Robin Banks Phishing Kit Uses MFA Bypass to Target Financials and Crypto
- Robin Banks is a phishing-as-a-service (PhaaS) platform that targets financial institutions, including cryptocurrency exchanges
- This PhaaS can circumvent multi-factor authentication (MFA) by capturing user-entered tokens
- These campaigns show that MFA is no longer a panacea against phishing. Despite the short validity window of MFA tokens, recently publicized compromises such as 0ktapus indicate that MFA capture is a successful strategy
- Lookout phishing and content protection (PCP) customers are protected from the domains associated with Robin Banks.
What is Robin Banks Phishing as a Service?
Robin Banks is a phishing-as-a-service (PhaaS) platform that was discovered by IronNet in July 2022 and has been active as recently as September 2023. It sells phishing kits for deployment. Since the most recent reporting in November 2022, Robin Banks has largely gone unnoticed. Lookout has discovered renewed phishing activity and a pivot to targeting cryptocurrency services.
The operators of Robin Banks mainly target banking institutions worldwide through SMS and email. Initially, Robin Banks used Cloudflare as its proxying service but was removed from the platform after IronNet's exposure. They have since switched to DDoS-Guard as a proxy, as indicated in a second update from IronNet in November 2022.
One of the notable features of this phishing kit is its ability to capture two-factor authentication (2FA) codes through evilginx2-based Actor-in-the-Middle (AitM) capabilities, as reported by IronNet in its initial blog.
Previously reported indicators: July 2022-February 2023
At first glance, it is not apparent whether Robin Banks shut down after February 2023 or reappeared in another form. Since the retooling in August 2022, content domains (such as dumb1[.]su and dumb1[.]ru) are no longer loaded when users arrive on the page. Internet scanners have shown the sites as non-resolvable since October 2022. The infrastructure that IronNet discovered (domains with robinbanks, rb, or ironnet in the hostname) is also no longer active.
Since August 2022, all phishing pages have been protected by an hCaptcha challenge, as opposed to the reCaptcha originally used by Robin Banks. With no ties to the content domains and with anti-analysis Captchas in place, automated analysis can no longer obtain any information beyond the Captcha page.
One of the known IOCs used for tracking Robin Banks is the PHP file name dfsajsk[.]php. A historical search of phishing URLs with this file name returns a number of domains hosted on Google or DigitalOcean. Example IPs include 34.106.52[.]239 (Google), 143.198.100[.]29 (DigitalOcean), and 137.184.72[.]148 (DigitalOcean). The last active domain with dfsajsk[.]php was notify39se-chse[.]com, last active on 2023-02-03.
New indicators discovered by Lookout: Since November 2022
With the last appearance of dfsajsk[.]php pages, the trail for Robin Banks went cold. However, by tracking the Captcha pages, we were able to locate the two latest sets of Robin Banks PhaaS phishing pages and identify new PHP file names that can be used as IoCs. The first, klssza[.]php, started appearing on November 5th 2022, two days after IronNet's latest blog. Domains with the new version are also primarily hosted on Google Cloud and DigitalOcean. Around April 2023, the phishing domains associated with klssza[.]php shifted to hosting at Orange Romania, where we can track recent domains on IP 109.122.221[.]156. In mid-June 2023, some of their activity moved again to a new Orange Romania IP, 103.212.81[.]230. In September 2023, a new domain, auth.nfix[.]online, appeared on DigitalOcean IP 139.59.108[.]187.
The second set of newly discovered Robin Banks phishing pages can be found using the URL path klsnew[.]php. A new set of domains also appeared starting April 2023, hosted at Orange Romania on IP 109.122.221[.]135. Phishing domains on this IP address branched out to target cryptocurrency services such as Coinbase in addition to banking institutions.
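As an added example (not code from the Lookout report), here is a small Python hunting script that refangs the indicators above and sweeps constructed proxy-log lines for requests whose URL path ends in one of the Robin Banks PHP file names or whose destination is one of the reported hosting IPs. The log format and the .test hostnames are assumptions; the IPs and file names are the ones reported here.

```python
import re
from urllib.parse import urlparse

# Defanged indicators from the write-up: the PHP file names used as IoCs
# and the hosting IPs reported for the klssza[.]php / klsnew[.]php domains.
RB_PHP_NAMES = {"dfsajsk[.]php", "klssza[.]php", "klsnew[.]php"}
RB_IPS = {"109.122.221[.]156", "103.212.81[.]230", "139.59.108[.]187",
          "109.122.221[.]135"}

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable value."""
    return ioc.replace("[.]", ".")

PHP_NAMES = {refang(n) for n in RB_PHP_NAMES}
IPS = {refang(i) for i in RB_IPS}

def classify(url: str, dest_ip: str) -> list:
    """Return why a request matches Robin Banks indicators (empty list = no match)."""
    reasons = []
    leaf = urlparse(url).path.rsplit("/", 1)[-1].lower()  # last path segment, no query
    if leaf in PHP_NAMES:
        reasons.append("path:" + leaf)
    if dest_ip in IPS:
        reasons.append("ip:" + dest_ip)
    return reasons

# Constructed sample proxy log (assumed format): "<ts> <client> <dest_ip> <method> <url>".
# Hostnames are made up; the destination IPs are the ones reported in the write-up.
SAMPLE_LOG = """\
2023-06-20T10:01:02Z 10.0.0.5 109.122.221.156 GET https://bank-login.test/klssza.php?step=2
2023-06-20T10:01:05Z 10.0.0.5 93.184.216.34 GET https://www.example.com/index.html
2023-06-20T10:02:11Z 10.0.0.9 203.0.113.7 POST https://coinbase-profile0.test/KLSNEW.php
2023-06-20T10:03:40Z 10.0.0.9 139.59.108.187 GET https://auth.nfix.test/
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def hunt(log_text: str) -> list:
    """Sweep log lines; return (timestamp, client, reasons) for every matching request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines rather than abort the sweep
        ts, client, dest_ip, _method, url = m.groups()
        reasons = classify(url, dest_ip)
        if reasons:
            hits.append((ts, client, reasons))
    return hits
```

Running `hunt(SAMPLE_LOG)` flags three of the four constructed lines; the path check is case-insensitive and ignores the query string, so `KLSNEW.php` and `klssza.php?step=2` both match.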
Notable capabilities
Robin Banks has a number of capabilities that are common to newer phishing kits:
- Use of hCaptcha (previously reCaptcha) to thwart automated analysis and bots
- An AitM proxy with the ability to capture user-entered MFA tokens
Technical analysis
During our investigation, we were able to connect to an unprotected Robin Banks phishing site that appeared to be defunct, having last been active in February 2023. While the phishing page itself was not accessible, we were able to access the live panel.
Clicking on an entry reveals a "Manage Session" page with the captured credential information as well as action buttons for 2FA capture and Gmail access. For 2FA-protected accounts, there is only a short window for threat actors to use the captured credentials and authenticate. After that, the 2FA code becomes invalid and a new one is required. This sessions page enables active, hands-on phishing. After a brief engagement we were disconnected from the site and were unable to regain access.
Conclusion
Even though activity was seen as recently as September of this year, it appears the developer behind Robin Banks went underground in November 2022 to change their infrastructure and tactics and avoid being found again. Phishing activity is nonetheless ongoing, and the screenshots we captured of the session pages show that the kit requires live operators to capture victims' active login sessions, which indicates that the kit is still being acquired in a service model.
With MFA bypass becoming a more critical piece of the attack chain for threat actors targeting both individuals and organizations, we will continue to track Robin Banks to see how its infrastructure, use, and tactics continue to evolve.
Indicators of Compromise
Known Robin Banks PhaaS domains were tracked under the latest PHP file names, klsnew[.]php and klssza[.]php. Some of the known IP addresses hosting the domains are:
34.168.100[.]202 (Google)
34.168.242[.]7 (Google)
34.172.242[.]32 (Google)
81.28.6[.]5 (Kamatera Inc)
109.122.221[.]135 (Orange Romania)
109.122.221[.]156 (Orange Romania)
103.212.81[.]230 (Orange Romania)
167.71.203[.]211 (DigitalOcean)
139.59.108[.]187 (DigitalOcean)