Beware, Robin Banks Phishing Campaign Is Back To Steal Your Cash In Its Next Big Heist

Earlier this year, threat researchers at the cybersecurity company IronNet discovered a phishing-as-a-service (PhaaS) platform known as Robin Banks. While the name may be humorous, the platform itself is no laughing matter, as it serves to aid cybercriminals in stealing innocent users’ banking credentials. After IronNet drew attention to this malicious service in July, Cloudflare promptly withdrew its DDoS protection from the Robin Banks internet infrastructure and blacklisted its domain names, resulting in a major disruption of the service. However, after only a short hiatus, Robin Banks returned, once again posing a threat to users of online banking.

Since Robin Banks functions as a phishing-as-a-service platform, the threat actors behind the platform don’t simply develop and distribute phishing software. They instead operate the infrastructure necessary to carry out sophisticated phishing attacks, then provide phishing toolkits that make use of this infrastructure to other cybercriminals who pay monthly fees. The paying customers rely on the Robin Banks server infrastructure, expecting it to be fully operable 24/7.

Like many online businesses, the threat actors responsible for Robin Banks were previously using Cloudflare to protect their servers from DDoS (distributed-denial-of-service) attacks, but, after Cloudflare blacklisted Robin Banks, the threat actors switched to DDOS-GUARD. DDOS-GUARD is a Russian-based DDoS protection and web hosting service known to unapologetically provide its services to cybercriminal and terrorist groups. It took only three days from the time Cloudflare blocked the Robin Banks domain names for the platform’s developers to migrate the infrastructure to DDOS-GUARD and bring it back online.

Robin Banks promoting its cookie-stealing MFA bypass service (source: IronNet)

Since then, the threat actors behind Robin Banks have rolled out a new feature that highlights the PhaaS platform’s reliance on open-source code and tools. According to the platform’s developers, this new feature bypasses the multi-factor authentication (MFA) protecting victims’ accounts using Robin Banks’ “own methodology.” However, researchers at IronNet found that this feature, rather than employing a unique approach, appears to be an implementation of evilginx2, an easy-to-use open-source phishing tool that steals authentication token cookies.

Despite using an open-source tool that other cybercriminals could use themselves, Robin Banks charges customers a premium of $1500 a month on top of the regular $200 monthly fee for use of this cookie-stealing feature. According to IronNet, Robin Banks utilizes many other open-source tools as well, demonstrating the low barrier to entry for operating a PhaaS platform. There are still plenty of threat actors that develop their own proprietary hacking tools and malware in addition to maintaining the infrastructure necessary to conduct cyberattacks. Nonetheless, the availability of many malicious open-source tools is leveling the playing field, enabling less experienced cybercriminals to enter the PhaaS space.