Cloudflare cut off this phishing-as-a-service platform, so it moved to Russia

(Image credit: Vektor Illustration/Shutterstock)

Phishing-as-a-service (PhaaS) platform Robin Banks has relocated its infrastructure to a "notorious Russian provider" rarely swayed by ethics or takedown requests, after being booted from the US-based CDN provider Cloudflare in July 2022.

Cloudflare originally took action following a report from cybersecurity threat research company IronNet published in the same month, but new follow-up research confirms that this wasn't enough to put the service on ice.

Furthermore, IronNet claims that Robin Banks has seen feature updates, such as a "cookie stealer" that can be used to evade multi-factor authentication (MFA) checks that hope to make the service even more dangerous to potential victims.

Moving to Russia

According to IronNet's original reporting, IronNet provided threat actors with an easy and convenient way to try and steal sensitive data from businesses, bank customers and others keeping sensitive data. 

Among other techniques, the service could fooled users by offered fake landing pages for legitimate services offered by Google and Microsoft

Following a three-day long outage, Robin Banks' organizers relocated its front-end and back-end infrastructure to DDOS-GUARD, a popular Russian hosting provider that’s known for supporting threat actors and ignoring takedown requests. 

The PhaaS platform has also since introduced two-factor authentication to the service, allowing kit customers to view phished information via a central graphical user interface (GUI). 

Adding insult to injury, the new cookie stealer capability is locked behind a subscription add-on service, meaning that the phishing kit's developers stand to profit even more, with no simple way of stopping them in their tracks.

According to IronNet, the Robin Banks phishing kit relies heavily on open-source code and tools found off-the-shelf. Packaged as a service, they significantly lower the barrier to entry for anyone interested in engaging in phishing attacks.

Phishing, a cybercrime practice in which hackers look to “fish” sensitive information via fake emails, landing pages, and mobile applications, is one of the most popular methods for stealing login and other data targeted in cases of identity theft.

Via: The Hacker News

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.