Robin Banks Receives Update with New Tools And Evasion Techniques

The Robin Banks phishing-as-a-service (PhaaS) platform has recently made a comeback with new tools and more evasive features. Its operators made these modifications after Cloudflare stopped acting as its host in July. That disruption caused a multi-day halt to ongoing phishing operations against major financial organizations.

What’s new?

According to IronNet researchers, Robin Banks administrators have taken active measures to become more resilient against takedowns.
  • Its infrastructure is now hosted by DDoS-Guard, a Russian internet company with a long history of controversial business exchanges.
  • It has implemented 2FA for its customers to prevent outsiders from accessing the phishing panel.
  • Core administrators now communicate over a separate private Telegram channel.

Use of open-source tools

Robin Banks relies heavily on open-source code and off-the-shelf tools for its phishing kit.
  • It utilizes Adspect, a cloaker, bot filter, and ad tracker that directs valid targets to phishing sites. It detects and filters scanners and unwanted traffic and redirects these to benign websites to reduce the detection rates.
  • Robin Banks has added the reverse proxy tool Evilginx2 for adversary-in-the-middle (AiTM) attacks. This tool steals cookies containing authentication tokens, which lets phishing actors bypass MFA.
  • This new cookie-stealing feature is an add-on to the phishing kit that Robin Banks sells separately for $1,500 per month, advertising that it works with Google, Yahoo, and Outlook ‘phishlets’.
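
A defensive illustration added here (not from the original article or the IronNet research): because a stolen cookie is a valid post-MFA session, one detection angle is a session ID that later appears from a different client than the one that completed MFA. The log format, field names, and sample rows below are constructed assumptions.

```python
import csv
import io

# Constructed sample session log (not real data).
# Columns: time,user,session_id,ip,user_agent,event
SAMPLE_LOG = """\
2022-11-07T09:00:02Z,alice,sess-a1,198.51.100.23,Mozilla/5.0 (Windows NT 10.0) Chrome/107.0,mfa_success
2022-11-07T09:00:05Z,alice,sess-a1,198.51.100.23,Mozilla/5.0 (Windows NT 10.0) Chrome/107.0,request
2022-11-07T09:04:41Z,alice,sess-a1,203.0.113.77,Mozilla/5.0 (X11; Linux x86_64) Firefox/106.0,request
2022-11-07T09:10:00Z,bob,sess-b7,192.0.2.10,Mozilla/5.0 (Macintosh) Safari/16.1,mfa_success
2022-11-07T09:30:12Z,bob,sess-b7,192.0.2.44,Mozilla/5.0 (Macintosh) Safari/16.1,request
2022-11-07T09:31:00Z,carol,sess-c3,192.0.2.99,curl/7.85.0,request
"""

FIELDS = ["time", "user", "session_id", "ip", "user_agent", "event"]


def find_session_replays(log_text):
    """Flag session IDs used from a client other than the one that passed MFA."""
    issued = {}    # session_id -> (ip, user_agent) seen when MFA completed
    findings = []  # (session_id, user, severity, reason, time)
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        sid = row["session_id"]
        client = (row["ip"], row["user_agent"])
        if row["event"] == "mfa_success":
            issued[sid] = client
            continue
        if sid not in issued:
            # Session never seen completing MFA inside this log window.
            findings.append((sid, row["user"], "medium", "no-mfa-origin", row["time"]))
            continue
        ip_changed = client[0] != issued[sid][0]
        ua_changed = client[1] != issued[sid][1]
        if ip_changed and ua_changed:
            # New network and new browser on an existing session: replay pattern.
            findings.append((sid, row["user"], "high", "ip+ua-changed", row["time"]))
        elif ip_changed or ua_changed:
            # A lone IP change is common on mobile networks; keep it low priority.
            findings.append((sid, row["user"], "low", "ip-or-ua-changed", row["time"]))
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(SAMPLE_LOG):
        print(finding)
```
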

Conclusion

Robin Banks has added more evasive techniques and used readily available tools and services to facilitate cyberattacks on a bigger scale. Although it is neither very sophisticated nor widely used, it offers its customers 24/7 assistance with the modified attack infrastructure. The latest developments suggest that it is here to stay, and its operators will likely keep it up to date to make it a more effective PhaaS platform.
Cyware Publisher