- Robin Banks is a phishing as a service (PhaaS) platform that targets financial institutions, including cryptocurrency exchanges
- This PhaaS can circumvent multi-factor authentication (MFA) by capturing the one-time codes users enter
- These campaigns show that MFA alone is no longer a panacea against phishing. Despite the short validity window of MFA codes, recently publicized compromises such as 0ktapus show that capturing and relaying codes in real time is a successful strategy
- Lookout phishing and content protection (PCP) customers are protected from the domains associated with Robin Banks.
What is Robin Banks Phishing as a Service?
Robin Banks is a phishing as a service (PhaaS) platform discovered by IronNet in July 2022 that has been active as recently as September 2023. It sells phishing kits for deployment by its customers. Since the most recent public reporting in November 2022, Robin Banks has gone largely unnoticed. Lookout has discovered renewed phishing activity and a pivot to targeting cryptocurrency services.
The operators of Robin Banks mainly target banking institutions worldwide through SMS and email. Robin Banks initially used Cloudflare to proxy its phishing sites but was removed from the service after IronNet's exposure. They have since switched to DDoS-Guard as a proxy, as noted in IronNet's second update in November 2022.
One of the notable features of this phishing kit is its ability to capture two-factor authentication (2FA) codes through evilginx2-based Adversary-in-the-Middle (AiTM) proxying, as reported in IronNet's initial blog.
Previously reported indicators: July 2022-February 2023
At first glance, it is not apparent whether Robin Banks shut down after February 2023 or reappeared in another form. Since the retooling in August 2022, the content domains (such as dumb1[.]su and dumb1[.]ru) are no longer loaded when users arrive on the page, and internet scanners have shown these sites as non-resolvable since October 2022. The infrastructure IronNet discovered (domains with robinbanks, rb or ironnet in the hostname) is also no longer active.
Since August 2022 all phishing pages have been protected by hCaptcha [Image 1], as opposed to the reCAPTCHA Robin Banks originally used. With no ties to the content domains and an anti-analysis captcha gating every page, automated analysis can no longer obtain any information beyond the captcha page.
One of the known IoCs used for tracking Robin Banks is the PHP file name dfsajsk[.]php. A historical search of phishing URLs with this file name returns a number of domains hosted on Google Cloud or DigitalOcean. Example IPs include 34.106.52[.]239 (Google), 143.198.100[.]29 (DigitalOcean) and 137.184.72[.]148 (DigitalOcean). The last active domain with dfsajsk[.]php was notify39se-chse[.]com, last seen active on 2023-02-03.
New indicators discovered by Lookout: Since November 2022
With the last appearance of dfsajsk[.]php pages, the trail for Robin Banks went cold. However, by tracking the captcha pages, we were able to locate the two latest sets of Robin Banks PhaaS phishing pages and identify new PHP file names that can be used as IoCs. The first, klssza[.]php, started appearing on November 5th 2022, two days after IronNet's latest blog. Domains with the new version are also primarily hosted on Google Cloud and DigitalOcean. Around April 2023, the phishing domains associated with klssza[.]php shifted to hosting at Orange Romania, where we can track recent domains on IP 109.122.221[.]156. In mid-June 2023, some of this activity moved again to a new Orange Romania IP, 103.212.81[.]230. In September 2023, a new domain, auth.nfix[.]online, appeared on DigitalOcean IP 139.59.108[.]187.
The second set of newly discovered Robin Banks phishing pages can be found using the URL path klsnew[.]php. A new set of domains appeared starting April 2023 as well, hosted at Orange Romania on IP 109.122.221[.]135. Phishing domains on this IP address branched out to target cryptocurrency services such as Coinbase in addition to banking institutions.
Robin Banks has a number of capabilities that are common to newer phishing kits:
- Use of hCaptcha (previously reCAPTCHA) to thwart automated analysis and bots
- An AiTM proxy with the ability to capture user-entered MFA tokens.
During our investigation, we were able to connect to an unprotected Robin Banks phishing site that appeared to be defunct, last active in February 2023. While the phishing page itself was not accessible, we were able to reach the live operator panel.
Clicking on an entry reveals a "Manage Session" page with the captured credential information as well as action buttons for 2FA capture and Gmail access. For 2FA-protected accounts, there is only a short window for threat actors to use the captured credentials and authenticate; after that, the 2FA code becomes invalid and a new one is required. This sessions page allows active, hands-on phishing. After a brief engagement we were disconnected from the site and were unable to regain access.
Even though activity was seen as recently as September of this year, it appears the developer behind Robin Banks went underground in November 2022 to change infrastructure and tactics to avoid being found again. However, phishing activity is ongoing, and the screenshots we captured of the session pages show that the kit requires live operators to take over victims' active login sessions, which indicates the kit is still being sold in a service model.
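The "short window" above is set by how time-based one-time passwords work. The following is an added example in Python (not code from the Robin Banks kit, evilginx2 or Lookout) that implements RFC 6238 TOTP generation and verification and computes how long a code captured by an AiTM proxy stays usable. The secret is the RFC 6238 Appendix B test key, the timestamps are constructed, and a server tolerance of one 30-second step either side of the current time is an assumption (a common default, not something the post states).

```python
# Added example (Python, not code from the Robin Banks kit or from Lookout):
# RFC 6238 TOTP generation and verification, used to show how long a code
# captured by an AiTM proxy remains usable. The secret and timestamps are
# constructed test values (the secret is the RFC 6238 Appendix B test key).
import hashlib
import hmac
import struct

STEP = 30     # RFC 6238 default time step, seconds
DIGITS = 6
DRIFT = 1     # steps of tolerance either side of "now" (assumed server default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step)


def verify(secret: bytes, code: str, at: int, step: int = STEP, drift: int = DRIFT) -> bool:
    """Accept the code if it matches any counter within +/- drift steps of 'at'."""
    counter = at // step
    candidates = (hotp(secret, counter + d) for d in range(-drift, drift + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


def replay_window_seconds(captured_at: int, step: int = STEP, drift: int = DRIFT) -> int:
    """Seconds after capture during which a relayed code is still accepted.

    The last step the server will accept is floor(captured_at/step) + drift;
    the code dies when that step ends.
    """
    last_accepted_step_end = (captured_at // step + drift + 1) * step
    return last_accepted_step_end - captured_at


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key, constructed
    captured_at = 1111111109           # moment the victim typed the code into the proxy
    code = totp(secret, captured_at)   # "081804"
    print("captured code:", code)
    for delay in (0, 2, 31, 60):
        print(f"replay after {delay:>2}s ->", verify(secret, code, captured_at + delay))
    print("replay window:", replay_window_seconds(captured_at), "seconds")
```

With the victim's code captured one second before a step boundary, the operator has 31 seconds (the rest of that step plus one drift step) to complete the login, which is why the panel is designed for a live operator rather than batch replay. The window exists only because the proxy sits between victim and real site in real time; an origin-bound authenticator (FIDO2/WebAuthn) has no relayable code at all.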
With MFA bypass becoming a more critical piece of the attack chain for threat actors targeting both individuals and organizations, we will continue to track Robin Banks to see how its infrastructure, use, and tactics continue to evolve.
Indicators of Compromise
A known list of Robin Banks PhaaS domains with the latest PHP file names is given at the end of the document. Some of the known IP addresses hosting the domains are:
81.28.6[.]5 (Kamatera Inc)
109.122.221[.]135 (Orange Romania)
109.122.221[.]156 (Orange Romania)
103.212.81[.]230 (Orange Romania)
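To put the PHP file names, hosting IPs and domains from this post to work, the following is an added example in Python (not Lookout's tooling) that refangs the published indicators and matches them against web-proxy log lines. The indicators are the ones named in the text above; the log format, the log lines, and the internal hosts in them are constructed for the demonstration.

```python
# Added example (Python, not Lookout's tooling): match the Robin Banks
# indicators published in this post against web-proxy log lines. The
# indicators (PHP file names, hosting IPs, domains) are taken from the text;
# the log format and the log lines themselves are constructed for the demo.
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Kit PHP file names observed across the campaign's generations.
KIT_PHP_NAMES = {"dfsajsk.php", "klssza.php", "klsnew.php"}

# Hosting IPs named in the post, kept defanged as published.
HOSTING_IPS_DEFANGED = [
    "34.106.52[.]239",    # Google, dfsajsk.php era
    "143.198.100[.]29",   # DigitalOcean, dfsajsk.php era
    "137.184.72[.]148",   # DigitalOcean, dfsajsk.php era
    "81.28.6[.]5",        # Kamatera Inc
    "109.122.221[.]135",  # Orange Romania, klsnew.php
    "109.122.221[.]156",  # Orange Romania, klssza.php
    "103.212.81[.]230",   # Orange Romania, klssza.php
    "139.59.108[.]187",   # DigitalOcean, auth.nfix[.]online
]
DOMAINS_DEFANGED = ["notify39se-chse[.]com", "auth.nfix[.]online"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


HOSTING_IPS = {ipaddress.ip_address(refang(i)) for i in HOSTING_IPS_DEFANGED}
DOMAINS = {refang(d).lower() for d in DOMAINS_DEFANGED}


@dataclass(frozen=True)
class Hit:
    line_no: int
    reason: str
    indicator: str


# Constructed log format: "<timestamp> <client-ip> <dest-ip> <method> <url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def classify(line_no: int, line: str) -> list[Hit]:
    """Return every indicator match for one log line (empty if none or unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits: list[Hit] = []
    parts = urlsplit(m["url"])
    host = (parts.hostname or "").lower()
    leaf = parts.path.rsplit("/", 1)[-1].lower()   # file name only, query string excluded
    if leaf in KIT_PHP_NAMES:
        hits.append(Hit(line_no, "kit php file name", leaf))
    if host in DOMAINS:
        hits.append(Hit(line_no, "known phishing domain", host))
    try:
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        dst = None
    if dst is not None and dst in HOSTING_IPS:
        hits.append(Hit(line_no, "known hosting ip", str(dst)))
    return hits


def hunt(log_text: str) -> list[Hit]:
    """Scan a whole log and collect hits in line order."""
    return [h for n, line in enumerate(log_text.splitlines(), 1) for h in classify(n, line)]


# Constructed sample log; hosts other than the published indicators use reserved example names/ranges.
SAMPLE_LOG = """\
2023-09-12T10:01:02Z 10.0.0.5 139.59.108.187 GET https://auth.nfix.online/klssza.php
2023-04-20T08:15:00Z 10.0.0.9 109.122.221.135 POST https://login-verify.example/klsnew.php?step=2
2023-04-20T08:16:00Z 10.0.0.9 203.0.113.10 GET https://intranet.example/index.php
2023-02-03T12:00:00Z 10.0.0.2 34.106.52.239 GET http://notify39se-chse.com/dfsajsk.php
this line is not in the expected format
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.reason} -> {hit.indicator}")
```

The file-name match is the most durable of the three signals: the post shows hosting moving from Google and DigitalOcean to Orange Romania and back while the PHP names persisted, so a hit on the path alone is worth triage even when the destination IP is new. Lines that match only on IP deserve a second look, since shared hosting ranges can carry unrelated traffic.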
klsnew[.]php domain list
klssza[.]php domain list