November 20, 2023

Robin Banks Phishing Kit Uses MFA Bypass to Target Financials and Crypto

  • Robin Banks is a phishing-as-a-service (PhaaS) platform that targets financial institutions, including cryptocurrency exchanges
  • The kit can circumvent multi-factor authentication (MFA) by capturing user-entered one-time codes and relaying them while they are still valid
  • These campaigns show that MFA alone is no longer a panacea against phishing. Despite the short validity of MFA tokens, recently publicized compromises such as 0ktapus show that capturing them is a successful strategy
  • Lookout Phishing and Content Protection (PCP) customers are protected from the domains associated with Robin Banks.

What is Robin Banks Phishing as a Service

Robin Banks is a phishing-as-a-service (PhaaS) platform, first reported by IronNet in July 2022, that sells phishing kits for deployment; Lookout has observed it active as recently as September 2023. Since the last public reporting in November 2022, Robin Banks has gone largely unnoticed. Lookout has discovered renewed phishing activity and a pivot to targeting cryptocurrency services.

The operators of Robin Banks mainly target banking institutions worldwide through SMS and email. Robin Banks initially used Cloudflare as a reverse proxy in front of its pages but was removed from that service after IronNet's exposure. The operators have since switched to DDoS-Guard, as noted in IronNet's second update in November 2022.

One of the notable features of this phishing kit is its ability to capture two-factor authentication (2FA) codes through the adversary-in-the-middle (AitM) proxying capabilities of evilginx2, as reported in IronNet's initial blog.

Previously reported indicators: July 2022-February 2023

At first glance, it is not apparent whether Robin Banks shut down after February 2023 or reappeared in another form. Since the retooling in August 2022, content domains (such as dumb1[.]su and dumb1[.]ru) are no longer loaded when a user arrives on the page, and internet scanners have shown those domains as non-resolvable since October 2022. The infrastructure IronNet discovered (domains with robinbanks, rb or ironnet in the hostname) is also no longer active.

Since August 2022 all phishing pages have been protected by an hCaptcha challenge [Image 1], as opposed to the reCAPTCHA Robin Banks originally used. With no ties to the content domains and with the anti-analysis captcha in front, automated analysis can no longer obtain anything beyond the captcha page.

hCaptcha page protecting the phishing content from scanners.

One of the known IOCs used for tracking Robin Banks is the PHP file name dfsajsk[.]php. A historical search of phishing URLs with this file name returns a number of domains hosted on Google Cloud or DigitalOcean. Example IPs include 34.106.52[.]239 (Google), 143.198.100[.]29 (DigitalOcean), and 137.184.72[.]148 (DigitalOcean). The last active domain using dfsajsk[.]php was notify39se-chse[.]com, last seen active on 2023-02-03.

New indicators discovered by Lookout: Since November 2022

With the last appearance of the dfsajsk[.]php pages, the trail for Robin Banks went cold. However, by tracking the captcha pages, we were able to locate the two latest Robin Banks phishing page variants and identify new PHP file names that can be used as IoCs. The first, klssza[.]php, started appearing on November 5, 2022, two days after IronNet's latest blog. Domains serving the new version are also primarily hosted on Google Cloud and DigitalOcean. Around April 2023, the phishing domains associated with klssza[.]php shifted to hosting at Orange Romania, where recent domains can be tracked on IP 109.122.221[.]156. In mid-June 2023, some of the activity moved again to a new Orange Romania IP, 103.212.81[.]230. In September 2023, a new domain, auth[.]nfix[.]online, appeared on DigitalOcean IP 139.59.108[.]187.

The second set of newly discovered Robin Banks phishing pages can be found using the URL path klsnew[.]php. A new set of domains appeared starting in April 2023 as well, hosted at Orange Romania on IP 109.122.221[.]135. Phishing domains on this IP address branched out to target cryptocurrency services such as Coinbase in addition to banking institutions.
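The PHP file names (dfsajsk[.]php, klssza[.]php, klsnew[.]php) and the hosting IPs above are the indicators this report uses to track the kit. The following is an added example, written for this page rather than code from Lookout or from the kit, showing how to apply those indicators to a web-proxy log: it matches the last path segment of each requested URL against the known PHP names, the destination IP against the report's IP list, and the hostname against a caller-supplied list of defanged domains. The log line format and the sample lines are constructed; only the indicator values come from the report.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators from this report: PHP file names used by the Robin Banks landing pages
# (dfsajsk.php in the 2022 kit, klssza.php and klsnew.php in the post-November-2022 kits).
ROBIN_BANKS_PHP_NAMES = {"dfsajsk.php", "klssza.php", "klsnew.php"}

# Hosting IPs named in the report, refanged for matching.
ROBIN_BANKS_IPS = {
    "34.106.52.239", "143.198.100.29", "137.184.72.148",    # 2022 Google / DigitalOcean hosts
    "34.168.100.202", "34.168.242.7", "34.172.242.32",      # Google
    "81.28.6.5",                                            # Kamatera
    "109.122.221.135", "109.122.221.156", "103.212.81.230", # Orange Romania
    "167.71.203.211", "139.59.108.187",                     # DigitalOcean
}


def refang(indicator: str) -> str:
    """Convert the report's defanged form (auth[.]nfix[.]online) into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


def php_indicator(url: str) -> Optional[str]:
    """Return the Robin Banks PHP file name if the URL's last path segment is one, else None."""
    last = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    return last if last in ROBIN_BANKS_PHP_NAMES else None


# Assumed generic proxy format (constructed): timestamp, client IP, destination IP,
# quoted request line, HTTP status.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})$'
)


def scan_proxy_log(lines, known_domains=()):
    """Return [(timestamp, client, url, reasons)] for every request that hits an indicator."""
    domains = {refang(d) for d in known_domains}
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        url = m["url"]
        host = (urlsplit(url).hostname or "").lower()
        reasons = []
        php = php_indicator(url)
        if php:
            reasons.append(f"path:{php}")
        if host in domains:
            reasons.append(f"domain:{host}")
        if m["dst"] in ROBIN_BANKS_IPS:
            reasons.append(f"ip:{m['dst']}")
        if reasons:
            hits.append((m["ts"], m["client"], url, tuple(reasons)))
    return hits


# Constructed sample log (not real traffic): two benign requests, three indicator hits,
# and a near-miss whose last path segment is not an exact indicator.
SAMPLE_LOG = [
    '2023-09-12T08:01:02Z 10.0.0.5 142.250.72.14 "GET https://www.google.com/ HTTP/1.1" 200',
    '2023-09-12T08:01:09Z 10.0.0.5 139.59.108.187 "GET https://auth.nfix.online/klssza.php HTTP/1.1" 200',
    '2023-09-12T08:03:44Z 10.0.0.7 109.122.221.135 "POST https://coinbase-profile0.com/klsnew.php HTTP/1.1" 302',
    '2023-09-12T08:05:10Z 10.0.0.9 203.0.113.10 "GET https://203.0.113.10/login/dfsajsk.php HTTP/1.1" 200',
    '2023-09-12T08:06:00Z 10.0.0.9 198.51.100.4 "GET https://intranet.example/klssza.php.bak HTTP/1.1" 404',
]

# Two domains from the report's lists, in the report's defanged notation.
SAMPLE_DOMAINS = ["auth[.]nfix[.]online", "coinbase-profile0[.]com"]

if __name__ == "__main__":
    for ts, client, url, reasons in scan_proxy_log(SAMPLE_LOG, SAMPLE_DOMAINS):
        print(ts, client, url, ", ".join(reasons))
```

Matching on the last path segment rather than a substring avoids false positives such as the `.bak` line, and recording every reason a request matched makes it easy to see which hits rest only on a hosting IP (shared cloud ranges churn quickly) versus the more durable PHP file names.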

Notable capabilities

Robin Banks has a number of capabilities that are common to newer phishing kits:

  • Use of hCaptcha (previously reCAPTCHA) to thwart automated analysis and bots
  • An AitM proxy that captures user-entered MFA tokens so an operator can relay them while they are still valid

Technical analysis

During our investigation, we were able to connect to an unprotected Robin Banks phishing site that appeared to be defunct, last active in February 2023. While the phishing page itself was not accessible, we were able to reach the live operator panel.

Redacted screenshot of the live panel from the backend of the Robin Banks phishing kit.

Clicking on an entry reveals a "Manage Session" page with the captured credentials as well as action buttons for 2FA capture and Gmail access. For 2FA-protected accounts, the threat actor has only a short window in which to use the captured credentials and code to authenticate; after that the 2FA code becomes invalid and a new one is required. The sessions page is therefore built for active, hands-on phishing: an operator relays the code while it is still valid. After a brief engagement we were disconnected from the site and were unable to regain access.
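The "Manage Session" page exists because of the timing constraint described above: a time-based one-time code (TOTP, RFC 6238) is only accepted for its 30-second time step plus whatever clock-skew tolerance the real site allows, so an operator relaying a captured code has to act within that window. The following added example, written for this page and not code from the kit or from Lookout, implements RFC 6238 with Python's standard library, applies a server-side check with a configurable skew tolerance, and computes how long a code captured at a given second remains usable. The secret is the RFC 6238 Appendix B test secret; the capture and relay timestamps are constructed.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30   # RFC 6238 default time step, in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // TIME_STEP)


def verify_totp(secret: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check that tolerates +/- skew_steps time steps, as many sites do."""
    current = unix_time // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, current + delta), code)
        for delta in range(-skew_steps, skew_steps + 1)
    )


def captured_code_accepted(secret: bytes, captured_at: int, replayed_at: int,
                           skew_steps: int = 1) -> bool:
    """Would a code the victim typed at captured_at still pass if relayed at replayed_at?"""
    return verify_totp(secret, totp(secret, captured_at), replayed_at, skew_steps)


def last_accepted_second(captured_at: int, skew_steps: int = 1) -> int:
    """Last unix second at which a code generated at captured_at is still accepted."""
    step = captured_at // TIME_STEP
    return (step + skew_steps + 1) * TIME_STEP - 1


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); the scenario below is constructed.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    captured = 59                       # victim submits the code in the last second of step 1
    print("captured code:", totp(TEST_SECRET, captured))   # RFC vector 94287082 -> 287082
    for delay in (0, 30, 31, 60):
        ok = captured_code_accepted(TEST_SECRET, captured, captured + delay)
        print(f"relay after {delay:>2}s: {'accepted' if ok else 'rejected'}")
    print("usable until second", last_accepted_second(captured), "with +/-1 step tolerance,",
          "until second", last_accepted_second(captured, 0), "with none")
```

Nothing in this check ties the code to the site the victim typed it into, which is exactly the gap an AitM proxy exploits: the real site cannot distinguish a code relayed by the operator from one entered directly. Origin-bound authenticators (FIDO2/WebAuthn) close that gap by signing over the origin the browser actually visited, which is why they are not defeated by a relay of this kind.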

Screenshot of the "Manage Session" page of the Robin Banks backend.

Conclusion

Even though activity was seen as recently as September of this year, it appears the developer behind Robin Banks went underground in November 2022 to change infrastructure and tactics and avoid being found again. Phishing activity is nonetheless ongoing, and the session pages we captured show that the kit requires live operators to exploit victims' active login sessions, which indicates that the kit is still being sold in a service model.

With MFA bypass becoming a more critical piece of the attack chain for threat actors targeting both individuals and organizations, we will continue to track Robin Banks to see how its infrastructure, use, and tactics continue to evolve.

Indicators of Compromise

Known Robin Banks PhaaS domains, grouped by the latest PHP file names, are listed at the end of this document. Some of the known IP addresses hosting these domains are:

34.168.100[.]202 (Google)

34.168.242[.]7 (Google)

34.172.242[.]32 (Google)

81.28.6[.]5 (Kamatera Inc)

109.122.221[.]135 (Orange Romania)

109.122.221[.]156 (Orange Romania)

103.212.81[.]230 (Orange Romania)

167.71.203[.]211 (DigitalOcean)

139.59.108[.]187 (DigitalOcean)

klsnew[.]php domain list

servicecu-verif01a[.]com

usr-mfa-coinbse[.]com

recrovrcoinbase-help[.]com

coinbase-profile00[.]com

coinbase-profile0[.]com

servicecreditunion02a[.]com

coinbase-usrrecovrg[.]com

bfcu01a[.]com

servicecu03a[.]com

klssza[.]php domain list

02auth-bankofamerica[.]com

03auth-bankofamerica[.]com

03secureboalogin1[.]com

05securedboalogin1a[.]com

1auth09re-enable-americafirst[.]my03[.]com

1bofasecured[.]us

3login-info[.]serveusers[.]com

53-2fa[.]us

53-signin[.]com

7a-bankofamerica[.]com

access-3312t7zr94145[.]online-case-1b[.]org

access-6865xia0s8665[.]verifyhub-19c[.]cc

account-53rd[.]com

afcu-onlinebanking01[.]com

afcu-onlinebanking02[.]com

afcu[.]25u[.]com

aidme-citizensbnk23[.]com

aidme-santanderbnk[.]com

alert-authrbfcu[.]com

alrt-tr3ist[.]info

americafirst-onlinebanking08c[.]com

americafirst[.]secure02ea-authlogon[.]com

americafirst[.]secure03ea-authlogon[.]com

americafirst[.]secure04ea-authlogon[.]com

americafirstrouting[.]misecure[.]com

amerlca-fcu[.]com

amzon-service05a[.]com

approvedsms[.]online

auth[.]02bofa[.]com

auth[.]bof05[.]com

auth[.]nfix[.]online

auth03nfcu[.]org

auth06-web2access-americafirst[.]my03[.]com

auth07cit[.]com

authb02f[.]com

authmobilejp[.]ddns[.]net

authsantander1portal[.]com

authsectd08f[.]info

authyjpmobile01[.]ddns[.]net

autorization[.]santanderr[.]co[.]76t[.]online

autorization[.]tdbank[.]co[.]1t3[.]homes

banking[.]santader[.]us[.]76t[.]online

banking[.]santandr[.]co[.]1t7[.]online

bankofamerica-activity[.]com

bankofamerica-mobile02[.]com

bk[.]aidme-citizensbnk23[.]com

bnacr[.]online

bnk-en[.]aidme-citizensbnk23[.]com

boaverifyuser88[.]com

bofa-administrator01[.]com

bofa4cardlogin8m[.]ddns[.]net

cap88tlluser[.]com

capitalone-onlinebanking01c[.]com

capitalone-onlinebanking08a[.]com

capitalone-verify[.]com[.]8nf[.]site

cfo4huqkbfgh84tqgeg0[.]aidme-santanderbnk[.]com

cfo8atikbfgh84ttl6l0[.]aidme-santanderbnk[.]com

changes-alerts[.]live

chase-07secure[.]com

chase03a-security[.]com

cirvipe43[.]dns[.]army

cit-health[.]online

citi03auth[.]com

citiupdate[.]online

citizens-authorized[.]ddns[.]net

citizensbanksecure01[.]com

client-authrgs[.]com

client-navyfederal[.]ddns[.]net

client-rbfcu[.]org

confrimation[.]santanderr[.]co[.]76t[.]online

confrimation[.]santanderr[.]us[.]76t[.]online

cufcrb[.]online

dcuaccount-auth[.]ddns[.]net

dcuonline-auth[.]ddns[.]net

dcuonline-verify[.]ddns[.]net

desa2[.]cf

desconc[.]cf

eqfnjefjqjfjn19[.]misecure[.]com

fillchase-enquiry[.]lat

golden1-fcuonline01a[.]com

golden1-reports01a[.]com

help-client-prompt[.]online

helpservicesasb[.]com

helpservicesiccu[.]com

hsbc-uk-live01a[.]com

huntington-online01a[.]com

improvedaccount8214211[.]vantechddns[.]com

iog[.]authb02f[.]com

jimmyicon[.]com

jp-signin-morgan[.]com

jponetimeauth01[.]ddns[.]net

ldentifyme-rbfcu[.]com

ldentlfyme-rbfcu[.]com

login-thebankofamerica[.]com

macusupport[.]com

mobiledcuauth01[.]ddns[.]net

mobilejpsecure[.]ddns[.]net

mobileusbnkauth01[.]ddns[.]net

mtbank-us[.]info

my[.]capitalone[.]comm[.]sncu[.]us

my[.]td-bank[.]comm[.]5yt[.]lol

my[.]td-bank[.]comm[.]h9s[.]online

myusaaclient[.]ml

navyfederal-auth[.]ddns[.]net

navyfederal-protect[.]ddns[.]net

navyfederal-safe[.]ddns[.]net

netfixsecurity02a[.]com

netflix-renewsub[.]com

netflix[.]ca[.]nl0[.]site

nfix[.]online

online-santander01a[.]com

online-santander02a[.]com

online-verlfy[.]info

onlinebanking[.]secbof[.]com

onlinebanking01v-americafirst[.]com

ourverified-helper[.]online

partalvsantanderauth2[.]com

phoneverification-afcu[.]dns-dns[.]com

portalv1santanderauth[.]com

portalv3santanderonline[.]com

rbbfcu-portal[.]com

rbfcu-signverify[.]com

rbfcuverify[.]in

rbfcuverify[.]info

rbfcuverifyteam[.]info

re-gions08a[.]com

review[.]02-amazon[.]com

reviewauth-nrbfcu[.]com

rolbsantanderportalv31[.]ns01[.]us

rsnetflix[.]com

s9845[.]secure-29s[.]is

safe02[.]info

safeams[.]chbas[.]info

santander-auth0a[.]ddns[.]net

santandercare02a[.]com

sec-bofauser02[.]com

sec03hsbc[.]com

sec05verify-americafirst[.]my03[.]com

sec07-authoa[.]com

sec09auth-2re-enable-america1st[.]my03[.]com

sec0userid[.]com

sec75-citiauth[.]com

secure-06site[.]tk

secure-53[.]com

secure-authoo1[.]com

secure[.]02bofa[.]com

secure[.]04bofa[.]com

secure[.]account[.]nt-ku[.]online

secure[.]chase[.]us[.]1w11[.]lol

secure[.]chase[.]us[.]5t7[.]online

secure[.]dcu[.]org[.]7yt7[.]online

secure[.]dcu[.]us[.]t7yt[.]online

secure[.]santandder[.]co[.]tw24[.]lol

secure[.]santanderss[.]co[.]6ty[.]lol

secure[.]santanderss[.]co[.]try4[.]homes

secure[.]santandrer[.]us[.]76t[.]online

secure[.]santandrer[.]us[.]7y6[.]online

secure[.]td[.]co[.]t57[.]lol

secure[.]td[.]us[.]4t3[.]homes

secure[.]userbof[.]com

secure[.]verf[.]hb-sc[.]info

secure[.]verify[.]uk[.]h-bs-c[.]info

secure01a-chase-onlines1[.]com

secure01a-chase-onlines2[.]com

secure02ea-chase-security[.]com

secure03-1captialverify[.]com

secure03-user[.]tk

secure03hsbc[.]com

secure04ea-chase[.]com

secure05hsbc[.]com

secure05loginbofa[.]com

secure0675-online-verlfication[.]info

secure08-wells[.]online

secure09-americafirst[.]my03[.]com

secure101ea-chase[.]com

secure11-verifauth03[.]com

secure125ea-chase[.]com

secure153ea-chase[.]com

secure4-1capitaloneauth[.]com

secure4-5chaseauth8[.]com

secure41-verifauth6[.]com

secure5-9verifauth[.]com

secure7-3verifychase[.]com

secure73chase-auth[.]com

secure83ea-chase[.]com

secure84ea-chase[.]com

securebofa[.]x24hr[.]com

securecitiupdate0[.]ddns[.]net

secured016[.]servehttp[.]com

secured01bofa[.]us

securednavyfcu011[.]ddns[.]net

securedpnc011[.]ddns[.]net

securedportal-confirmationlink[.]com

secureduserror01[.]redirectme[.]net

securee[.]santanderr[.]t-d-bk[.]live

securejpmobile01[.]ddns[.]net

securelink-bamkofamerica[.]com

securemobilejp[.]hopto[.]org

securenavy011[.]myftp[.]org

secureverify5[.]com

securewells[.]in

securex5web[.]com

securitybofa-help[.]com

securitybofa03e[.]com

serv03-user[.]serveusers[.]com

server-rbfcuauth[.]com

signwebin[.]com

sms-phoneverification[.]dns-dns[.]com

smsapproval[.]online

smsrecovery[.]online

sslv5prosantanderlvl1[.]publicvm[.]com

static-usaa01[.]com

support[.]1afcusms[.]site

support[.]bellco[.]0rg[.]1t4[.]online

support[.]chase[.]us[.]5t7[.]online

support[.]santandrer[.]us[.]5tr[.]online

supportchas-e3n[.]com

supportl0ginc5[.]com

supportsmsboa[.]site

t-d-online01a[.]com

t-d-online02a[.]com

t-donline07a[.]com

td-alerts[.]ddns[.]net

td-onlinebank1[.]com

td-onlinebanking03s[.]com

td-security01a[.]com

td-support01a[.]com

td[.]secure03ea-authlogon[.]com

td73banksec[.]serveftp[.]com

tdbank-login[.]secure02ea-authlogon[.]com

tdbank-online01[.]com

tdbanksupport01a[.]com

tdrauth6[.]info

test[.]authb02f[.]com

truist-help[.]me

uk[.]payments[.]netflix[.]reb-hmcr[.]site

unlock-bofa[.]com

update-info-afcu[.]com

update[.]02-amazon[.]com

usaaarmysecurityaesecurity[.]com

usaahelp[.]online

usaauthymobile[.]ddns[.]net

user03-login[.]serveftp[.]com

userassistance[.]site

userbof[.]com

userhelp[.]site

verifcapitalone01a[.]com

verification[.]netflix[.]hmrt[.]site

verification[.]netflix[.]uknet[.]online

verify[.]02bofa[.]com

verify[.]04bofa[.]com

verify[.]dcu[.]us[.]t7yt[.]online

verify[.]rebate[.]barclys[.]online

verify[.]santadner[.]5tr[.]online

verify[.]santadner[.]76t[.]online

verify[.]secbf[.]com

verifyandsecure11[.]ga

verifyauth10[.]com

web2access-americafirst-support[.]line[.]pm

webdirect-rbfcu-verify[.]my03[.]com

webphoneverificationsamericafirstcuredirect[.]xxuz[.]com

wellauth2[.]com

wells-access[.]info

wells-auth091[.]com

wells-auth092[.]com

wells-auth093[.]com

wfntm[.]online

Authors

Savio Lau

Senior Staff Security Intelligence Researcher

Savio is a Security Intelligence Researcher at Lookout focusing on mobile phishing and content protection. Prior to joining Lookout, he worked as a threat researcher at Sophos for over a decade, focusing on reversing and detecting Windows malware. He graduated with a Bachelor's and a Master's of Applied Science, both from Simon Fraser University. His interests in infosec include network security, web security, malware, and spam.

Entry Type
In-Depth Analysis
Threat Type
Phishing
Discovered By
Lookout
Platform(s) Affected
All Platforms