EXECUTIVE SUMMARY:

This new Phishing-as-a-Service scheme targets employees of major financial institutions, from Bank of America to Santander. The most damaging campaigns have been active since June of this year, although operations seem to have started in March. Customers of the ‘Robin Banks’ platform have netted as much as $500,000.

Why the popularity

A rising cyber crime syndicate has determined that it’s simpler to sell phishing kits than to teach individual cyber criminals how to lure in victims. The group behind the ‘Robin Banks’ Phishing-as-a-Service platform charges as little as $50.00 per month. More sophisticated tools are available for $200.00 per month, and come with online support.

Robin Banks has gained an influx of new customers in recent months, partially fueled by the group’s dedication to and consistency in updating phishing templates. Cyber criminals can select from an extensive library of brands to impersonate, including at least 7 different large banks as well as Google, Microsoft, Netflix and T-Mobile.

A recent campaign

Last month, one campaign that leveraged the Robin Banks Phishing-as-a-Service kits targeted Citibank customers via text message. The text warned customers about “unusual usage” of their debit cards. The link included in the message took victims to a phishing page, where a portal asked them to enter their banking credentials.

Technical details

After the victim enters the requested details in the form fields, a POST request is submitted to the Robin Banks API. This contains two unique tokens. One is for the campaign operator and one for the victim.

The phishing site sends one POST request for every web page into which the victim enters data. This works as a fail-safe to steal as many personal details as possible, since the phishing process may stop at any time due to user suspicion or for other reasons.
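The per-page submission pattern described above leaves a recognizable trail in web proxy logs: one client sending POST requests to the same third-party host from several different pages of one site. The following hunting sketch is an added example, not code from the article or from the kit; the log format, host names and the `find_stepwise_posts` helper are all constructed for illustration, and a match is a lead to investigate rather than a verdict.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic): time client method url referer
SAMPLE_LOG = """\
2000-01-01T10:00:01 10.0.0.5 GET https://bank-login.example/signin -
2000-01-01T10:00:20 10.0.0.5 POST https://api.kit.example/submit https://bank-login.example/signin
2000-01-01T10:00:48 10.0.0.5 POST https://api.kit.example/submit https://bank-login.example/card
2000-01-01T10:01:15 10.0.0.5 POST https://api.kit.example/submit https://bank-login.example/identity
2000-01-01T10:02:00 10.0.0.9 POST https://shop.example/cart https://shop.example/item/4
2000-01-01T10:02:30 10.0.0.9 POST https://stats.example/beacon https://shop.example/item/4
"""

def find_stepwise_posts(log_text, min_pages=2, allow_hosts=frozenset()):
    """Return {(client, page_host, api_host): [page paths]} for cross-origin
    POSTs sent from at least min_pages distinct pages of the same site."""
    pages = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _, client, method, url, referer = fields
        if method != "POST" or referer == "-":
            continue
        api_host = urlsplit(url).hostname
        ref = urlsplit(referer)
        if not api_host or not ref.hostname:
            continue
        if api_host == ref.hostname or api_host in allow_hosts:
            continue  # same-origin form post, or a host already vetted
        key = (client, ref.hostname, api_host)
        path = ref.path or "/"
        if path not in pages[key]:
            pages[key].append(path)  # keep the order in which pages were seen
    return {k: v for k, v in pages.items() if len(v) >= min_pages}

if __name__ == "__main__":
    for (client, site, api), paths in find_stepwise_posts(SAMPLE_LOG).items():
        print(f"{client}: {site} posted to {api} from pages {paths}")
```

Legitimate sites also post to third-party APIs, so vetted hosts belong in `allow_hosts`, and results are best correlated with domain age or an SMS or email click that preceded the visit.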

All data submitted to the Robin Banks API is viewable from the platform’s webGUI for operators and platform admins alike. For convenience, Robin Banks also gives cyber criminals the option to forward stolen details to the operator’s personal Telegram channel.

Robin Banks

The operators’ motives are transparent. The makers of Robin Banks aim to assist lower-level cyber criminals in literally robbing banks – digitally removing the money from the digital vaults. Recent Robin Banks-based attacks have affected financial institutions located in the US, Canada, the United Kingdom and Australia.

Further thoughts

For businesses and individuals, the emergence of new high-quality Phishing-as-a-Service platforms isn’t good news. It promotes phishing among low-skill cyber criminals and is expected to increase volumes of deceptive text and email messages.

To stop the persistent onslaught of email-based threats, organizations are strongly encouraged to implement email security that’s powered by artificial intelligence. This can stop phishing attacks before they even reach employee inboxes.

When seeking out a new email security provider, select a vendor with a high catch rate and easy security deployment. For more email security insights from CyberTalk.org, see our past coverage.
