Key points
- Robin Banks is a Phishing-as-a-Service (PhaaS) discovered in July 2022 that sells phishing kits and requires live operators to capture sessions.
- Operators primarily target banking institutions via SMS and email and have expanded to target cryptocurrency services like Coinbase.
- The kit uses AiTM proxy capabilities (evilginx2) to capture two-factor authentication (2FA) tokens and web session data.
- Infrastructure shifted from Cloudflare to DDoS Guard after exposure; phishing pages are protected with hCaptcha to block automated analysis.
- Known PHP phishing file names used as IOCs include dfsajsk.php, klssza.php, and klsnew.php, with domains hosted on Google Cloud, DigitalOcean, and Orange Romania IP space.
- Lookout identified recent domains and IPs (e.g., 109.122.221[.]156, 103.212.81[.]230, 139.59.108[.]187) and numerous bank- and crypto-themed phishing domains.
- Backend screenshots show a “Manage Session” panel with captured credentials and action buttons for 2FA capture and mailbox access, indicating hands-on exploitation.
MITRE Techniques
- [T1566] Phishing – Used to deliver credential harvesting pages via SMS and email targeting banking and crypto customers; quote: ‘The operators of Robin Banks mainly target banking institutions worldwide through SMS and email.’
- [T1539] Steal Web Session Cookie – AiTM proxy (evilginx2) captures active session tokens and 2FA to enable account takeover; quote: ‘ability to capture two-factor authentication (2FA) through evilginx2 Actor-in-the-Middle (AitM) capabilities.’
Indicators of Compromise
- [File names] Phishing PHP endpoints observed – dfsajsk.php, klssza.php (and klsnew.php)
- [IP addresses] Hosting and infrastructure examples – 109.122.221[.]156 (Orange Romania), 103.212.81[.]230 (Orange Romania); also 139.59.108[.]187 (DigitalOcean) and Google IP ranges (e.g., 34.106.52[.]239)
- [Domains] Example phishing domains used to target banks/crypto – auth.nfix[.]online, usr-mfa-coinbse[.]com, notify39se-chse[.]com (and many bank-themed domains listed in source)
Robin Banks operates as a PhaaS that supplies ready-made phishing pages and a backend panel for live operators. Technically, kits are deployed as PHP endpoints (historic dfsajsk.php, later klssza.php and klsnew.php) hosted across cloud providers (Google Cloud, DigitalOcean) and moved into Orange Romania IP space (e.g., 109.122.221[.]156, 103.212.81[.]230). Operators protect landing pages with hCaptcha (replacing reCAPTCHA) to block automated scanners and use proxying services (migrated from Cloudflare to DDoS Guard) to hide origin infrastructure.
The phishing pages implement an AiTM proxy (reported as evilginx2) that intercepts session data and credentials, including short-lived MFA/2FA codes, enabling hands-on account takeover when a live operator uses the backend. The exposed backend screenshots show a “Manage Session” interface with captured credential fields and controls for 2FA capture and Gmail access, confirming active session hijacking and manual exploitation workflows. Domains observed include numerous bank-themed and crypto-themed sites (examples: auth.nfix[.]online, usr-mfa-coinbse[.]com), and the kits keep identifiable PHP filenames that can be used as IOCs for detection and takedown.
Detection and response should focus on blocking known IPs and domains, monitoring for requests to the identified PHP endpoints, and flagging any hCaptcha-protected landing pages that mirror banking or crypto login flows. Given the AiTM capability, defenders should treat captured sessions as immediate compromises, prioritize rapid password resets and MFA re-enrollment for suspected victims, and use the listed IOCs and IPs to hunt for related infrastructure activity.
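An added example (not from the Lookout article or the Robin Banks kit) that applies the IOCs listed above to proxy-log lines: it refangs the `[.]`-defanged values, matches hostnames, destination IPs and the kit's PHP file names, and returns the client IPs whose sessions should be treated as compromised. The log format and the log lines themselves are constructed for this example.

```python
from urllib.parse import urlsplit

# Indicators exactly as the summary above lists them (defanged with "[.]").
PHP_FILES = {"dfsajsk.php", "klssza.php", "klsnew.php"}
IPS_DEFANGED = {"109.122.221[.]156", "103.212.81[.]230",
                "139.59.108[.]187", "34.106.52[.]239"}
DOMAINS_DEFANGED = {"auth.nfix[.]online", "usr-mfa-coinbse[.]com",
                    "notify39se-chse[.]com"}

def refang(indicator: str) -> str:
    """Turn a defanged IOC ('1.2.3[.]4', 'evil[.]com') back into a matchable value."""
    return indicator.replace("[.]", ".").lower()

IPS = {refang(i) for i in IPS_DEFANGED}
DOMAINS = {refang(d) for d in DOMAINS_DEFANGED}

def domain_matches(host: str) -> bool:
    """Exact or subdomain match: a.auth.nfix.online fires, bare nfix.online does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)

def check_line(line: str) -> list[str]:
    """Indicators firing on one constructed line: '<ts> <client_ip> <method> <url> <dst_ip>'."""
    _ts, _client, _method, url, dst_ip = line.split()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = []
    if domain_matches(host):
        hits.append("domain:" + host)
    ip_hit = dst_ip if dst_ip in IPS else host      # URL may name the IP directly
    if ip_hit in IPS:
        hits.append("ip:" + ip_hit)
    fname = parts.path.rsplit("/", 1)[-1].lower()   # kit endpoint, e.g. klssza.php
    if fname in PHP_FILES:
        hits.append("php:" + fname)
    return hits

def hunt(lines: list[str]) -> list[tuple[str, list[str]]]:
    """(client_ip, hits) per matching line: these clients get password reset + MFA re-enrollment."""
    return [(l.split()[1], h) for l in lines if (h := check_line(l))]

# Constructed sample log; 198.51.100.7 and 203.0.113.5 are documentation-range IPs, not IOCs.
SAMPLE_LOG = [
    "2022-07-12T09:14:02Z 10.0.0.21 GET https://auth.nfix.online/login 198.51.100.7",
    "2022-07-12T09:14:09Z 10.0.0.21 POST https://auth.nfix.online/klssza.php 198.51.100.7",
    "2022-07-12T09:15:44Z 10.0.0.33 GET https://bank.example/ 203.0.113.5",
    "2022-07-12T09:16:10Z 10.0.0.40 POST http://109.122.221.156/dfsajsk.php 109.122.221.156",
]
```

Running `hunt(SAMPLE_LOG)` flags clients 10.0.0.21 and 10.0.0.40 while the legitimate bank request passes; the same matching logic applies to any proxy or DNS log once its fields are split the same way.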
Read more: https://www.lookout.com/threat-intelligence/article/robin-banks-phishing