Robin Banks Targets Citibank Customers and Beyond

The attack details

• The victim accessing the URL sent through SMS/email will land on either the phishing page or if the system detects a potential bot, on a separate landing page.
• The separate landing page requires the completion of a reCAPTCHA, to stop web scanners from automatically detecting phishing pages. The victim is subsequently redirected to the landing page hosting phishing content. 
• Users who access the landing page are fingerprinted via their user agent strings so that the content displayed reflects the type of device they are using.
• The domain will POST all data to the Robin Banks API when the victim completes all form fields on the website.
• An API/management interface POST contains two unique tokens: one for the threat actor and one for the victim.
• When the victim reaches another page asking for information—such as credit card information, CCV, and SSN—a separate POST is created, as a backup if the victim decides to quit.
• A threat actor can view and share the POST data to their personal Telegram channel as soon as the data is sent to the API. 

Gains for scammers

• Using this information to gain initial access to corporate networks for ransomware may also be possible for more advanced threat actors.
• Criminals using the kit listed hacked account balances of various victims on various Telegram channels and dark web forums for selling purpose.
• The estimated amount of money threat actors have access to amounts to over $500,000.

How to stay safe?

• Do not click on links sent through SMS and email.
• Use a password manager across all accounts.
• Enable multi-factor authentication for all accounts.
• Mandatory phishing training for employees and other partners.
• Monitor and analyze network traffic to detect suspicious activity.

Conclusion