You may be wondering who Robin Banks is, but you should instead ask what Robin Banks is.

Robin Banks is a phishing-as-a-service (PhaaS) platform that first surfaced in March this year. The name is a play on the phrase “robbing banks,” coined by IronNet researchers who introduced the malicious platform to the world.

Despite Cloudflare’s efforts to shut down pages connected to the threat soon after its exposure in July, Robin Banks’s operators have seemingly reemerged just this month. IronNet has made 17 indicators of compromise (IoCs) known via its two reports so far. But could other artifacts be weaponized to pose even greater dangers to online banks and their customers worldwide?

WhoisXML API researchers sought to find out through a deep dive aided by WHOIS, IP, and DNS intelligence. Here’s a list of our key findings:

• 367 domains containing specific strings found among the IoCs—“securebofa,” “verify-fargo,” “robinbanks,” “ironpages,” “9dumbdomain,” “ironnet,” “suncoastportal,” “truistclientauth,” “authchecks,” and “robinbnks”
• 10 unredacted registrant email addresses from the possibly connected domains’ WHOIS records
• 10,101 domains that shared the artifacts’ registrant email addresses
• 348 IP resolutions of the domains that shared the artifacts’ registrant email addresses, three of which were found malicious
• 1,229 more domains that shared the artifacts’ IP hosts
• 16 malicious domains from among the 11,385 potentially connected web properties found

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Robin Banks: Robbing Banks for Months Now

IronNet researchers identified U.S., U.K., Canadian, and Australian online banking customers as Robin Banks targets in its reports. Apart from trailing their sights on victims’ banking credentials, the threat actors also aimed to collect users’ Microsoft and Google username-password combos using phishing pages and cookie stealers.

Online banking customers have since been warned to steer clear of 17 IoCs—14 domains and three IP addresses. The table below shows the complete list.

What Our Robin Banks Deep Dive Uncovered

While the IoCs IronNet identified seem to have been disabled, our Domains & Subdomains Discovery search for additional artifacts uncovered 367 domains that shared identifiable strings the domain IoCs used—“securebofa,” “verify-fargo,” “robinbanks,” “ironpages,” “9dumbdomain,” “ironnet,” “suncoastportal,” “truistclientauth,” “authchecks,” and “robinbnks.”

A bulk WHOIS lookup for the 300+ additional domains revealed that 10 had unredacted registrant email addresses. Using these as historical reverse WHOIS search strings led to the discovery of 10,101 more domains.

A bulk IP geolocation lookup for the 10,000+ additional artifacts allowed us to find 348 other possibly connected IP addresses, three of which—198[.]185[.]159[.]145, 3[.]64[.]163[.]50, and 3[.]130[.]204[.]160—were dubbed “malware hosts” by various malware engines.

Our analysis unveiled a total of 11,385 possibly connected domains via string usage, registrant email address, and IP hosts.

Screenshot lookups for a few of these web properties yielded interesting results—clear signs that users should refrain from accessing suspicious websites like those shown below.

The first screenshot on the left-hand side seems to be riding on the brand of the U.S.-based lending company Point or Lending Point. We didn’t find any company website named “Point Loan.” The second screenshot on the left, meanwhile, could be mimicking Medius, a provider of invoicing solutions in North America. Each row of sites didn’t share the same WHOIS details. It’s quite possible, therefore, for visitors who enter their credentials to unknowingly hand them over to phishers or other fraudsters.

A bulk malware check for the 11,385 possibly connected domains identified 16 malicious properties, including:

• securebofa[.]co
• wwwsecurebofavzla[.]site
• verify-fargoaccess-now[.]ru
• bankofamerica1fraudalerts[.]com
• the-bankofamerica[.]com
• bankofamerica-evaluation[.]com
• 0-0-0-0-0-0-0-0-0-0[.]com
• aquait[.]org

Note the presence of legitimate business brands Wells Fargo and Bank of America in the malicious domains. Customers of these financial organizations should particularly be wary of Robin Banks PhaaS users. Despite the presence of the names of two of the most popular phishing targets in most of the malicious domains, only half currently belonged to them despite their longer history of being owned by likely nonemployees or even affiliates.

If this Robin Banks IoC expansion is any indication, organizations can drastically improve their cybersecurity posture through constant monitoring of even potentially connected artifacts. Without conducting our in-depth analysis, for instance, we wouldn’t have been able to identify malicious web properties—three IP addresses and 16 domains—other than those IronNet already publicized.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.