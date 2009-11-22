Robin Banks phishing service reemerges on Russian platform:
Robin Banks, the phishing-as-a-service (PHaaS) platform that was kicked off Cloudflare for malicious activity, is back in action with a Russian service provider and new tools to make it easier to bypass security measures.
IronNet's Threat Research unit first wrote about Robin Banks in July, detailing a threat group that was selling phishing kits to cybercriminals who then would use those tools to steal credentials and financial data of people in the US, the UK, Canada, and Australia.
Additionally, the attackers worked to steal Google and Microsoft credentials, indicating Robin Banks was also interested in establishing initial access that could then be used by other cybercriminals for advanced attacks like ransomware.
The crew has been operating since at least March 2022, researchers said. A major campaign in July targeted information relating to Citibank and Microsoft.
The operators behind Robin Banks have since moved their infrastructure to DDoS-Guard, a Russian service provider known for hosting phishing and other criminal activities, IronNet researchers write in a report this week.
In addition, DDoS-Guard has hosted conspiracy theory content from the likes of Qanon and 8chan as well as the official site for the Hamas terrorist group.
[...] Robin Banks also introduced a cookie-stealing capability to bypass 2FA and MFA protections, using a tool that IronNet researchers said appears to be based on evilginx2, an open-source, pre-built framework for adversary-in-the-middle attacks. Attackers can use the framework to phish for login credentials and cookies – or authentication tokens – enabling them to bypass 2FA and MFA on platforms like Google, Yahoo, and Microsoft Outlook.
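The reason a proxied login defeats one-time codes is that the session cookie the server issues after the second factor is a bearer token: whoever holds the string is accepted. Origin-bound authenticators (WebAuthn/FIDO2) close that gap because the browser stamps the origin of the page the user is actually on into the signed client data, and the relying party rejects anything signed for a different origin. The toy relying party below is an added illustration, not code from the article, IronNet, or evilginx2; every origin, user name and key in it is constructed for the example, and the WebAuthn signature check is omitted so only the origin logic is shown.

```python
"""Toy relying party contrasting a bearer session cookie, which validates for
whoever presents it, with a WebAuthn-style assertion that is bound to the page
origin. All origins, names and keys are constructed for this example."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)                      # constructed server signing key
RP_ORIGIN = "https://login.example-bank.test"             # constructed legitimate origin
PROXY_ORIGIN = "https://login.example-bank-secure.test"   # constructed lookalike origin


def issue_session_cookie(user: str) -> str:
    """Cookie issued after password + one-time code: an HMAC over the user id.
    Nothing in it ties the cookie to the client that completed the login."""
    tag = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def verify_session_cookie(cookie: str) -> Optional[str]:
    """Return the user if the cookie is authentic, regardless of who presents it."""
    try:
        user, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, expected) else None


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    """Shape of WebAuthn clientDataJSON. The browser, not the page's script,
    fills in the origin of the page the user is interacting with."""
    body = {"type": "webauthn.get", "challenge": _b64url(challenge), "origin": page_origin}
    return json.dumps(body).encode()


def verify_assertion_origin(client_data: bytes, challenge: bytes, expected_origin: str) -> bool:
    """Relying-party check of type, challenge and origin (signature check omitted)."""
    data = json.loads(client_data)
    return (
        data.get("type") == "webauthn.get"
        and hmac.compare_digest(str(data.get("challenge", "")), _b64url(challenge))
        and data.get("origin") == expected_origin
    )


def demo() -> dict:
    """Run both flows and report what the relying party accepts."""
    # One-time-code flow: the server issues a bearer cookie after the code is entered.
    cookie = issue_session_cookie("alice")
    # Whoever relayed the login holds the identical string; the server cannot tell.
    replayed_cookie_accepted = verify_session_cookie(cookie) == "alice"

    challenge = secrets.token_bytes(32)
    # User on the genuine site: client data carries RP_ORIGIN and is accepted.
    legit = verify_assertion_origin(browser_client_data(challenge, RP_ORIGIN), challenge, RP_ORIGIN)
    # User on a lookalike page: the browser stamps PROXY_ORIGIN, so the RP rejects it
    # even though the challenge itself was relayed unchanged.
    proxied = verify_assertion_origin(browser_client_data(challenge, PROXY_ORIGIN), challenge, RP_ORIGIN)

    return {
        "replayed_cookie_accepted": replayed_cookie_accepted,
        "assertion_from_legit_origin": legit,
        "assertion_from_proxy_origin": proxied,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints a dictionary in which the replayed cookie is accepted and the proxied assertion is rejected; that asymmetry is the whole argument for phishing-resistant MFA over one-time codes, and for treating unusual cookie reuse (new ASN, new device fingerprint shortly after login) as a detection signal.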