Update - Phishing-as-a-Service Platform Offers MFA Bypass for $1,500

It is not unknown for criminal actors to purchase kits of malware or phishing tools to streamline the process of stealing credentials. What is new is the idea of “phishing as a service”, which is akin to purchasing a monthly subscription like popular streaming services.

For a fee, someone with malicious intent can subscribe to a service and receive a ready-to-go phishing package with statistics and updates all from one place. The most notable of these is Robin Banks, just appearing last March in 2022. 

Robin Banks is a phishing-as-a-service tool selling premade phishing kits to criminals wanting to access financial information. To create an account a user will need an email and password and can only pay in bitcoin. Robin Banks claims “24//7 support” and “access to future updates” for $50 a month with full access for $200 a month.  Once in, users are prompted to design a phishing kit, designing a scam that mimics a business of their choosing. Having been active for under a year, there have already been notable changes. 

Robin Banks Switches Providers 

Just months after the release of Robin Banks, cybersecurity research team IronNet investigated and wrote a report that left them scattered. Cloudflare, the original server hosting Robin Banks services dissociated following the release of the report. The service was down for multiple days and Robin Banks switched to Russian provider DDos-Guard. The new provider happens to be known for ignoring takedown requests, making it reliable in the eyes of threat actors. With the change, ironically the service known for stealing information is stepping up its own security by adding two-factor authentication.

Two-Factor Infiltration

Multi-factor authentication (MFA) is becoming increasingly popular with nearly every major business in the last decade. Having an email or phone number to intercept password change requests and other crucial information has done well in protecting from malicious actors attempting to gain access to an account. 

Though very useful and encouraged, every company has their own variation and the success of protection dwindles as malicious hackers develop new ways to infiltrate. With their own two-factor authentication, Robin Banks has recently developed and offers a cookie-stealing feature for purchase. It uses Evilginx2, a open source framework designed to lure users to a phishing site extremely similar to official company web pages. The victim is connected to a phishing page with SSL certificates (encrypted link between a server and client) and when they log in their information is captured and sent to the phisher. Now that users' information is accessible to the hacker through Robin Banks without having to bother with two-factor. Robin Banks is offering this service for a steep $1,500 per month, much more than their previous $200 monthly fee for the rest of the service. 

Final Thoughts

Robin Banks is one of numerous phishing services to make money from desperate users of their own service and victims of the ones using their service. For their malicious intent they present themselves as a very proper business model and the newer two-factor bypass just made them a bit more valuable to its users willing to pay the hefty price. The exposure of this information is again a reminder of the importance of robust email security.