Phishing-as-a-service (PhaaS) platform Robin Banks has moved its infrastructure to a “famous Russian provider” that rarely acts on abuse or takedown requests, after being blocked by the US-based CDN provider Cloudflare in July 2022.
Cloudflare originally took action after a report from the cyber threat research company IronNet, published in the same month, but a new follow-up report confirms that this was not enough to shut the service down.
In addition, IronNet says Robin Banks has gained new features such as a cookie stealer that can be used to bypass multi-factor authentication (MFA) checks, which the researchers fear will make the service even more dangerous for potential victims.
Moving to Russia
According to the original IronNet report, Robin Banks provided cybercriminals with an easy and convenient way to steal sensitive data from companies, bank customers, and others who hold sensitive data.
Among other things, the service may have deceived users by offering fake landing pages impersonating legitimate services from Google and Microsoft.
After a three-day outage, the operators of Robin Banks moved the front-end and back-end infrastructure to DDOS-GUARD, a popular Russian hosting provider known for supporting cybercriminals and ignoring takedown requests.
Since then, the PhaaS platform has also added two-factor authentication to the service and lets customers view their phishing data through a central graphical user interface (GUI).
To add insult to injury, the new cookie-stealing feature is locked behind an additional subscription, meaning even more profit for the phishing kit makers and no easy way to stop them.
According to IronNet, the Robin Banks phishing kit relies heavily on open source code and off-the-shelf tools. Packaged as a service, it significantly lowers the barrier to entry for anyone interested in running phishing attacks.
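Because a stolen session cookie lets an attacker skip the MFA prompt entirely, the signal a defender can look for is not a failed login but a session that was bound to one client at MFA time and is later presented from another. The following is an added example, not code from the article or from IronNet: a small heuristic run over constructed key=value log lines (the log format, field names and sample values are all assumptions for illustration) that flags a session cookie apparently replayed from a different browser or address than the one that completed MFA.

```python
"""
Added example (not from the article): flag session cookies that appear to be
replayed from a different client than the one that passed MFA.

Log lines are constructed key=value records, one event per line. Two event
types are assumed: 'mfa_ok' (a session finished the MFA step) and 'request'
(an authenticated request carrying that session id). Nothing here is real data.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log. Session s1 is later used from a new address and a
# scripted client; s2 only changes address; s3 never passed MFA in this window.
SAMPLE_LOG = """\
ts=100 event=mfa_ok sid=s1 user=alice ip=203.0.113.10 ua=Firefox/115
ts=130 event=request sid=s1 user=alice ip=203.0.113.10 ua=Firefox/115 path=/inbox
ts=160 event=request sid=s1 user=alice ip=198.51.100.7 ua=python-requests/2.31 path=/settings
ts=200 event=mfa_ok sid=s2 user=bob ip=192.0.2.5 ua=Chrome/116
ts=230 event=request sid=s2 user=bob ip=192.0.2.77 ua=Chrome/116 path=/inbox
ts=260 event=request sid=s3 user=carol ip=192.0.2.9 ua=Chrome/116 path=/inbox
"""


@dataclass(frozen=True)
class Alert:
    sid: str
    user: str
    ts: int
    severity: str  # "high", "medium" or "low"
    reason: str


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict (values contain no spaces here)."""
    return dict(kv.split("=", 1) for kv in line.split())


def find_replayed_sessions(log_text: str) -> List[Alert]:
    """Bind each session to the (ip, ua) seen at MFA time; alert when a later
    request with the same sid arrives from a different client.

    A changed user agent is treated as high severity (a browser does not
    normally turn into a scripting library mid-session). An address change
    alone is medium, since mobile roaming and VPNs produce those legitimately.
    A session that never passed MFA within the log window is reported as low:
    it may be log truncation, or a cookie minted elsewhere.
    """
    bound: Dict[str, Dict[str, str]] = {}
    alerts: List[Alert] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        sid = ev["sid"]
        if ev["event"] == "mfa_ok":
            bound[sid] = {"ip": ev["ip"], "ua": ev["ua"]}
            continue
        if ev["event"] != "request":
            continue
        origin = bound.get(sid)
        ts = int(ev["ts"])
        if origin is None:
            alerts.append(Alert(sid, ev["user"], ts, "low",
                                "request on a session with no MFA event in this log window"))
            continue
        if ev["ua"] != origin["ua"]:
            alerts.append(Alert(sid, ev["user"], ts, "high",
                                f"user agent changed from {origin['ua']} to {ev['ua']}"))
        elif ev["ip"] != origin["ip"]:
            alerts.append(Alert(sid, ev["user"], ts, "medium",
                                f"address changed from {origin['ip']} to {ev['ip']}"))
    return alerts


if __name__ == "__main__":
    for a in find_replayed_sessions(SAMPLE_LOG):
        print(f"[{a.severity}] sid={a.sid} user={a.user} ts={a.ts}: {a.reason}")
```

On the sample above this reports a high-severity alert for s1 at ts=160, a medium one for s2 at ts=230 and a low one for s3. The heuristic is deliberately conservative about address changes; in a real deployment the response to a high-severity hit would be to invalidate the session server-side and require a fresh MFA step, which is the only thing that actually defeats a stolen cookie.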
Phishing, a cybercrime where hackers seek to “fish” for sensitive information via fake emails, landing pages and mobile apps, is one of the most popular methods of stealing login details and other data used in identity theft cases.
Via: Hacker News