A phishing-as-a-service (PhaaS) platform known as Robin Banks has relocated its attack infrastructure to DDoS-Guard, a Russian provider of bulletproof hosting services.
DDoS-Guard takes over from Cloudflare after the latter caused a multi-day disruption of Robin Banks operations by cutting its services off from the phishing infrastructure.
Robin Banks Phishing Service
According to a report from IronNet, DDoS-Guard “is notorious in not complying with takedown requests, thus making it more appealing in the eyes of threat actors.” Robin Banks was compelled to associate with DDoS-Guard after public disclosure made Cloudflare blocklist the phishing platform.
Developers revised the phishing kit and actively made changes to Robin Banks attack infrastructure to be more resilient against takedowns. After being blacklisted by Cloudflare, Robin Banks relocated its front-end and back-end infrastructure to DDOS-GUARD, a well-known Russian provider that hosts various phishing sites and content for cybercriminals.
According to Brian Krebs, in addition to cybercriminals, DDOS-GUARD has also hosted content for conspiracy theory movements QAnon and 8chan, as well as the official site for the Hamas terrorist group. This hosting provider is also notorious in not complying with takedown requests, thus making it more appealing in the eyes of threat actors.
In addition to migrating its infrastructure to DDOS-GUARD, Robin Banks also started enforcing increased security on the platform, most likely out of fear someone might hack their admin interface. This included implementing and requiring two-factor authentication (2FA) in order for kit customers to view phished information via the main GUI. However, if they did not want to implement 2FA, the customers could instead opt to have the phished information sent to a Telegram bot rather than access it through the Robin Banks GUI.
There were also attempts by Robin Banks developers to make information about the platform and its customers’ activities harder to access.
Robin Banks utilizes common off-the-shelf code for its phishing kit. Within the phishing kit are two files (ob.php among them) that are not human-readable and were obfuscated using an open-source obfuscation script, PHP obfuscator.
Robin Banks developers implemented the Evilginx2 reverse proxy for adversary-in-the-middle attacks that steal session cookies containing authentication tokens. The reverse-proxy tool sits between the victim and the real service's server: login requests and credentials are relayed through the proxy, which captures the resulting session cookies in transit.
Phishing actors can thus bypass MFA mechanisms, since a captured cookie lets them log into the account posing as its owner. These services can be sold separately by feature. Robin Banks persists because the operators rely exclusively on readily accessible tools and services.
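One defender-side check that the cookie theft described above suggests, as an added example that is not code from the article, IronNet or the Robin Banks kit: a session cookie that completed login from one client IP and is reused from a different IP shortly afterwards is consistent with replay of a stolen cookie. The events, IP addresses, field names and the 15-minute window are constructed for the example.

```python
"""Flag session cookies reused from a different client than the one that
completed the login. Sample events are constructed, not real logs."""
from collections import namedtuple
import hashlib

Event = namedtuple("Event", "ts user action ip session")

# Constructed events: alice logs in from 203.0.113.10 (a proxy in an AiTM
# scenario), then her session cookie appears from 198.51.100.7 two minutes
# later. bob logs in and keeps using the same IP.
SAMPLE_EVENTS = [
    Event(1000, "alice", "login_ok", "203.0.113.10", "sess-A"),
    Event(1120, "alice", "api_call", "198.51.100.7", "sess-A"),
    Event(1500, "bob",   "login_ok", "192.0.2.44",   "sess-B"),
    Event(1530, "bob",   "api_call", "192.0.2.44",   "sess-B"),
]


def fingerprint(session_id):
    # Keep only a hash of the cookie value so the detector never stores the raw token.
    return hashlib.sha256(session_id.encode()).hexdigest()[:16]


def find_replayed_sessions(events, window=900):
    """Return (user, ip_at_login, ip_at_reuse) for every session cookie that
    is used from a different IP than the one that authenticated it within
    `window` seconds of the login."""
    issued = {}   # fingerprint -> (user, login_ip, login_ts)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        fp = fingerprint(ev.session)
        if ev.action == "login_ok":
            issued[fp] = (ev.user, ev.ip, ev.ts)
            continue
        if fp not in issued:
            continue  # cookie never seen at login; out of scope here
        user, login_ip, login_ts = issued[fp]
        if ev.ip != login_ip and ev.ts - login_ts <= window:
            alerts.append((user, login_ip, ev.ip))
    return alerts


if __name__ == "__main__":
    for user, src, dst in find_replayed_sessions(SAMPLE_EVENTS):
        print(f"possible session replay: {user} logged in from {src}, cookie reused from {dst}")
```

A real deployment would key on the authentication service's own session identifier and add ASN or device checks, since mobile users change IPs legitimately.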