Security researchers recently discovered a platform that sells access to and support for phishing software targeting US banks, including Chase, Bank of America and Wells Fargo.
The researchers categorized the operation as phishing-as-a-service because it sells the code, images, and configuration files that buyers need to build fake login pages and harvest victims' credentials.
Analysts at cybersecurity firm IronNet announced the discovery of the criminal service, called Robin Banks, and last week published a list of mitigation strategies companies can use to protect their employees and customers from becoming victims.
IronNet said in its blog post about the Robin Banks platform that the researchers had discovered a "large-scale" campaign targeting victims via text message and email. According to IronNet, the threat actors appear to be profit-driven and target ordinary users rather than high-value or otherwise notable individuals.
“The primary motivation for scammers using this kit appears to be financial; however, the kit also asks victims for their Google and Microsoft credentials after traveling to the phishing landing page, indicating that it can also be used by more sophisticated threat actors seeking to gain initial access to corporate networks for ransomware or other post-intrusion activities,” the IronNet blog post says.
Robin Banks has been active since at least August 2020, and the latest version of the platform was launched in March or April 2022, according to IronNet.
People interested in buying access to Robin Banks could visit a public clear-web site (rather than a dark-web site) to browse the phishing kit's prices and features. Although that site is now offline, new phishing pages built with Robin Banks keep appearing online.
For threat actors who have purchased a subscription, the user dashboard provides information on the number of clicks they have gotten, features for creating new phishing pages, and options to add funds to their wallets using bitcoin.
The group behind Robin Banks sells access to a single phishing page for $50 a month or access to all the pages the platform offers for $200. Both prices include 24/7 support and future updates to the platform. Users who have purchased a phishing kit can also modify their pages to block bot activity. IronNet said the group behind Robin Banks had accumulated more than $500,000.
IronNet analysts said the credentials stolen with the Robin Banks kit will be accessible to both the threat actors purchasing access to the platform and Robin Banks administrators.
IronNet, in its blog post, described a specific case of a threat actor who used the Robin Banks platform to steal Citibank and Microsoft credentials in a campaign that analysts say "proved very successful": numerous victims' account details were sold on the dark web and on various channels of Telegram, a messaging platform popular with criminal groups.
The researchers said the threat actor was trying to expand their Robin Banks-backed campaign to target customers from other platforms. As part of the expansion, the threat actor also attempted to use services from Amazon Web Services, Microsoft, DigitalOcean, Oracle, Google, and Cloudflare.
According to Roger Grimes, a data-driven defense evangelist at the security awareness training platform KnowBe4, companies tend to underestimate the potential of social engineering attacks such as phishing.
“Every organization should focus more on defeating social engineering and phishing and less on other types of attacks that are much less likely,” Grimes said. “It’s because almost every company doesn’t focus enough on social engineering as by far the most important attack vector that allows hackers and their malware creations to be so successful.”
IronNet's recommendations for avoiding phishing attacks, including those run with Robin Banks, include teaching employees and customers never to click links sent via text message or email; encouraging customers and staff to use password managers so that every account has unique credentials; enabling multi-factor authentication on every account that supports it; and requiring phishing-awareness training for employees and other partners.
In addition, IronNet has released a URL search tool that lets banks and other institutions find pages built with the Robin Banks kit that impersonate their websites. Recently discovered URLs mimicked the domains of Bank of America, Capital One, Truist, Navy Federal Credit Union, and other financial institutions.
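The kind of lookalike-URL triage such a tool performs can be illustrated with a small scanner. The following is an added example written for this page, not IronNet's tool or any code from the Robin Banks kit. It assumes a short table of legitimate domains and brand keywords for the institutions named above (an assumption made for illustration; a real deployment would use the institution's own domain inventory and the Public Suffix List), and flags a URL when the brand name appears in a hostname or path outside the legitimate domain, when digit-for-letter homoglyphs hide it, or when the registrable domain is one edit away from the brand name. The sample URLs at the bottom are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: the legitimate registrable domains of a few
# brands named in the article. Not a list from IronNet's tool.
LEGITIMATE_DOMAINS = {
    "bankofamerica.com": "Bank of America",
    "capitalone.com": "Capital One",
    "truist.com": "Truist",
    "navyfederal.org": "Navy Federal Credit Union",
}

# Brand keywords we expect a lookalike hostname or path to embed (assumed).
BRAND_KEYWORDS = {
    "Bank of America": ["bankofamerica", "bofa"],
    "Capital One": ["capitalone"],
    "Truist": ["truist"],
    "Navy Federal Credit Union": ["navyfederal", "navyfcu"],
}

# Digit/symbol-for-letter substitutions commonly used in typosquats.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})


def registrable_domain(host):
    """Crude eTLD+1: last two labels, or last three for second-level TLDs
    such as .co.uk. Production code should use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in {"co", "com", "org", "net"}
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(text):
    """Drop separators and undo homoglyphs so 'b4nk-0f-america' -> 'bankofamerica'."""
    return re.sub(r"[-_.]", "", text.lower()).translate(HOMOGLYPHS)


def edit_distance(a, b):
    """Levenshtein distance; catches one-character typosquats like 'bankofamerlca'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (brand, reason) when the URL looks like it impersonates a tracked
    brand; None when it is the brand's own domain or unrelated."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = parsed.hostname or ""
    reg = registrable_domain(host)
    if reg in LEGITIMATE_DOMAINS:
        return None  # genuine site, whatever the subdomain or path
    host_norm = normalise(host)
    path_norm = normalise(parsed.path)
    reg_label = normalise(reg.split(".")[0])
    for brand, keywords in BRAND_KEYWORDS.items():
        for kw in keywords:
            if kw in host_norm:
                return (brand, f"brand keyword '{kw}' in hostname {host}")
            if kw in path_norm:
                return (brand, f"brand keyword '{kw}' in path on {host}")
            # Only long keywords: short ones collide with ordinary words.
            if len(kw) >= 8 and edit_distance(kw, reg_label) == 1:
                return (brand, f"domain {reg} is one edit from '{kw}'")
    return None


def scan(urls):
    """Map each URL to its classification (None when not suspicious)."""
    return {u: classify_url(u) for u in urls}


# Constructed sample input for this example; none of these are real sightings.
SAMPLE_URLS = [
    "https://secure.bankofamerica.com/login",           # genuine
    "https://bankofamerica.com-verify.example.net/login",  # brand in hostname
    "http://capital0ne-secure.xyz/",                     # homoglyph '0' for 'o'
    "https://example.org/truist/login.html",             # brand in path
    "https://capitaione.com/",                           # one-edit typosquat
    "https://www.example.com/",                          # unrelated
]

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_URLS).items():
        print(f"{'FLAG' if verdict else 'ok  '} {url}"
              + (f"  [{verdict[0]}: {verdict[1]}]" if verdict else ""))
```

Keyword and edit-distance hits are triage signals, not proof: a path like `/altruist/` would match "truist", so flagged URLs still need a fetch-and-compare or manual review before takedown requests go out. Feeding the scanner with newly registered domains or certificate-transparency log entries is where it earns its keep.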