Russian Server Revives Robin Banks’ Phishing Service for Cybercriminals

The attack infrastructure of Robin Banks, a phishing-as-a-service (PhaaS) platform, has been moved to DDoS-Guard, a Russian hosting provider.

The transfer was made after “Cloudflare disassociated Robin Banks phishing infrastructure from its services, causing a multi-day disruption to operations,” according to a report from cybersecurity firm IronNet.

Since Cloudflare decided to blacklist its infrastructure following public disclosure, the Robin Banks actor has moved its frontend and backend to DDoS-Guard, which formerly hosted the infamous Kiwi Farms and the alt-tech social network Parler.

According to the researchers, “this hosting service is also infamous for refusing to cooperate with takedown orders, making it more tempting in the eyes of threat actors.”

The most notable of the newly added upgrades is a cookie-stealing feature, which is seen as an effort to cater to a wider clientele, including advanced persistent threat (APT) groups trying to compromise specific enterprise environments. It is available for $1,500 a month.

This is accomplished through the reuse of code from evilginx2, an open source adversary-in-the-middle (AiTM) attack framework used to steal login credentials and session cookies from Google, Yahoo, and Microsoft Outlook, even on accounts with multi-factor authentication (MFA) enabled.
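To make the MFA point concrete from the defender's side, the following added example (not code from Robin Banks, evilginx2, or IronNet) simulates both halves of the story: a relaying proxy that forwards a user's password and one-time code to the real site and keeps the session cookie it gets back, and an origin-bound second factor in the style of WebAuthn, where the authenticator signs the origin the browser actually saw, so a relay on a look-alike domain cannot produce an assertion the real site accepts. The origins, users, passwords and the HMAC-based "signature" are constructed stand-ins for illustration.

```python
"""Why an AiTM relay defeats OTP-style MFA but not an origin-bound factor.

Added illustration; all names, origins and the toy protocol are constructed.
HMAC stands in for the public-key signature a real authenticator would use.
"""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.example.com"            # constructed real site
PROXY_ORIGIN = "https://login.example-secure.com"    # constructed look-alike


class OtpService:
    """Server whose second factor is a code the user types in."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, password, otp):
        # Toy credential check; a real server verifies against its stores.
        if password == "hunter2" and otp == "123456":
            cookie = secrets.token_hex(16)
            self.sessions[cookie] = user
            return cookie
        return None

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class RelayProxy:
    """Sits between victim and real site, forwards everything, keeps the cookie.

    Nothing in the OTP flow ties the code to where the user typed it, so the
    forwarded code is just as valid as a direct one.
    """

    def __init__(self, upstream):
        self.upstream = upstream
        self.captured = None

    def login(self, user, password, otp):
        cookie = self.upstream.login(user, password, otp)
        self.captured = cookie          # the session the proxy walks away with
        return cookie


class Authenticator:
    """Origin-bound authenticator: signs challenge together with the origin seen."""

    def __init__(self, key):
        self.key = key

    def sign(self, challenge, origin_seen):
        client_data = f"{challenge}|{origin_seen}"
        sig = hmac.new(self.key, client_data.encode(), hashlib.sha256).hexdigest()
        return client_data, sig


class OriginBoundService:
    """Server that verifies the signature AND the origin embedded in client data."""

    def __init__(self):
        self.keys = {}          # user -> registered key (stand-in for public key)
        self.challenges = {}    # user -> outstanding single-use challenge

    def register(self, user, key):
        self.keys[user] = key

    def challenge(self, user):
        c = secrets.token_hex(16)
        self.challenges[user] = c
        return c

    def finish(self, user, client_data, sig):
        expected = hmac.new(self.keys[user], client_data.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        challenge, _, origin = client_data.partition("|")
        # Challenge is single-use; origin must be the site's own, not a relay's.
        if challenge != self.challenges.pop(user, None) or origin != REAL_ORIGIN:
            return None
        return secrets.token_hex(16)


def otp_relay_succeeds():
    """Victim types password + OTP into the proxy; proxy ends up with a live session."""
    svc = OtpService()
    proxy = RelayProxy(svc)
    proxy.login("alice", "hunter2", "123456")
    return svc.whoami(proxy.captured) == "alice"


def origin_bound_relay_fails():
    """Same relay, but the authenticator signs the look-alike origin it saw."""
    svc = OriginBoundService()
    key = secrets.token_bytes(32)
    svc.register("alice", key)
    auth = Authenticator(key)
    c = svc.challenge("alice")                         # proxy forwards the challenge
    client_data, sig = auth.sign(c, PROXY_ORIGIN)      # browser is on the proxy's domain
    return svc.finish("alice", client_data, sig) is None


def origin_bound_direct_succeeds():
    """Control case: the same authenticator used directly on the real origin."""
    svc = OriginBoundService()
    key = secrets.token_bytes(32)
    svc.register("alice", key)
    auth = Authenticator(key)
    c = svc.challenge("alice")
    client_data, sig = auth.sign(c, REAL_ORIGIN)
    return svc.finish("alice", client_data, sig) is not None


if __name__ == "__main__":
    print("OTP relay captures session:", otp_relay_succeeds())
    print("Origin-bound relay rejected:", origin_bound_relay_fails())
    print("Origin-bound direct accepted:", origin_bound_direct_succeeds())
```

The design point is that the OTP service has no way to tell a forwarded code from a direct one, whereas the origin-bound service checks something the relay cannot forge: the origin the browser reports to the authenticator. On the detection side, the same property means a spike in assertions rejected for an unexpected origin is worth alerting on.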

According to reports, Robin Banks has also added a new security mechanism that requires its users to enable two-factor authentication (2FA) in order to view the stolen data through the service. Alternatively, users can receive the information through a Telegram bot.

Another noteworthy aspect is its use of Adspect, an ad fraud monitoring service, to send phishing campaign targets to the malicious websites while diverting scanners and unwanted traffic to benign websites in order to evade detection.

The findings are only the latest in a string of new PhaaS services that have appeared in the threat landscape, such as Frappo, EvilProxy, and Caffeine, making cybercrime more accessible to both inexperienced and skilled bad actors.

Additionally, as was recently seen in the case of Uber, the improvements also show the growing need for threat actors to rely on techniques such as prompt bombing (also known as MFA fatigue) and AiTM to bypass security controls and obtain initial access.

The Robin Banks phishing kit’s architecture relies mainly on open source code and commercially available technology, the researchers noted, serving as a prime illustration of the lowering barrier to entry not only for executing phishing attacks but also for developing a PhaaS platform for others to use.
