Phishing-as-a-Service Platform Gets an Upgrade

Robin Banks, a phishing-as-a-service (PaaS) platform popular in the cybercriminal underground, has resurfaced after previously having its backend and frontend rendered useless by Cloudflare. The platform has now found a new hosting partner based in Russia that boasts distributed-denial-of-service (DDoS) protection for customers. The hosting partner, DDOS-GUARD, has also been linked to hosting QAnon, 8Chan, and Hamas web assets.
Cloudflare’s operation to blacklist Robin Banks’ infrastructure was completed in July 2022. Up until that point, the criminal service had targeted the following banking institutions: Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Santander, Lloyds Bank, and the Commonwealth Bank.

Now, according to a new report by IronNet, those behind the PaaS appear to have taken new steps to keep their operation behind closed curtains and prevent researchers from uncovering the new upgrades.
Perhaps the most important new features are the added ability to bypass multi-factor authentication (MFA) and the use of a redirector to avoid detection.
Summarising why these upgrades were made, IronNet researchers noted, “In addition to migrating its infrastructure to DDOS-GUARD, Robin Banks also started enforcing increased security on the platform, most likely out of fear someone might hack their admin interface. This included implementing and requiring two-factor authentication (2FA) in order for kit customers to view phished information via the main GUI. However, if they did not want to implement 2FA, the customers could instead opt to have the phished information sent to a Telegram bot rather than access it through the Robin Banks GUI.” And, “There were also attempts by Robin Banks developers to make information about the platform and its customers’ activities harder to access. In order to privatize admin conversations surrounding the platform, Robin Banks administrators moved to create a ..
