The researchers categorized the scheme as phishing-as-a-service because it sells code, graphics and configuration files that buyers use to build imitation login pages for stealing victims’ credentials.
Analysts at the cybersecurity firm IronNet announced the discovery of the criminal service Robin Banks last week and published a list of mitigation strategies that companies can use to uncover and prevent their employees and customers from falling victim.
IronNet said in its blog post about the Robin Banks platform that the researchers had discovered the “large-scale” campaign, which targets victims via text messages and emails. The threat actors appeared to be motivated by profit and to target ordinary users rather than high-value or otherwise special users, according to IronNet.
“The primary motivation for scammers using this kit appears to be financial; however, the kit does also ask victims for their Google and Microsoft credentials after they travel to the phishing landing page, indicating it could also be used by more advanced threat actors looking to gain initial access to corporate networks for ransomware or other post-intrusion activities,” the IronNet blog post says.
Robin Banks has been active since at least August 2020, and its newest platform went into operation in March or April of 2022, according to IronNet.
People interested in purchasing access to Robin Banks could visit a now-disabled public website (as opposed to a dark-web site) to browse pricing and features of the phishing kit. Although that website is now down, new pages built with Robin Banks continue to pop up online.
For threat actors who purchased a plan, the user dashboard provides information about how many clicks they had gotten, functions for creating new phishing pages, and options to add funds to their wallets using bitcoin.
The group behind Robin Banks sells access to a single phishing page for $50 per month or access to all pages the platform offers for $200. Both prices include 24/7 support and future updates to the platform. Users who purchased a phishing kit can also customize their pages to block bot activity. IronNet said the group behind Robin Banks had accrued over $500,000.
IronNet analysts said the credentials stolen with the Robin Banks kit are accessible to both the threat actors who purchase access to the platform and the administrators of Robin Banks.
IronNet described in its blog post a specific case of a threat actor using the Robin Banks platform to steal Citibank and Microsoft credentials in a campaign the analysts said “proved very successful.” The numerous victims had their account information sold via the dark web and on various channels in Telegram, a messaging platform popular with criminal groups.
The researchers said the threat actor was attempting to expand their Robin Banks-supported campaign to target customers of other platforms. As part of the expansion, the threat actor also attempted to use services from Amazon Web Services, Microsoft, DigitalOcean, Oracle, Google and Cloudflare.
According to Roger Grimes, a data-driven defense evangelist at the security awareness training platform KnowBe4, companies tend to underestimate the potency of social engineering attacks such as phishing.
“Every organization should focus more on defeating social engineering and phishing and less on other types of attacks that are far less likely to happen,” Grimes said. “It is because nearly every business fails to adequately focus on social engineering as the number one attack vector, by far, that allows hackers and their malware creations to be so successful.”
IronNet’s recommendations for avoiding phishing attacks, including by Robin Banks and its affiliates, include teaching employees and customers never to click on links sent through SMS or email, encouraging customers and staff to use password managers to ensure the use of unique credentials across accounts, enabling multifactor authentication for all accounts where it is available, and requiring phishing training for employees and other partners.
Additionally, IronNet provided a URL search tool that allows banks and other institutions to find pages built with the Robin Banks kit that impersonate their websites. Recently discovered URLs mimicked the domains of Bank of America, Capital One, Truist, Navy Federal Credit Union and other financial institutions.