IronNet researchers have identified a Phishing-as-a-Service (PhaaS) platform, Robin Banks, that sells ready-to-use phishing kits to cybercriminals. The kits are used to obtain financial details of victims living in the U.S., the U.K., Canada, and Australia.

In mid-June, the researchers observed a large-scale campaign using Robin Banks’ platform to obtain Citibank customers’ credentials and financial information and sell them over dark web forums or Telegram channels. The attackers targeted victims through SMS and emails.

The attack details

  • A victim who opens the URL sent through SMS/email lands either on the phishing page or, if the system detects a potential bot, on a separate landing page.
  • The separate landing page requires the completion of a reCAPTCHA, to stop web scanners from automatically detecting phishing pages. The victim is subsequently redirected to the landing page hosting phishing content. 
  • Users who access the landing page are fingerprinted via their user agent strings so that the content displayed reflects the type of device they are using.
  • The domain will POST all data to the Robin Banks API when the victim completes all form fields on the website.
  • An API/management interface POST contains two unique tokens: one for the threat actor and one for the victim.
  • When the victim reaches another page asking for information—such as credit card information, CCV, and SSN—a separate POST is created, as a backup if the victim decides to quit.
  • A threat actor can view and share the POST data to their personal Telegram channel as soon as the data is sent to the API. 

Because the data is sent to the Robin Banks API and stored on its infrastructure, it is accessible to both the threat actors and the Robin Banks administrators.

Gains for scammers

Beyond financial gain, this phishing kit also asks victims for their Google and Microsoft credentials.
  • More advanced threat actors may also be able to use this information to gain initial access to corporate networks for ransomware.
  • Criminals using the kit listed the account balances of various hacked victims on Telegram channels and dark web forums in order to sell them.
  • Threat actors are estimated to have access to over $500,000.

How to stay safe?

To overcome phishing attacks, one must take a multi-pronged approach that includes:
  • Do not click on links sent through SMS and email.
  • Use a password manager across all accounts.
  • Enable multi-factor authentication for all accounts.
  • Make phishing training mandatory for employees and other partners.
  • Monitor and analyze network traffic to detect suspicious activity.
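
As an added illustration of the traffic-monitoring advice (not code from IronNet or from this article), the sketch below scores web-proxy sessions against the flow described under the attack details: entry without a referer, a reCAPTCHA gate, then form POSTs to more than one page. The log format, hostnames, allowlist and three-signal threshold are all assumptions made for the example.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy records: (client, method, url, referer). All hosts are placeholders.
SAMPLE_LOG = [
    ("10.0.0.5", "GET", "https://bank-verify.example/login", ""),
    ("10.0.0.5", "GET", "https://www.google.com/recaptcha/api.js", "https://bank-verify.example/"),
    ("10.0.0.5", "GET", "https://bank-verify.example/step1", "https://bank-verify.example/login"),
    ("10.0.0.5", "POST", "https://bank-verify.example/step1", "https://bank-verify.example/step1"),
    ("10.0.0.5", "POST", "https://bank-verify.example/step2", "https://bank-verify.example/step2"),
    ("10.0.0.7", "GET", "https://shop.example/cart", ""),
    ("10.0.0.7", "POST", "https://shop.example/cart", "https://shop.example/cart"),
    ("10.0.0.9", "GET", "https://intranet.example/home", ""),
    ("10.0.0.9", "POST", "https://intranet.example/a", "https://intranet.example/home"),
    ("10.0.0.9", "POST", "https://intranet.example/b", "https://intranet.example/a"),
]
KNOWN_GOOD = {"intranet.example"}  # assumption: locally maintained allowlist

def flag_sessions(log, known_good=KNOWN_GOOD, threshold=3):
    """Return {(client, host): [signals]} for sessions showing the described flow."""
    sess = defaultdict(lambda: {"direct": False, "captcha": False, "posts": set()})
    for client, method, url, referer in log:
        u = urlparse(url)
        ref_host = urlparse(referer).hostname
        # reCAPTCHA script fetch: attribute it to the page that embedded it.
        if u.hostname == "www.google.com" and u.path.startswith("/recaptcha/"):
            if ref_host:
                sess[(client, ref_host)]["captcha"] = True
            continue
        s = sess[(client, u.hostname)]
        if method == "GET" and not referer:
            s["direct"] = True          # link opened from SMS or a mail client
        elif method == "POST":
            s["posts"].add(u.path)      # one path per form stage
    findings = {}
    for (client, host), s in sess.items():
        if host in known_good:
            continue
        signals = [name for name, hit in (
            ("entry without referer", s["direct"]),
            ("reCAPTCHA gate", s["captcha"]),
            ("staged POSTs", len(s["posts"]) >= 2),
        ) if hit]
        if len(signals) >= threshold:
            findings[(client, host)] = signals
    return findings

if __name__ == "__main__":
    for key, signals in flag_sessions(SAMPLE_LOG).items():
        print(key, signals)
```

Each signal is common on legitimate sites by itself, so a hit is a lead for triage (domain age, page content, reputation) rather than a verdict.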


Cybercriminals are actively using the PhaaS platform to attack users, steal login information, and perform other illegal activities. Robin Banks facilitates cyberattacks on a mass scale by supplying phishing kits. It distinguishes itself by providing its customers with 24/7 support and a clear commitment to releasing updates, resolving bugs, and adding features to its kits.
Cyware Publisher