Skip links

Robin Banks phishing service returns to steal banking accounts



The Robin Banks phishing-as-a-service (PhaaS) platform is back in action with infrastructure hosted by a Russian internet company that offers protection against distributed denial-of-service (DDoS) attacks.

Robin Banks faced operational disruption in July 2022, when researchers at IronNet exposed the platform as a highly threatening phishing service targeting Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Santander, Lloyds Bank, and the Commonwealth Bank.

Cloudflare immediately blacklisted the platform’s frontend and backend, abruptly stopping ongoing phishing campaigns from cybercriminals paying a subscription for using the PhaaS platform.

A new report from IronNet warns of the return of Robin Banks and highlights the measures its operators have taken to better hide and protect the platform from researchers.

Among the new features are bypassing multi-factor authentication (MFA) and a redirector that helps avoid detection.

Robin Banks reloaded

To get their service back online, Robin Bank’s operators turned to DDoS-Guard, a Russian internet services provider with a long history of controversial business exchanges, some of its customers being Hamas, Parler, HKLeaks, and, more recently, Kiwi Farms.

To prevent outsiders from accessing the phishing panel, Robin Banks has now added two-factor authentication for customer accounts.

Additionally, all discussions between core administrators are now done through a private Telegram channel.

New redirector

One of the new features that IronNet’s analysts discovered in Robin Banks is the use of ‘Adspect,’ a third-party cloaker, bot filter, and ad tracker.

PhaaS platforms use tools like Adspect to direct valid targets to phishing sites while redirecting scanners and unwanted traffic to benign websites, thus evading detection.

Adspect functional diagram (

IronNet comments that Adspect does not advertise itself as a phishing aid; however, its services are promoted on several dark web forums and on Telegram channels dedicated to phishing.

MFA bypassing

Robin Banks developers have also implemented the ‘Evilginx2’ reverse proxy for ‘adversary-in-the-middle’ (AiTM) attacks and steal cookies containing authentication tokens.

Evilginx2 is a reverse-proxy tool that establishes communication between the victim and the real service’s server, forwarding login requests and credentials and capturing the session cookie in transit.

This helps the phishing actors bypass the MFA mechanism because they can use the captured cookies to log into an account as if they were the owner.

Robin Banks sells this new MFA-bypassing feature separately, and advertises that it works with Google, Yahoo, and Outlook ‘phislets’.

Promoting the new cookie-stealing feature (IronNet)

The fact that Robin Banks persists by relying exclusively on readily available tools and services proves that PhaaS platforms can be built by anyone determined enough.

The wide availability of these platforms opens the door to less technical cybercriminals, allowing them to launch powerful phishing attacks and bypass MFA to steal valuable accounts.

Adblock test (Why?)