Navigating the Treacherous Waters of Phishing: The Rise of Robin Banks PhaaS

In a constantly evolving threat landscape, a phishing operation has emerged that poses a significant risk to customers of financial and cryptocurrency services.

Dubbed Robin Banks, this Phishing-as-a-Service (PhaaS) platform has been tracked by security researchers since IronNet first reported it in July 2022.

Despite going relatively quiet after November 2022, Robin Banks has resurfaced: recent findings by Lookout document renewed phishing activity and a concerning pivot towards cryptocurrency services.

The Modus Operandi of Robin Banks

Robin Banks primarily targets customers of banks worldwide through SMS (smishing) and email phishing campaigns.

The platform initially fronted its pages with Cloudflare's proxy service and was forced to move to DDoS-Guard after its exposure.

A notable feature of Robin Banks is its ability to defeat two-factor authentication (2FA) with Adversary-in-the-Middle (AitM) phishing built on evilginx2: the phishing page is a reverse proxy that relays the victim's login to the real site, so the operator captures not only the password and the one-time code but also the authenticated session cookie the site issues once 2FA succeeds. This is what makes the kit's attacks far more potent than a static credential-harvesting page.

The Evolution and Adaptation

After a brief hiatus beginning around February 2023, the trail of Robin Banks seemed cold: content domains stopped resolving and the previously observed infrastructure went dark.

The retooling had started earlier, though: in August 2022 the kit switched from reCAPTCHA to hCaptcha on its landing pages, a step that makes automated crawling and analysis of the phishing content considerably harder.

Renewed Activities and New Tactics

Recent investigations have surfaced the latest Robin Banks phishing pages, which use new PHP file names (klsnew.php and klssza.php, see the domain lists below) that serve as indicators of compromise (IoCs).

Hosting moved to cloud providers such as Google Cloud, DigitalOcean and Kamatera, and later to Orange Romania address space, a rotation of infrastructure that reads as an effort to evade blocking and detection.

The target set has broadened to include cryptocurrency services, Coinbase in particular, an alarming expansion of the kit's scope.

The Technical Nuances

The kit's sophistication shows in its use of hCaptcha to deter automated analysis and in its AitM proxy capabilities, which capture the MFA codes users enter along with the session that results.

An intriguing discovery was an unprotected, seemingly defunct Robin Banks phishing site that exposed the backend live panel of the kit.

The panel revealed functions for managing captured credentials and for triggering 2FA capture, underscoring that operators work hands-on, in real time, to use a victim's active login session before it expires.

The Ongoing Threat and Countermeasures

The persistence of Robin Banks activity, observed as recently as September 2023, underscores the dynamic nature of phishing threats and the continuous effort threat actors put into adapting their tooling.

The dependence on live operators, together with the per-operator panel, shows that Robin Banks is still run as a service, and that MFA bypass has become a central component of its attack chain.

For organizations and individuals alike, staying vigilant and informed about the evolving tactics of phishing operations like Robin Banks is crucial.

Implementing robust defences, raising awareness of current phishing techniques and encouraging a culture of security all help to mitigate the risk. One caveat matters here: because an AitM kit relays the real login and steals the resulting session, SMS codes, authenticator apps and push approvals do not stop it. Phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys), which binds the credential to the legitimate origin, does; so does blocking the domains listed below and alerting on the kit's PHP file names in proxy and DNS logs.
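The domain list at the end of this page follows a recognisable pattern: a brand name, a lure word such as "secure", "verify" or "auth", a few digits, and often a swapped letter (ldentlfyme, amerlca, coinbse) or a throwaway TLD or dynamic-DNS parent. The following script, an added example written for this page and not code from Lookout, IronNet or the kit, turns that pattern into a triage heuristic for hostnames seen in DNS or certificate-transparency feeds. The brand watch-list, lure words, weights and thresholds are assumptions modelled on the list here; adjust them to the brands you protect.

```python
"""Heuristic triage of hostnames for bank/crypto brand impersonation.

Added example for this page, not code from Lookout, IronNet or Robin Banks.
Brand list, lure words, weights and sample hostnames are assumptions
modelled on the naming patterns in the IoC list on this page.
"""
import re
from urllib.parse import urlsplit

# (token as it appears in abusive hostnames, display name) - assumed watch-list.
BRANDS = [
    ("bankofamerica", "Bank of America"), ("bofa", "Bank of America"),
    ("chase", "Chase"), ("santander", "Santander"), ("coinbase", "Coinbase"),
    ("rbfcu", "RBFCU"), ("wells", "Wells Fargo"), ("citi", "Citi"),
    ("navyfederal", "Navy Federal"), ("capitalone", "Capital One"),
    ("americafirst", "America First CU"),
]
# Words the kit uses to sound official (assumed list).
LURE_WORDS = ["secure", "verify", "verif", "auth", "login", "support", "help",
              "alert", "update", "recover", "recovr", "identify", "mfa", "sms"]
GENERIC_TLDS = {"online", "lol", "homes", "site", "info", "cc", "tk", "ml",
                "ga", "cf", "lat"}
DYNDNS_PARENTS = {"ddns.net", "hopto.org", "myftp.org", "serveftp.com",
                  "servehttp.com", "redirectme.net", "dns-dns.com", "publicvm.com"}

# Map confusable characters onto one representative so that, after folding,
# 'ldentlfyme' == 'identifyme' and 'l0gin' == 'login'.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o", "3": "e", "5": "s"})


def fold(s: str) -> str:
    return s.lower().translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(value: str) -> str:
    """Accept a defanged IoC, a bare hostname or a URL; return the hostname."""
    value = value.replace("[.]", ".").strip().rstrip(".").lower()
    if "://" not in value:
        value = "http://" + value
    return urlsplit(value).hostname or ""


def assess(value: str) -> dict:
    host = hostname_of(value)
    labels = host.split(".")
    tld, body = labels[-1], "".join(labels[:-1])
    compact = re.sub(r"[^a-z]", "", fold(body))  # letters only, confusables folded
    reasons, brand = [], None

    # 1. Brand token embedded anywhere in the name (02auth-bankofamerica, securebofa).
    for token, name in BRANDS:
        if fold(token) in compact:
            brand, reasons = name, [f"brand:{token}"]
            break
    # 2. Otherwise a one-edit typo of a brand as its own word (coinbse, bamkofamerica).
    if brand is None:
        for tok in re.split(r"[^a-z0-9]+", ".".join(labels[:-1])):
            for token, name in BRANDS:
                if len(token) >= 5 and edit_distance(fold(tok), fold(token)) == 1:
                    brand, reasons = name, [f"brand-lookalike:{tok}~{token}"]
                    break
            if brand:
                break
    score = 3 if brand else 0

    lures = [w for w in LURE_WORDS if fold(w) in compact]
    score += min(len(lures), 2)
    reasons += [f"lure:{w}" for w in lures]
    if tld in GENERIC_TLDS:
        score += 1
        reasons.append(f"tld:{tld}")
    if any(host == p or host.endswith("." + p) for p in DYNDNS_PARENTS):
        score += 1
        reasons.append("dynamic-dns")
    if any(c.isdigit() for c in body):
        score += 1
        reasons.append("digits")
    return {"host": host, "brand": brand, "score": score,
            "reasons": reasons, "suspicious": score >= 4}


if __name__ == "__main__":
    # Hostnames taken from the list on this page plus two legitimate controls.
    for h in ["02auth-bankofamerica[.]com", "usr-mfa-coinbse[.]com",
              "ldentlfyme-rbfcu[.]com", "secure[.]chase[.]us[.]5t7[.]online",
              "navyfederal-auth[.]ddns[.]net", "www.chase.com", "www.example.com"]:
        r = assess(h)
        print(f"{r['score']:>2} {'SUSPICIOUS' if r['suspicious'] else 'ok':10} {r['host']}  {r['reasons']}")
```

A legitimate brand domain scores 3 on the brand token alone, so an allow-list of domains you actually own (and of common English words that embed a token, such as "purchase" containing "chase") belongs in front of this check; the heuristic is for triage and enrichment, not for automatic blocking.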

Conclusion

The resurgence of Robin Banks serves as a stark reminder of the perpetual arms race in cybersecurity.

As threat actors refine their strategies, the collective efforts of the cybersecurity community become ever more vital in safeguarding the digital frontier.

Indicators of Compromise

The known Robin Banks PhaaS domains are listed below, grouped by the PHP file name observed on each (klsnew.php and klssza.php). Known IP addresses hosting these domains include:

34.168.100[.]202 (Google)

34.168.242[.]7 (Google)

34.172.242[.]32 (Google)

81.28.6[.]5 (Kamatera Inc)

109.122.221[.]135 (Orange Romania)

109.122.221[.]156 (Orange Romania)

103.212.81[.]230 (Orange Romania)

167.71.203[.]211 (DigitalOcean)

139.59.108[.]187 (DigitalOcean)

klsnew[.]php domain list

servicecu-verif01a[.]com

usr-mfa-coinbse[.]com

recrovrcoinbase-help[.]com

coinbase-profile00[.]com

coinbase-profile0[.]com

servicecreditunion02a[.]com

coinbase-usrrecovrg[.]com

bfcu01a[.]com

servicecu03a[.]com

klssza[.]php domain list

02auth-bankofamerica[.]com

03auth-bankofamerica[.]com

03secureboalogin1[.]com

05securedboalogin1a[.]com

1auth09re-enable-americafirst[.]my03[.]com

1bofasecured[.]us

3login-info[.]serveusers[.]com

53-2fa[.]us

53-signin[.]com

7a-bankofamerica[.]com

access-3312t7zr94145[.]online-case-1b[.]org

access-6865xia0s8665[.]verifyhub-19c[.]cc

account-53rd[.]com

afcu-onlinebanking01[.]com

afcu-onlinebanking02[.]com

afcu[.]25u[.]com

aidme-citizensbnk23[.]com

aidme-santanderbnk[.]com

alert-authrbfcu[.]com

alrt-tr3ist[.]info

americafirst-onlinebanking08c[.]com

americafirst[.]secure02ea-authlogon[.]com

americafirst[.]secure03ea-authlogon[.]com

americafirst[.]secure04ea-authlogon[.]com

americafirstrouting[.]misecure[.]com

amerlca-fcu[.]com

amzon-service05a[.]com

approvedsms[.]online

auth[.]02bofa[.]com

auth[.]bof05[.]com

auth[.]nfix[.]online

auth03nfcu[.]org

auth06-web2access-americafirst[.]my03[.]com

auth07cit[.]com

authb02f[.]com

authmobilejp[.]ddns[.]net

authsantander1portal[.]com

authsectd08f[.]info

authyjpmobile01[.]ddns[.]net

autorization[.]santanderr[.]co[.]76t[.]online

autorization[.]tdbank[.]co[.]1t3[.]homes

banking[.]santader[.]us[.]76t[.]online

banking[.]santandr[.]co[.]1t7[.]online

bankofamerica-activity[.]com

bankofamerica-mobile02[.]com

bk[.]aidme-citizensbnk23[.]com

bnacr[.]online

bnk-en[.]aidme-citizensbnk23[.]com

boaverifyuser88[.]com

bofa-administrator01[.]com

bofa4cardlogin8m[.]ddns[.]net

cap88tlluser[.]com

capitalone-onlinebanking01c[.]com

capitalone-onlinebanking08a[.]com

capitalone-verify[.]com[.]8nf[.]site

cfo4huqkbfgh84tqgeg0[.]aidme-santanderbnk[.]com

cfo8atikbfgh84ttl6l0[.]aidme-santanderbnk[.]com

changes-alerts[.]live

chase-07secure[.]com

chase03a-security[.]com

cirvipe43[.]dns[.]army

cit-health[.]online

citi03auth[.]com

citiupdate[.]online

citizens-authorized[.]ddns[.]net

citizensbanksecure01[.]com

client-authrgs[.]com

client-navyfederal[.]ddns[.]net

client-rbfcu[.]org

confrimation[.]santanderr[.]co[.]76t[.]online

confrimation[.]santanderr[.]us[.]76t[.]online

cufcrb[.]online

dcuaccount-auth[.]ddns[.]net

dcuonline-auth[.]ddns[.]net

dcuonline-verify[.]ddns[.]net

desa2[.]cf

desconc[.]cf

eqfnjefjqjfjn19[.]misecure[.]com

fillchase-enquiry[.]lat

golden1-fcuonline01a[.]com

golden1-reports01a[.]com

help-client-prompt[.]online

helpservicesasb[.]com

helpservicesiccu[.]com

hsbc-uk-live01a[.]com

huntington-online01a[.]com

improvedaccount8214211[.]vantechddns[.]com

iog[.]authb02f[.]com

jimmyicon[.]com

jp-signin-morgan[.]com

jponetimeauth01[.]ddns[.]net

ldentifyme-rbfcu[.]com

ldentlfyme-rbfcu[.]com

login-thebankofamerica[.]com

macusupport[.]com

mobiledcuauth01[.]ddns[.]net

mobilejpsecure[.]ddns[.]net

mobileusbnkauth01[.]ddns[.]net

mtbank-us[.]info

my[.]capitalone[.]comm[.]sncu[.]us

my[.]td-bank[.]comm[.]5yt[.]lol

my[.]td-bank[.]comm[.]h9s[.]online

myusaaclient[.]ml

navyfederal-auth[.]ddns[.]net

navyfederal-protect[.]ddns[.]net

navyfederal-safe[.]ddns[.]net

netfixsecurity02a[.]com

netflix-renewsub[.]com

netflix[.]ca[.]nl0[.]site

nfix[.]online

online-santander01a[.]com

online-santander02a[.]com

online-verlfy[.]info

onlinebanking[.]secbof[.]com

onlinebanking01v-americafirst[.]com

ourverified-helper[.]online

partalvsantanderauth2[.]com

phoneverification-afcu[.]dns-dns[.]com

portalv1santanderauth[.]com

portalv3santanderonline[.]com

rbbfcu-portal[.]com

rbfcu-signverify[.]com

rbfcuverify[.]in

rbfcuverify[.]info

rbfcuverifyteam[.]info

re-gions08a[.]com

review[.]02-amazon[.]com

reviewauth-nrbfcu[.]com

rolbsantanderportalv31[.]ns01[.]us

rsnetflix[.]com

s9845[.]secure-29s[.]is

safe02[.]info

safeams[.]chbas[.]info

santander-auth0a[.]ddns[.]net

santandercare02a[.]com

sec-bofauser02[.]com

sec03hsbc[.]com

sec05verify-americafirst[.]my03[.]com

sec07-authoa[.]com

sec09auth-2re-enable-america1st[.]my03[.]com

sec0userid[.]com

sec75-citiauth[.]com

secure-06site[.]tk

secure-53[.]com

secure-authoo1[.]com

secure[.]02bofa[.]com

secure[.]04bofa[.]com

secure[.]account[.]nt-ku[.]online

secure[.]chase[.]us[.]1w11[.]lol

secure[.]chase[.]us[.]5t7[.]online

secure[.]dcu[.]org[.]7yt7[.]online

secure[.]dcu[.]us[.]t7yt[.]online

secure[.]santandder[.]co[.]tw24[.]lol

secure[.]santanderss[.]co[.]6ty[.]lol

secure[.]santanderss[.]co[.]try4[.]homes

secure[.]santandrer[.]us[.]76t[.]online

secure[.]santandrer[.]us[.]7y6[.]online

secure[.]td[.]co[.]t57[.]lol

secure[.]td[.]us[.]4t3[.]homes

secure[.]userbof[.]com

secure[.]verf[.]hb-sc[.]info

secure[.]verify[.]uk[.]h-bs-c[.]info

secure01a-chase-onlines1[.]com

secure01a-chase-onlines2[.]com

secure02ea-chase-security[.]com

secure03-1captialverify[.]com

secure03-user[.]tk

secure03hsbc[.]com

secure04ea-chase[.]com

secure05hsbc[.]com

secure05loginbofa[.]com

secure0675-online-verlfication[.]info

secure08-wells[.]online

secure09-americafirst[.]my03[.]com

secure101ea-chase[.]com

secure11-verifauth03[.]com

secure125ea-chase[.]com

secure153ea-chase[.]com

secure4-1capitaloneauth[.]com

secure4-5chaseauth8[.]com

secure41-verifauth6[.]com

secure5-9verifauth[.]com

secure7-3verifychase[.]com

secure73chase-auth[.]com

secure83ea-chase[.]com

secure84ea-chase[.]com

securebofa[.]x24hr[.]com

securecitiupdate0[.]ddns[.]net

secured016[.]servehttp[.]com

secured01bofa[.]us

securednavyfcu011[.]ddns[.]net

securedpnc011[.]ddns[.]net

securedportal-confirmationlink[.]com

secureduserror01[.]redirectme[.]net

securee[.]santanderr[.]t-d-bk[.]live

securejpmobile01[.]ddns[.]net

securelink-bamkofamerica[.]com

securemobilejp[.]hopto[.]org

securenavy011[.]myftp[.]org

secureverify5[.]com

securewells[.]in

securex5web[.]com

securitybofa-help[.]com

securitybofa03e[.]com

serv03-user[.]serveusers[.]com

server-rbfcuauth[.]com

signwebin[.]com

sms-phoneverification[.]dns-dns[.]com

smsapproval[.]online

smsrecovery[.]online

sslv5prosantanderlvl1[.]publicvm[.]com

static-usaa01[.]com

support[.]1afcusms[.]site

support[.]bellco[.]0rg[.]1t4[.]online

support[.]chase[.]us[.]5t7[.]online

support[.]santandrer[.]us[.]5tr[.]online

supportchas-e3n[.]com

supportl0ginc5[.]com

supportsmsboa[.]site

t-d-online01a[.]com

t-d-online02a[.]com

t-donline07a[.]com

td-alerts[.]ddns[.]net

td-onlinebank1[.]com

td-onlinebanking03s[.]com

td-security01a[.]com

td-support01a[.]com

td[.]secure03ea-authlogon[.]com

td73banksec[.]serveftp[.]com

tdbank-login[.]secure02ea-authlogon[.]com

tdbank-online01[.]com

tdbanksupport01a[.]com

tdrauth6[.]info

test[.]authb02f[.]com

truist-help[.]me

uk[.]payments[.]netflix[.]reb-hmcr[.]site

unlock-bofa[.]com[.]

update-info-afcu[.]com

update[.]02-amazon[.]com

usaaarmysecurityaesecurity[.]com

usaahelp[.]online

usaauthymobile[.]ddns[.]net

user03-login[.]serveftp[.]com

userassistance[.]site

userbof[.]com

userhelp[.]site

verifcapitalone01a[.]com

verification[.]netflix[.]hmrt[.]site

verification[.]netflix[.]uknet[.]online

verify[.]02bofa[.]com

verify[.]04bofa[.]com

verify[.]dcu[.]us[.]t7yt[.]online

verify[.]rebate[.]barclys[.]online

verify[.]santadner[.]5tr[.]online

verify[.]santadner[.]76t[.]online

verify[.]secbf[.]com

verifyandsecure11[.]ga

verifyauth10[.]com

web2access-americafirst-support[.]line[.]pm

webdirect-rbfcu-verify[.]my03[.]com

webphoneverificationsamericafirstcuredirect[.]xxuz[.]com

wellauth2[.]com

wells-access[.]info

wells-auth091[.]com

wells-auth092[.]com

wells-auth093[.]com

wfntm[.]online
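As an added example that is not part of the original post, the script below takes a handful of the IoCs above in their published defanged form, refangs them, and runs them over web-proxy log lines. The log format (timestamp, client IP, method, URL, destination IP) and the log lines themselves are constructed for the illustration; the domain, IP and PHP file name values are copied from the list. Matching on the PHP file name catches the kit on a host that has not yet been listed.

```python
"""Match the page's Robin Banks IoCs against web-proxy log lines.

Added example for this page, not code from Lookout or from the kit. The IoC
values are copied from the list above; the log format and log lines are
constructed and are not real traffic.
"""
import re
from urllib.parse import urlsplit

# Subset of the IoC list above, still in the defanged form as published.
DEFANGED_DOMAINS = [
    "usr-mfa-coinbse[.]com",
    "coinbase-profile0[.]com",
    "02auth-bankofamerica[.]com",
    "secure[.]chase[.]us[.]5t7[.]online",
    "ldentlfyme-rbfcu[.]com",
]
DEFANGED_IPS = [
    "34.168.100[.]202",
    "109.122.221[.]135",
    "167.71.203[.]211",
]
# PHP file names observed on the current phishing pages.
IOC_PHP_NAMES = {"klsnew.php", "klssza.php"}


def refang(ioc: str) -> str:
    """Turn the published '[.]' notation back into a usable hostname or IP."""
    return ioc.replace("[.]", ".").rstrip(".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_IPS = {refang(i) for i in DEFANGED_IPS}

# Constructed log format: "<ts> <client> <method> <url> <dst_ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<dst>\S+)$")


def host_matches(host: str) -> bool:
    """True if host is an IoC domain or a subdomain of one (e.g. bk.<ioc>)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def classify(line: str) -> list:
    """Return the reasons a log line matches (empty list if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    parts = urlsplit(m.group("url"))
    reasons = []
    if parts.hostname and host_matches(parts.hostname):
        reasons.append(f"ioc-domain:{parts.hostname}")
    if m.group("dst") in IOC_IPS:
        reasons.append(f"ioc-ip:{m.group('dst')}")
    # Path check catches the kit's PHP pages even on a domain not yet listed.
    leaf = parts.path.rsplit("/", 1)[-1].lower()
    if leaf in IOC_PHP_NAMES:
        reasons.append(f"ioc-php:{leaf}")
    return reasons


def scan(lines) -> list:
    """Return (line, reasons) for every line that hits at least one IoC."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample traffic: one clean line, three that should alert.
SAMPLE_LOG = [
    "2023-09-12T10:01:02Z 10.0.0.5 GET https://www.example.com/index.html 93.184.216.34",
    "2023-09-12T10:02:11Z 10.0.0.7 POST https://usr-mfa-coinbse.com/klsnew.php 34.168.100.202",
    "2023-09-12T10:03:40Z 10.0.0.9 GET https://bk.ldentlfyme-rbfcu.com/login 198.51.100.23",
    "2023-09-12T10:04:05Z 10.0.0.3 GET https://new-unlisted-host.example.net/klssza.php 203.0.113.9",
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(", ".join(reasons), "<-", line)
```

Subdomain matching matters because several listed entries are hosts under a shared parent such as aidme-citizensbnk23[.]com. Do not apply the same suffix logic to the dynamic-DNS entries (ddns[.]net, hopto[.]org and similar): match those on the full hostname only, since blocking the parent would also hit legitimate users of the service.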
