Phishing-as-a-service (PhaaS) platform Robin Banks has moved its infrastructure to a "notorious Russian provider" that is rarely troubled by ethics or takedown requests, after being booted by US-based CDN provider Cloudflare in July 2022.
Cloudflare originally took action after a notification from cybersecurity threat research firm IronNet, published in the same month, but IronNet's new follow-up study confirms that this was not enough to put the service out of action.
Furthermore, IronNet reports that Robin Banks has added features such as a "cookie stealer" that captures a victim's authenticated session cookie, letting the operator reuse the session without facing the multi-factor authentication (MFA) check that was completed at login, an update that makes the service even more dangerous to potential victims.
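To make concrete why a stolen session cookie sidesteps MFA, here is an added example, constructed for this page and not code from IronNet, Cloudflare or the Robin Banks kit. It models a server that checks MFA once at login and then trusts the session cookie, shows an attacker replaying the cookie from different infrastructure, and contrasts it with a session store that binds the cookie to a client fingerprint. The cookie layout, the client attributes (source-address prefix and User-Agent), the `SERVER_SECRET` and the `client_fingerprint`/`SessionStore`/`simulate` names are all assumptions for illustration.

```python
"""Session-cookie replay vs. MFA: a constructed toy web session layer.

Added example; not code from IronNet, Cloudflare or the Robin Banks kit.
Everything below is an assumption for illustration: the cookie layout, the
client attributes the server sees, and the policy of binding a session to a
client fingerprint are all invented here.
"""
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = b"constructed-server-secret-do-not-reuse"  # assumption


def client_fingerprint(client: dict) -> str:
    """Coarse fingerprint of the client a request arrived from.

    Assumption: the server can see a source-address prefix and a User-Agent.
    Keyed with HMAC so the stored value does not leak the raw attributes.
    """
    data = f"{client['ip_prefix']}|{client['user_agent']}".encode()
    return hmac.new(SERVER_SECRET, data, hashlib.sha256).hexdigest()


class SessionStore:
    """Server-side session table. MFA is verified once, at login, and never again."""

    def __init__(self, bind_to_client: bool):
        self.bind_to_client = bind_to_client
        self.sessions = {}          # session id -> record
        self.alerts = []            # constructed audit trail for detection

    def login(self, user: str, password_ok: bool, mfa_ok: bool, client: dict):
        if not (password_ok and mfa_ok):
            return None
        sid = secrets.token_urlsafe(32)   # the value that ends up in the cookie
        self.sessions[sid] = {
            "user": user,
            "fp": client_fingerprint(client),
            "issued": time.time(),
        }
        return sid

    def authorize(self, sid: str, client: dict):
        """Return the user for a presented cookie, or None.

        Without binding, the cookie alone is proof of identity: whoever holds it
        is "already past MFA". With binding, a cookie presented from a client that
        does not match the one that completed MFA is treated as a replay.
        """
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        if self.bind_to_client and rec["fp"] != client_fingerprint(client):
            self.alerts.append(f"session replay suspected for {rec['user']}")
            del self.sessions[sid]      # force both parties back through MFA
            return None
        return rec["user"]


# Constructed clients: the victim and a phishing operator on different infrastructure.
VICTIM = {"ip_prefix": "203.0.113",
          "user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0"}
ATTACKER = {"ip_prefix": "198.51.100",
            "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/116.0"}


def simulate(bind_to_client: bool) -> dict:
    """Victim completes password + MFA, the kit relays the cookie, attacker replays it."""
    store = SessionStore(bind_to_client)
    sid = store.login("alice", password_ok=True, mfa_ok=True, client=VICTIM)
    stolen_cookie = sid                  # what a cookie stealer exfiltrates
    return {
        "victim": store.authorize(sid, VICTIM),
        "attacker": store.authorize(stolen_cookie, ATTACKER),
        "alerts": list(store.alerts),
    }


if __name__ == "__main__":
    print("unbound:", simulate(False))   # attacker is 'alice' with no MFA prompt
    print("bound:  ", simulate(True))    # attacker rejected, alert raised
```

In the unbound run the attacker is authorised as `alice` without ever seeing an MFA prompt, which is the whole point of a cookie stealer. Binding to an address prefix and User-Agent is only a partial fix: a relay kit can be proxied from a residential address near the victim, and mobile users legitimately change addresses. The durable mitigations are phishing-resistant MFA whose assertion is bound to the real origin (FIDO2/WebAuthn), short session lifetimes with re-authentication for sensitive actions, and alerting when an existing session id appears from a new network or client, as the `alerts` list sketches.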
Moving to Russia
According to IronNet's original reporting, Robin Banks provided threat actors with an easy and convenient way to attempt to steal sensitive data from businesses, banking customers, and others who hold sensitive data.
Among other things, the service may fool users by providing fake landing pages for legitimate services provided by Google and Microsoft.
After a three-day outage, Robin Banks' operators moved the platform's front-end and back-end infrastructure to DDOS-GUARD, a popular Russian hosting provider known for supporting threat actors and ignoring takedown requests.
The PhaaS platform has also since introduced two-factor authentication for its own customers, who view the harvested phishing data through a central graphical user interface (GUI).
To make matters worse, the new cookie-stealing capability is sold as a subscription add-on, giving the developers of the phishing kit a further revenue stream from their customers' attacks, with no easy way to stop them.
According to IronNet, Robin Banks' phishing kit relies heavily on open source code and off-the-shelf tools. Packaged as a service, these significantly lower the barrier to entry for anyone interested in running phishing attacks.
Phishing, a cyber crime in which attackers try to "fish" sensitive information out of victims through fake emails, landing pages and mobile applications, is one of the most popular methods of stealing credentials and other data targeted in identity theft cases.
Via: The Hacker News