Robin Banks phishing service targets financial sector

Target Industry

Financial Services.

Overview

Severity level: High – Compromise will likely result in exposure to third-party malware including ransomware.

The aptly named Phishing-as-a-Service (PhaaS) platform called Robin Banks has resurfaced after a four-month absence and is once again providing their service to third-party threat actors. Robin Banks’s absence was due to their service provider, Cloudflare, denying the service once its malicious activities were uncovered. However, this absence is now over as Robin Banks has found a new Russian host, DDoS-Guard. This controversial Internet Service Provider (ISP) has made headlines in recent years due to some of its other customers, including, Kiwi Farms and the terrorist organisation Hamas.

The Robin Banks service has historically targeted the financial sector and is likely to continue this trend now that the service is back online. Past financial victims of their phishing spam were Lloyds Bank, Citibank, Bank of America and many more. The service operates by luring victims to malicious, phony sites.

The re-emergence of Robin Banks also introduces the service’s new feature. For a fee, Robin Banks also offers an additional cookie-stealing service that uses Evilginx2 to bypass multi-factor authentication (MFA) security measures. Evilginx2 is a man-in-the-middle attack framework that creates a fake Single Sign On (SSO) page for either Gmail, Outlook or Yahoo, that once filled out steals the user’s cookies and enables potential attackers to avoid MFA.

A licence for the phishing service can be obtained for as little as $50 per month, however, the additional Evilginx2 service is considerably more at $1,500 per month.

Impact

The phishing service allows malicious actors who may lack sophisticated infrastructure or tooling to target a victim’s network and deploy ransomware with relative ease. Successful compromise may lead to the encryption and theft of sensitive customer and business data.

Vulnerability Detection

A comprehensive Endpoint Detection and Response (EDR) solution such as Microsoft Defender can provide protection against phishing threats, creating alerts and flagging them as potentially malicious before adverse action and significant damage can take place.

Affected Products

All email services are affected.

The following email services are also affected by the cookie-stealing feature:

– Gmail
– Outlook
– Yahoo.

Containment, Mitigations & Remediations

It is recommended that employees receive training on how to spot signs of phishing emails. Regular in-house training will go a long way to reducing the effectiveness of future Robin Banks campaigns.

It is also recommended that customers use password managers to ensure that passwords meet a high and secure standard, but also ensure that all passwords are unique for each user account for different websites and services.

It is important to detect and halt these attacks early to minimise potential damage. This can be most effectively achieved by a network traffic monitoring tool and EDR solutions like Microsoft Defender.

Indicators of Compromise

Associated hashes:

10d25dd902a46d9c50908390227d971ca2b9ddb782b88c60daed051e2f16c942
7355bfb6ab0e8e45615f7086091b043472568a9ae61ecb8c8d8f699df0c29956
8ad780fea4e64463f292ed232cabc9032844334ae070a5090c60e6528f4a69e4
c8f1876becaadd5c65c91e23d3755b6ab2a84c4dd66f702da657f02b17931dec

Associated IPs:

– 185.61.137.142
– 5.206.227.166
– 185.38.142.28

Associated domains used in historical attacks:

– verify-fargo[.]info
– www.securebofa[.]online
– suncoastportal[.]online
– truistclientauth[.]com
– authchecks[.]com

Threat Landscape

The main targets for Robin Banks’s users have historically been those within the financial sector, and more specifically those that have holdings based in the western markets of the United Kingdom, United States, Australia and Canada. Based on these historic targets, and the not so subtle name of the service, the motivation behind these attacks is highly likely to be financial gain.

The service is particularly dangerous as it promotes low-skill criminal threat actors to become active in the exploitation of businesses for little financial risk.

Threat Group

Now that Robin Banks is using the Russian-based ISP, DDos-Guard, for hosting their product, it is highly unlikely that the service will be taken down again due to the history of unregulated and notorious services held by the ISP.

Mitre Methodologies

T1566 – Phishing
T1566.001 – Phishing: Spear Phishing Attachment
T1566.002 – Phishing: Spear Phishing Link
T1566.003 – Phishing: Spear Phishing via Service
T1539– Steal Web Session Cookie

Further Information

IronNet – Robin Banks report
Cyber Talk– Robin Banks targeting financial sector