Robin Banks might be robbing your bank

July 26, 2022
in Cybersecurity News
Key findings from our analysis:

    • Robin Banks is a phishing-as-a-service (PhaaS) platform, first observed in March 2022, selling ready-made phishing kits to cyber criminals aiming to gain access to the financial information of individuals residing in the U.S., as well as the U.K., Canada, and Australia.
    • In mid-June, IronNet researchers discovered a new large-scale campaign using the Robin Banks platform to target victims via SMS and email, with the goal of accessing credentials and financial information relating to Citibank, in addition to Microsoft account credentials.
    • The main motivation for scammers using this kit appears to be financial; however, the kit also asks victims for their Google and Microsoft credentials when they navigate to the phishing landing page, indicating it could be used by more advanced threat actors looking to gain initial access to corporate networks for ransomware or other post-intrusion activities.

Initial Access Brokers (IABs), or criminal actors who sell network access in the form of stolen credentials or initial access tools, have become prolific in today's cyber threat landscape. One very popular tool sold for system access is a phishing kit, offered through phishing-as-a-service (PhaaS) platforms that provide the capabilities needed to carry out a successful attack.

Typically, these kits include sets of files that are pre-packaged to contain all the code, graphics, and configuration files necessary to create a phishing page. This can include features like curated databases of targets or branded email templates, and they are often designed to be easily deployable and reusable. Thus, they provide a quick and easy way for threat actors of all skill levels to gain access to accounts and systems of interest.

Robin Banks: a new PhaaS platform on the market

IronNet researchers have recently observed an active cyber crime syndicate launching a new PhaaS platform, selling phishing kits to cyber criminals who specialize in social engineering scams. Known as Robin Banks, this threat actor provides ready-made phishing kits primarily targeting U.S.-based financial companies, as well as a number of companies in the U.K., Canada, and Australia.

Financial institutions advertised on the website include Bank of America, Capital One, Citibank, Wells Fargo, and more. They also offer templates to phish Google, Microsoft, and T-Mobile information, as well as international companies like Lloyds Bank of England, Netflix in Canada, and Commonwealth Bank in Australia.

Based on network traffic analysis and open-source research by our analysts, Robin Banks has been using the IP 5.206.227[.]166 and/or has been active since at least August 2020. The scammer's newest platform, discussed in this blog, has been in operation since March or April 2022.

Accessing the platform

In order for customers to access the robinbanks[.]in website, they are required to create an account login with an email and password and to pay via Bitcoin. Upon entering the site, customers are presented with a well-organized dashboard, offering a sidebar with options to set up a new page, monitor existing pages, add funds to the wallet, and more. This is also where customers can access a number of options to craft a custom phishing kit.

Robin Banks dashboard & sidebar

The Robin Banks website has a more sophisticated yet user-friendly web GUI than 16Shop and BulletProftLink, two well-known phishing kits that are also considerably more expensive than Robin Banks. Over the last few months, Robin Banks has gained many new customers and has been one of the few PhaaS platforms to consistently update its templates.

Pricing

Single pages, which include any future updates and 24/7 support, run for $50/month on Robin Banks. For full access, which includes access to all pages as well as any future updates and 24/7 support, Robin Banks charges users $200/month.

On average, a single kit deployed via a PhaaS provider can cost anywhere between $150 and $300/month, sometimes more depending on the services offered.

Robin Banks pricing page

Customizing the phishing kit

When customizing a kit through Robin Banks, threat actors can choose from a myriad of brands to impersonate and whose customers to target. Customers have various customization options, such as whether to opt into blocking users based on user agent strings or to use reCAPTCHA when bot activity is detected.

Crafting a phishing page on the Robin Banks platform

Deploying the phishing kit

Upon accessing the initial URL sent through a scam SMS or email, the victim will be presented with either the phishing page content or, if the system detects a possible bot, a separate landing page that requires the completion of a reCAPTCHA. This is to prevent web scanners from automatically detecting phishing pages.

Once the reCAPTCHA is completed (if required), the victim will then be redirected to the landing page hosting the phishing content (the landing page is consistently hosted at the domain root with the path /dfsajsk.php). The content of the phishing page is hosted both locally to the unique instance and centrally via Robin Banks infrastructure.

As the victim accesses the landing page, their browser is fingerprinted via its user agent string to render content based on their device type (mobile vs. desktop). When the victim proceeds to complete all the form fields on the site, the domain will then POST all data to the Robin Banks API (hosted at Rbresults[.]pm / 185.61.137[.]142).

POST request containing a sample of phished data

The POST contains two unique tokens: one being the token used by the threat actor to interact with the API/management interface, and the second being the victim's.

By inspecting the network traffic, it is clear that the number of POSTs depends on the number of unique pages requesting data from the victim. In other words, each time the victim reaches another page requesting information (such as their credit card data, CCV, SSN, etc.), a separate POST is created, likely as a fail-safe in case the victim decides to abandon the form before completing it.

Once the POST data is sent to the API, it can be viewed in the threat actors' management interface, where they have the option of immediately sharing the data to their private Telegram channel. Since the data is sent to the Robin Banks API and thus resides on its infrastructure, not only is the threat actor able to view stolen data, but the administrators of Robin Banks are as well.

Case Study: Investigating an active phishing campaign using Robin Banks

In mid-June 2022, IronNet researchers observed a large-scale campaign using the Robin Banks phishing kit, targeting victims via SMS and email. The goal behind this campaign was to access credentials and financial information relating to Citibank, in addition to Microsoft account credentials.

Example of a phishing attempt from this campaign

Based on investigation of the threat actor, this campaign proved very successful. A large number of victims had their account information sold via the dark web and various Telegram channels.

Recently, IronNet researchers have observed this threat actor attempting to expand their campaign and increase its effectiveness. This includes purchasing additional phishing kits from Robin Banks, in addition to the kit they already have targeting Citibank users, in order to target the customers of other companies. It also includes efforts to diversify their hosting platforms by using a myriad of services such as AWS, Microsoft, DigitalOcean, Oracle, and Google, as well as Cloudflare services. And, aligning with a trend seen with other Robin Banks scammers, the threat actor behind this campaign was observed using Dynamic DNS (DDNS) to diversify network traffic.

Motivation of threat actors using the Robin Banks PhaaS platform

Threat actors using this phishing kit tend to target the everyday user, with the goal of making as much profit as possible. The main motivation for using this kit appears to be financial, based on the kit's primary functional purpose of stealing banking credentials and other financial information.

Cyber criminals using the Robin Banks kit often post the financial data of their victims on Telegram and various other websites, listing the hacked account balances of various victims. Some users even use Telegram to resell phishing kits they purchased from Robin Banks.

Through analyzing open-source intelligence and various forensic artifacts, IronNet researchers were not only able to identify potential suspects behind the platform itself, but were also able to calculate the estimated amount of money threat actors have had access to using the Robin Banks PhaaS platform.

We assess that through the various phishing campaigns using Robin Banks kits, criminal actors have had access to a surplus of over $500,000, an amount that is rising daily.

Notably, the kit also asks users for their Google and Microsoft credentials when they navigate to the phishing landing page, indicating it could be used by more advanced threat actors looking to gain access to corporate networks for ransomware or other post-intrusion activities.

How IronDefense defends against Robin Banks

IronNet's network detection and response solution, IronDefense, includes Phishing HTTPS, Domain Analysis, and Credential Phishing behavioral analytics that protect against this type of activity.

  • Our IronDefense Phishing HTTPS analytic works to specifically identify communications with phishing domains that are using targeted brand imitation via HTTPS, as well as to flag any time a user appears to be interacting with a phishing link or submitting sensitive information to a suspicious external entity.
  • Our Credential Phishing analytic identifies when account credentials are transmitted to external destinations via the HTTP protocol.
  • Our Domain Analysis analytic also flags activity that could indicate phishing by evaluating outgoing communications from an internal host to a new or unusual domain.
  • In addition, Threat Intelligence Rules (TIRs) have been created for all IOCs and deployed in all IronNet instances.

IronDefense Phishing HTTPS detection of an active phishing page using Robin Banks

Conclusion

The purpose of this research is to shed light on a previously unreported PhaaS platform that is being actively used by cyber criminals to attack users, steal account credentials, and more. With phishing being one of the most used techniques by threat actors to gain initial access, it is increasingly important to discover and monitor PhaaS platforms, such as Robin Banks, that facilitate cyber attacks on a mass scale.

Overall, Robin Banks is just one of the platforms selling phishing kits on the market right now. It is not more sophisticated or widely used than other PhaaS platforms, but it does stand out for the 24/7 support it provides to customers and its distinct dedication to pushing updates, fixing bugs, and adding features to its kits.

Given the criminal operator's clear dedication to managing and improving the platform, we expect the threat actor behind Robin Banks to change tactics or tooling as a result of this report. This could include attempts to change attack infrastructure, alter the platform domain, change customer permissions, or add new phishing kit features in an effort to make them more evasive.

IronNet Threat Research will be releasing a second blog on the Robin Banks platform in the near future, providing additional IOCs, data, and analysis from our researchers.

Mitigations for phishing attacks

In order to protect yourself and your organization from falling victim to a phishing attempt, you should take a multi-pronged approach. This includes:

  • Do not click on links sent through SMS and email, especially if asked to access your account or enter your credentials.
  • Use a password manager to ensure the use of unique credentials across all accounts.
  • Enable multi-factor authentication (MFA) for all accounts.
  • Require phishing training for employees and other partners.
  • Monitor and analyze network traffic to detect suspicious activity, as is done by IronNet's IronDefense platform.

Other MITRE ATT&CK® mitigations for phishing:

  • M1049 Antivirus / Antimalware
  • M1031 Network Intrusion Prevention
  • M1021 Restrict Web-Based Content
  • M1054 Use anti-spoofing and email authentication mechanisms (Software Configuration)
  • M1017 User Training

Relevant MITRE ATT&CK TTPs and IronNet Defense

ID: T1566
Tactic & Technique: Initial Access: Phishing
IronDefense Analytics: Phishing HTTPS, Domain Analysis, Credential Phishing
Use: Threat actors using the Robin Banks platform conduct phishing. IronNet's Phishing HTTPS analytic attempts to detect SNIs that may be associated with malicious links and fake web content, and IronNet's Domain Analysis analytic will fire on the newly created phishing website.

IOCs

Admin Server:
  • 5.206.227[.]166
  • Robinbanks[.]in
  • Robinbnks[.]in
  • robinbanks[.]cc

Content Hosting:
  • Rbpages[.]nl
  • Rbpagev2[.]in
  • Rbresults[.]pm
  • 185.61.137[.]142

Network Threat Hunting

Method and description:
  • GET to dfsajsk[.]php: indicative of communication with the landing page
  • GET to rbpagev2[.]in: indicative of loading content on the landing page
  • POST to 185.61.137[.]142: indicative of a successful phish
  • https://urlscan.io/search/#page.url%3Adfsajsk.php: URLScan search query
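The three network-hunting methods above, together with the deployment flow described earlier (landing page at /dfsajsk.php, content loaded from rbpagev2[.]in, form data POSTed to the results API at 185.61.137[.]142), map directly onto a per-host hunt over HTTP proxy logs. The script below is an added example and is not IronNet's or Robin Banks' code: it refangs the published indicators, parses constructed log lines in a hypothetical "<src> <METHOD> <host> <path>" format, and escalates any internal host that both loaded the landing page and then POSTed to the API, which is the sequence the article associates with a completed phish. The log format, the internal IP addresses and the non-IOC hostnames are all constructed for the example.

```python
"""Hunting for Robin Banks activity in HTTP proxy logs (added example)."""
from dataclasses import dataclass
import re

# Indicators from the article, kept defanged exactly as published.
LANDING_PATH = "dfsajsk.php"
CONTENT_HOST = "rbpagev2[.]in"
API_IP = "185.61.137[.]142"


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as '1.2.3[.]4' back into a matchable string."""
    return ioc.replace("[.]", ".")


@dataclass
class HttpEvent:
    src: str     # internal source host
    method: str  # GET or POST
    host: str    # destination host header or IP
    path: str    # request path (query string included if present)


# Hypothetical log format used only for this example: "<src> <METHOD> <host> <path>".
LINE_RE = re.compile(r"^(\S+)\s+(GET|POST)\s+(\S+)\s+(\S+)$")


def parse_line(line: str):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return HttpEvent(*m.groups()) if m else None


def match_indicators(ev: HttpEvent) -> list:
    """Return the hunting-table descriptions that apply to a single event."""
    hits = []
    path_only = ev.path.split("?")[0]
    if ev.method == "GET" and path_only.endswith("/" + LANDING_PATH):
        hits.append("landing page")
    if ev.method == "GET" and ev.host == refang(CONTENT_HOST):
        hits.append("content load")
    if ev.method == "POST" and ev.host == refang(API_IP):
        hits.append("post to api")
    return hits


def hunt(lines) -> dict:
    """Group indicator hits by source host and assign a verdict per host.

    A host that reached the landing page and later POSTed to the results API
    is rated highest, since that is the sequence of a completed submission.
    Hosts with no hits are omitted.
    """
    per_host = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than abort the hunt
        for hit in match_indicators(ev):
            per_host.setdefault(ev.src, []).append(hit)

    verdicts = {}
    for src, hits in per_host.items():
        if "landing page" in hits and "post to api" in hits:
            verdicts[src] = "HIGH: landing page followed by POST to API"
        elif "post to api" in hits:
            verdicts[src] = "HIGH: POST to API"
        else:
            verdicts[src] = "MEDIUM: " + ", ".join(sorted(set(hits)))
    return verdicts


# Constructed sample log; everything except the article's IOCs is made up.
SAMPLE_LOG = [
    "10.0.0.5 GET intranet.test /index.html",
    "10.0.0.7 GET phish-landing.test /dfsajsk.php?id=1",
    "10.0.0.7 GET rbpagev2.in /assets/app.js",
    "10.0.0.7 POST 185.61.137.142 /api/submit",
    "10.0.0.9 GET phish-landing.test /dfsajsk.php",
    "not a log line",
]

if __name__ == "__main__":
    for src, verdict in sorted(hunt(SAMPLE_LOG).items()):
        print(src, verdict)
```

In a real hunt the parser would be swapped for the proxy or Zeek log format in use; the indicator matching and the per-host escalation logic are the parts worth keeping.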