A phishing-as-a-service (PhaaS) platform known as Robin Banks has relocated its attack infrastructure to DDoS-Guard, a Russian provider of bulletproof hosting services.
DDoS-Guard takes over from Cloudflare after the latter caused a multi-day disruption of Robin Banks operations by distancing its services from the phishing infrastructure.
Robin Banks Phishing Service
According to a report from IronNet, DDoS-Guard “is notorious in not complying with takedown requests, thus making it more appealing in the eyes of threat actors.” Robin Banks was compelled to associate with DDoS-Guard after public disclosure made Cloudflare blocklist the phishing platform.
Developers revised the phishing kit and actively made changes to Robin Banks' attack infrastructure to be more resilient against takedowns. After being blacklisted by Cloudflare, Robin Banks relocated its front-end and back-end infrastructure to DDOS-GUARD, a well-known Russian provider that hosts various phishing sites and content for cybercriminals.
According to Brian Krebs, in addition to cybercriminals, DDOS-GUARD has also hosted content for conspiracy theory movements QAnon and 8chan, as well as the official site for the Hamas terrorist group. This hosting provider is also notorious in not complying with takedown requests, thus making it more appealing in the eyes of threat actors.
In addition to migrating its infrastructure to DDOS-GUARD, Robin Banks also started enforcing increased security on the platform, most likely out of fear someone might hack their admin interface. This included implementing and requiring two-factor authentication (2FA) in order for kit customers to view phished information via the main GUI. However, if they did not want to implement 2FA, the customers could instead opt to have the phished information sent to a Telegram bot rather than access it through the Robin Banks GUI.
There were also attempts by Robin Banks developers to make information about the platform and its customers’ activities harder to access.
Robin Banks utilizes common off-the-shelf code for its phishing kit. Within the phishing kit are two files (index.php and ob.php) that are not human-readable and were obfuscated using an open-source obfuscation script, PHP obfuscator.
Feature Updates:
Robin Banks developers implemented the Evilginx2 reverse proxy for adversary-in-the-middle attacks that steal session cookies containing authentication tokens. The reverse-proxy tool sits between the victim and the real service's server: the login request and credentials are forwarded to the legitimate service, and the session cookies it returns are captured in transit.
Phishing actors can thereby bypass MFA mechanisms, since a captured session cookie lets them log into an account while posing as its owner. These capabilities are sold separately, feature by feature. Robin Banks persists because its operators rely exclusively on readily accessible tools and services.
IOCS