Date: 2022-11-08

Cloudflare disassociated Robin Banks phishing infrastructure from its services, causing a multi-day disruption to operations.

Robin Banks debuted a new cookie-stealing feature cybercriminals can purchase as an add-on to the phishing kit in order to bypass multi-factor authentication.

The Robin Banks phishing kit relies heavily on open-source code and off-the-shelf tooling, serving as a prime example of the lowering barrier to entry for conducting phishing attacks.

Cybersecurity researchers at IronNet announced that the Robin Banks group relocated its infrastructure to a notorious Russian provider, DDoS-Guard, and changed its features to be more evasive. Robin Banks is a phishing-as-a-service (PhaaS) platform that was first reported by IronNet in July of 2022. IronNet’s initial discovery of Robin Banks caused Cloudflare to mark the domain as malicious, which disrupted its operations.

Phishing-as-a-service

After Cloudflare’s decision to disassociate Robin Banks, the group experienced a disruption that lasted three days. The group has now relocated its front-end and back-end infrastructure to DDoS-Guard, a Russian provider that is known for hosting phishing sites and content for cybercriminals.

Robin Banks is also enforcing increased security on the platform, such as two-factor authentication for kit customers to view phished information. However, users have the option to get phished information via a Telegram bot.

Robin Banks also purchased multiple domains, including ironnet[.]click and ironpages[.]club, the former as a response to IronNet’s initial blog. These domains were used to host phishing kit contents. Since the initial report, Robin Banks has also introduced a new feature to bypass 2FA by stealing login session cookies. It is a newer version of an open-source tool, evilginx2, which is popular among cybercriminals. Robin Banks advertises this feature of the kit for $1,500 per month. IronNet said,

« Robin Banks’ heavy reliance on open-source code and off-the-shelf tooling showcases just how low the barrier-to-entry is to not only conducting phishing attacks, but also to becoming a service provider and creating a PhaaS platform for others to use. It does not take a high sophistication level to create a kit such as this and charge hundreds to thousands of dollars for others to use it. Thus, the growing use of different web tools to host cybercriminal platforms poses concerns as cybercrime becomes more accessible and a low-effort option to drawing in a quick profit. »