Phishing-as-a-Service Platform Offers MFA Bypass for $1,500
Robin Banks Now Offers a New Cookie-Stealing Feature
Phishing-as-a-Service platform Robin Banks is offering a cookie-stealing feature that cybercriminals can purchase as an add-on to the phishing kit in order to bypass multi-factor authentication in attacks. The complete full-access phishing kit is now available at $1,500 per month, according to researchers from IronNet Cybersecurity.
Robin Banks is a popular cybercrime syndicate known for selling phishing kits and charging as little as $50 per month for a simple campaign. It sells ready-made phishing kits to cybercriminals aiming to gain access to the financial information of the customers of well-known banks and online services.
The PhaaS provider sells phishing kits to cybercriminals specializing in social engineering scams, offering a "quick and easy" way for threat actors of all skill levels to perform network intrusions, IronNet researchers say.
The crime syndicate was disrupted after IronNet's July report about the group. "Cloudflare disassociated Robin Banks phishing infrastructure from its services, causing a multi-day disruption to operations," IronNet researchers say.
Robin Banks administrators then relocated their infrastructure to a notorious Russian provider and updated features of the phishing kits to be more evasive.
Once Robin Banks was blacklisted by Cloudflare, its operators opted for DDoS-Guard, a well-known Russian provider that hosts various phishing sites and content for cybercriminals.
IronNet researchers say that the infrastructure of the Robin Banks phishing kit relies heavily on open-source code and off-the-shelf tooling, "serving as a prime example of the lowering barrier-to-entry to not only conducting phishing attacks but also to creating a PhaaS platform for others to use."
Since the transition to DDoS-Guard, researchers say they have observed Robin Banks enforcing increased security on the platform and implementing two-factor authentication for its customers to view phished information via the main GUI.
"However, if they did not want to implement 2FA, the customers could instead opt to have the phished information sent to a Telegram bot rather than access it through the Robin Banks GUI," researchers say.
The operators behind Robin Banks are now offering a new cookie-stealing feature that can be purchased by cybercriminals as an add-on to the phishing kit. This feature can also bypass multi-factor authentication in attacks.
Researchers say that the binary files revealed that the admin behind Robin Banks may have taken their "own methodology" from the well-known open-source toolkit known as evilginx2, a newer version of the original evilginx, which was released four years ago.
Evilginx2 offers an easy way to launch adversary-in-the-middle attacks for cybercriminals. It is a pre-built framework for phishing login credentials and authentication tokens, which allows the attacker to bypass 2FA (see: Microsoft Says Phishing Campaign Skirted MFA to Access Email).
This open-source tool creates a reverse proxy, and once a user is lured to a phishing site, the victim is presented with a phishing page with localized SSL certificates. The user is proxied internally and logs in to the destination (mostly Gmail, in this case), and ultimately the username, password, and login token are captured.
"The attacker can then view these stolen credentials through the Robin Banks GUI, their Telegram bot, or the evilginx2 server terminal. From there, the attacker can open their own browser, insert the stolen login token, enter the credentials to successfully bypass 2FA, and access the desired account," researchers say.
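The last step described above, a captured login token inserted into a different browser, shows up server-side as one session being used by two different clients. The following is an added example, not code from IronNet's report or from the Robin Banks kit, of that check in Python; the log format, field names and sample events are constructed assumptions.

```python
import json

# Constructed sample events (JSON lines); field names are assumptions.
SAMPLE_LOG = """
{"ts":"2022-11-07T09:00:01Z","event":"login_mfa_ok","session":"s-1001","user":"alice","ip":"198.51.100.23","ua":"Chrome/107 Windows"}
{"ts":"2022-11-07T09:00:09Z","event":"request","session":"s-1001","user":"alice","ip":"198.51.100.23","ua":"Chrome/107 Windows"}
{"ts":"2022-11-07T09:04:40Z","event":"request","session":"s-1001","user":"alice","ip":"203.0.113.77","ua":"Firefox/106 Linux"}
{"ts":"2022-11-07T09:10:00Z","event":"login_mfa_ok","session":"s-2002","user":"bob","ip":"192.0.2.10","ua":"Safari/16 macOS"}
{"ts":"2022-11-07T09:30:00Z","event":"request","session":"s-2002","user":"bob","ip":"192.0.2.44","ua":"Safari/16 macOS"}
{"ts":"2022-11-07T09:31:00Z","event":"request","session":"s-3003","user":"carol","ip":"203.0.113.5","ua":"Chrome/107 Windows"}
"""

def find_session_replay(log_text):
    """Return findings for sessions used by a client other than the one that logged in."""
    bound = {}      # session id -> (ip, ua) recorded when MFA completed
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        sid, client = ev["session"], (ev["ip"], ev["ua"])
        if ev["event"] == "login_mfa_ok":
            bound[sid] = client
            continue
        if sid not in bound:
            # Cookie presented with no login on record: nothing to compare, surface it.
            findings.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                             "severity": "review", "changed": ["no_login_seen"]})
            continue
        changed = [name for name, old, new in
                   zip(("ip", "ua"), bound[sid], client) if old != new]
        if changed:
            # IP alone can change on mobile or VPN; a new browser on the same cookie is stronger.
            sev = "high" if "ua" in changed else "low"
            findings.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                             "severity": sev, "changed": changed})
    return findings

if __name__ == "__main__":
    for finding in find_session_replay(SAMPLE_LOG):
        print(finding)
```

Because the login in this scenario is relayed by the reverse proxy, the address bound at login is the proxy's rather than the victim's; the check fires when the captured token is later presented from another client.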
Researchers observed three common phishlets in the distribution: Google, Yahoo and Outlook. These phishlets are the configuration files for proxying a legitimate website into a phishing site and are essentially the building blocks of evilginx2.
This offering comes at a price of $1,500 per month, which is a sharp increase from the $200 per month fee for Robin Banks' full-access phishing kit, researchers say.