Email security, Vulnerability Management, Threat Management

Phishing-as-a-service platform ‘Robin Banks’ targets financial firms

Workers prepare a presentation of advanced email at the CeBIT 2012 technology trade fair.
The Robin Banks phishing-as-a-service platform has recently targeted financial institutions in the U.S., U.K., Canada and Australia, according to IronNet research. (Photo by Sean Gallup/Getty Images)

Financial institutions have recently been targeted by the so-called “Robin Banks” phishing-as-a-service attack platform (PhaaS), which has aimed its payload at text and emails.

IronNet researchers have recently discovered the cybercrime syndicate Robin Banks providing ready-made phishing kits primarily targeting U.S.-based financial companies, as well as numerous companies in the U.K., Canada, and Australia.

Bank of America, Wells Fargo, Capital One and Citigroup are among the U.S. banks that have been within the sights of this attack vector since March 2022, when threat actors became more proactive with Robin Banks.

The kits enable users to access a personal dashboard that not only allows wallet management and page creation but also permits the inclusion of reCAPTCHA and user agent string checking mechanisms, resulting in an interface that is more sophisticated but easier to use than the BulletProftLink and 16Shop phishing kits, according to IronNet.

“The primary motivation for scammers using this kit appears to be financial,” according to IronNet. "However, the kit does also ask victims for their Google and Microsoft credentials after they travel to the phishing landing page, indicating it could also be used by more advanced threat actors looking to gain initial access to corporate networks for ransomware or other post-intrusion activities.”

How does this work? Threat actors, dubbed initial access brokers (IABs), sell access into legitimate corporate networks through stolen credentials or other access tools. IronNet found that an increasing number of cybercrime rings are selling the so-called “phishing kits,” as well as network access for the purpose of phishing financial employees or customers, all with the support of these IABs.

“While this is a very mature product, it is not alone in its space. However, due to the low price versus some other PhaaS platforms, it is gaining popularity quickly,” said Erich Kron, security awareness advocate at KnowBe4. While not having carefully investigated, Kron said that this “does not appear to be nation-state backed, but rather created and run by a profit-seeking gang.”

“While [Robin Banks] does have a focus on the financial industry, they are not alone in having templates and services designed to target financial institutions,” Kron said, adding that he anticipates seeing more non-financial focused templates from the group in the near future. In addition to the financial institutions, Robin Banks appears to already have templates available for attacks against Google, Microsoft, Netflix, and even T-Mobile accounts, he added.

Phishing kits typically include sets of files that are “pre-packaged to contain all the code, graphics, and configuration files necessary to create a phishing page. This can include features like curated databases of targets or branded email templates, and they’re often designed to be easily deployable and reusable,” according to IronNet’s research.

Robin Banks is reportedly pricing its most basic service at $50 per month — with costs for a more expansive PhaaS offering ranging up to $300 per month — which included ongoing updates and round-the-clock support. Hence, Robin Banks and other PhaaS purveyors are making sophisticated phishing scams more accessible to a wider base of less-skilled, would-be fraudsters and identity thieves, particularly aimed at financial institutions.

At this point, it is “impossible to tell" how many people and accounts have been affected by Robin Banks, as many customers “may not even realize they have been hit yet until they check their accounts,” Kron said. Additionally, when individuals are hit by these sorts of attacks, there is rarely forensics done to determine the source of the phishing email or text message, so attribution is rare, Kron added.

Kron said that while Robin Banks is hardly unique in its offering, it is “quite sophisticated and appears to be well made.” The service includes dashboards for users, which report on the successes of campaigns through click rates and other metrics, along with reports of the timely updates and revisions of the phishing templates, proves that this is a top tier product. In other words, Robin Banks gives its users a professional and polished experience, equivalent to what they would expect from a business software service vendor.  

“Given its price point and features,” Kron said, “I expect to see this becoming very popular in the future.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.