Phishing-as-a-service (PhaaS) platform Robin Banks has relocated its infrastructure to a “notorious Russian provider” rarely swayed by ethics or takedown requests, after being booted from the US-based CDN provider (opens in new tab) Cloudflare in July 2022.
Cloudflare originally took action following a report (opens in new tab) from cybersecurity threat research company IronNet published in the same month, but new follow-up research (opens in new tab) confirms that this wasn’t enough to put the service on ice.
Furthermore, IronNet claims that Robin Banks has seen feature updates, such as a “cookie stealer” that can be used to evade multi-factor authentication (MFA) checks that hope to make the service even more dangerous to potential victims.
Moving to Russia
According to IronNet’s original reporting, IronNet provided threat actors with an easy and convenient way to try and steal sensitive data from businesses, bank customers and others keeping sensitive data.
Among other techniques, the service could fooled users by offered fake landing pages for legitimate services offered by Google and Microsoft.
Following a three-day long outage, Robin Banks’ organizers relocated its front-end and back-end infrastructure to DDOS-GUARD, a popular Russian hosting provider that’s known for supporting threat actors and ignoring takedown requests.
The PhaaS platform has also since introduced two-factor authentication to the service, allowing kit customers to view phished information via a central graphical user interface (GUI).
Adding insult to injury, the new cookie stealer capability is locked behind a subscription add-on service, meaning that the phishing kit’s developers stand to profit even more, with no simple way of stopping them in their tracks.
According to IronNet, the Robin Banks phishing kit relies heavily on open-source code and tools found off-the-shelf. Packaged as a service, they significantly lower the barrier to entry for anyone interested in engaging in phishing attacks.
Phishing, a cybercrime practice in which hackers look to “fish” sensitive information via fake emails, landing pages, and mobile applications, is one of the most popular methods for stealing login and other data targeted in cases of identity theft.
Via: The Hacker News (opens in new tab)