Robin Banks might be robbing your bank

Robin Banks is a phishing-as-a-service (PhaaS) platform that sells ready-made phishing kits aimed at the financial information of users in the U.S., U.K., Canada, and Australia. In June 2022 IronNet researchers observed a large-scale campaign using Robin Banks to steal Citibank and Microsoft account credentials via SMS and email; the Microsoft credentials in particular could give the operators a foothold in corporate networks.

Keypoints

  • Robin Banks is a PhaaS platform established for crafting and selling ready-made phishing kits to criminals targeting financial information.
  • A large-scale campaign in mid-June 2022 used Robin Banks to target victims via SMS and email, harvesting Citibank credentials and Microsoft account credentials.
  • After the victim reaches the landing page, the kit also prompts for Google and Microsoft credentials, suggesting the stolen accounts are intended for access to corporate networks and post-intrusion activity rather than bank fraud alone.
  • The platform provides a dashboard and customization options (brands, templates, anti-bot measures) and charges monthly fees (e.g., $50 per page, $200 for full access).
  • Operators have been observed expanding campaigns, spreading hosting across several providers (AWS, DigitalOcean, Oracle, Google, Cloudflare) and using dynamic DNS (DDNS) to change the addresses behind their domains, which blunts static IP and domain blocking.
  • Victims' data is sold on dark web channels and Telegram; the aggregate amount of money reachable through Robin Banks-harvested accounts is large and growing.
  • IronNet promotes defense with IronDefense analytics (Phishing HTTPS, Domain Analysis, Credential Phishing) and threat intelligence rules to detect and block Robin Banks activity.

MITRE Techniques

  • [T1566] Initial Access: Phishing – The platform is used to craft phishing pages and campaigns delivered as links over SMS and email to steal credentials, including Citibank and Microsoft accounts. (In ATT&CK's numbering, T1566.001 is Spearphishing Attachment and T1566.002 is Spearphishing Link, so a link-based lure like this one maps to the latter rather than to .001.) 'In mid-June, IronNet researchers discovered a new large-scale campaign utilizing the Robin Banks platform to target victims via SMS and email, with the goal of accessing credentials and financial information pertaining to Citibank, in addition to Microsoft account credentials.'
  • [T1071.001] Command and Control: Application Layer Protocol: Web Protocols – Victim data leaves the phishing page as HTTP POSTs to the Robin Banks API: 'The POST contains two unique tokens: one being the token used by the threat actor to interact with the API/management interface, and the second being the victim.' 'By analyzing the network traffic, it is clear that the number of POSTs is dependent on the number of unique pages requesting data from the victim. In other words, each time the victim reaches another page requesting information – like their credit card data, CCV, SSN, etc. – a separate POST is created.' For defenders this means one victim session produces a burst of several POSTs to the same kit infrastructure, and the POST count approximates how many data-entry pages the victim completed.
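The POST-per-page behaviour described above is something a detection can lean on: one client sending several POSTs to Robin Banks infrastructure in a short session is a much stronger signal than a single hit. The following is an added example, not code from IronNet or the Robin Banks kit: it parses a constructed proxy log, matches requests against the IP and domain IoCs listed on this page (including subdomains of those domains, which the page does not enumerate), and counts exfiltration POSTs per client. The log format, the hostnames such as login.robinbanks.in, the paths and all client addresses are invented for the demo.

```python
"""Added example (not from the IronNet post): spot Robin Banks credential
exfiltration in proxy logs using the IoCs the page lists.

The page reports that victim data leaves the phishing page as HTTP POSTs to
the Robin Banks API, one POST per data-collection page (credentials, card,
CVV, SSN ...). So a single client making several POSTs to the kit's
infrastructure in one session is a stronger signal than a single hit.

Assumptions (not in the source): the log format and every log line below are
constructed for this demo; the subdomains and paths are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# IoCs from the page, undefanged so they can be matched against logs.
ROBIN_BANKS_DOMAINS = {"robinbanks.in", "robinbanks.cc"}
ROBIN_BANKS_IPS = {"5.206.227.166", "185.61.137.142"}

# Constructed proxy log (not real traffic). Space-separated fields:
# timestamp client_ip method host dst_ip path status
SAMPLE_LOG = """\
2022-06-15T10:01:02Z 10.0.0.5 GET login.robinbanks.in 5.206.227.166 /citi/1 200
2022-06-15T10:01:30Z 10.0.0.5 POST login.robinbanks.in 5.206.227.166 /api/submit 200
2022-06-15T10:02:11Z 10.0.0.5 POST login.robinbanks.in 5.206.227.166 /api/submit 200
2022-06-15T10:02:40Z 10.0.0.5 POST login.robinbanks.in 5.206.227.166 /api/submit 200
2022-06-15T10:03:00Z 10.0.0.7 GET www.example.com 198.51.100.10 / 200
2022-06-15T10:03:05Z 10.0.0.7 POST www.example.com 198.51.100.10 /login 302
2022-06-15T10:03:30Z 10.0.0.7 GET notrobinbanks.in 198.51.100.11 / 200
2022-06-15T10:04:00Z 10.0.0.9 POST cdn.robinbanks.cc 185.61.137.142 /api/submit 200
"""


@dataclass(frozen=True)
class Request:
    timestamp: str
    client_ip: str
    method: str
    host: str
    dst_ip: str
    path: str
    status: int


def parse_log(text: str) -> List[Request]:
    """Parse the constructed log format above; skips blank or malformed lines."""
    requests = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue
        ts, client, method, host, dst_ip, path, status = fields
        requests.append(Request(ts, client, method.upper(), host.lower(),
                                dst_ip, path, int(status)))
    return requests


def is_robin_banks_infra(host: str, dst_ip: str) -> bool:
    """True if the request hit a listed IP, a listed domain, or a subdomain of one.

    Matching on '.' + domain avoids the classic mistake of a bare suffix
    check, which would also flag look-alikes such as notrobinbanks.in.
    """
    host = host.lower().rstrip(".")
    if dst_ip in ROBIN_BANKS_IPS:
        return True
    return any(host == d or host.endswith("." + d) for d in ROBIN_BANKS_DOMAINS)


def count_exfil_posts(requests: List[Request]) -> Dict[str, int]:
    """Number of POSTs each client sent to Robin Banks infrastructure.

    Per the page, each POST corresponds to one data-collection page the
    victim completed, so the count approximates how far they got.
    """
    counts: Dict[str, int] = defaultdict(int)
    for r in requests:
        if r.method == "POST" and is_robin_banks_infra(r.host, r.dst_ip):
            counts[r.client_ip] += 1
    return dict(counts)


def multi_step_harvest_alerts(requests: List[Request], min_posts: int = 2) -> List[str]:
    """Clients with at least `min_posts` exfil POSTs: likely submitted more than one form."""
    return sorted(c for c, n in count_exfil_posts(requests).items() if n >= min_posts)


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for client, n in sorted(count_exfil_posts(reqs).items()):
        print(f"{client}: {n} POST(s) to Robin Banks infrastructure")
    print("multi-step harvest alerts:", multi_step_harvest_alerts(reqs))
```

On the sample data 10.0.0.5 produces three POSTs (three data-entry pages completed) and is alerted, while 10.0.0.9 with a single POST stays below the default threshold and the look-alike notrobinbanks.in is not matched at all. Because the page notes the operators rotate hosting providers and use dynamic DNS, the IP set will age quickly; the domain match is the more durable of the two.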

Indicators of Compromise

  • [IP Address] Robin Banks infrastructure – 5.206.227[.]166, 185.61.137[.]142
  • [Domain] Phishing websites and infrastructure – robinbanks[.]in, robinbanks[.]cc

Read more: https://www.ironnet.com/blog/robin-banks-a-new-phishing-as-a-service-platform