requesting its affiliates to use two-factor authentication (2FA) to get the exfiltrated data, or a Telegram bot to receive it. And the platform incorporated Adspect, an ad fraud detection service, to redirect victims to fake websites.

Robin Banks Legacy

The Robin Bank platform first surfaced in July 2022 offering phishing kits to threat actors who wanted to steal financial information from popular banks. Additionally, it scammed users to give up Google and Microsoft credentials on malicious landing pages. The intention was the make money by selling initial access to corporate networks for post-exploitation activities such as espionage and ransomware.

Robin Bank is just one name in a series of PhaaS services from the current threat landscape that includes Frappo, EvilProxy, and Caffeine. These platforms make cybercriminal activities accessible to inexperienced hackers. But even veteran threat actors rely more and more on PhaaS platforms, as recent updates suggest.

“The infrastructure of the Robin Banks phishing kit relies heavily on open-source code and off-the-shelf tooling, serving as a prime example of the lowering barrier-to-entry to not only conducting phishing attacks, but also to creating a PhaaS platform for others to use,” the researchers said.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE