New ‘Robin Banks’ phishing service targets BofA, Citi, and Wells Fargo

Emails over a keyboard with a hook in them

A new phishing as a service (PhaaS) platform named ‘Robin Banks’ has been launched, offering ready-made phishing kits targeting the customers of well-known banks and online services.

The targeted entities include Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Lloyds Bank, the Commonwealth Bank in Australia, and Santander.

Additionally, Robin Banks offers templates to steal Microsoft, Google, Netflix, and T-Mobile accounts.

According to a report by IronNet, whose analysts discovered the new phishing platform, Robin Banks is already being deployed in large-scale campaigns that started in mid-June, targeting victims via SMS and email.

Emergence of Robin Banks

Robin Banks is the new project of a cybercrime group believed to be active since at least March 2022, created for quickly crafting high-quality phishing pages to target customers of large financial organizations.

It is sold in two price tiers, one offering single pages and 24/7 support for $50 per month, and another is giving unlimited access to all templates and 24/7 support for $200 per month.

The log in screen on the platform's clearnet siteThe login screen on the platform’s clearnet site

Upon registration, threat actors receive a personal dashboard containing reports about their operations, easy page creation, wallet management, and options to create custom phishing sites.

The Robin Banks dashboardThe Robin Banks dashboard (IronNet)

The platform also gives users options like adding reCAPTCHA to thwart bots or checking user agent strings to block specific victims from highly-targeted campaigns.

Selecting a target bank for phishingSelecting a target bank for phishing (IronNet)

“The Robin Banks website has a more sophisticated yet user-friendly webGUI than 16Shop and BulletProftLink — two well-known phishing kits that are also notably more expensive than Robin Banks as well,” comments IronNet in the report.

Also, the new PhaaS platform is constantly adding new templates and updating the old ones to reflect the targeted entities’ style and color scheme changes.

These advantages have made Robin Banks popular in the cybercrime space, and many cybercriminals have adopted it in the past couple of months.

An active campaign

In one campaign spotted by IronNet last month, an operator of Robin Banks targeted customers of Citibank via SMS that warned them about “unusual usage” of their debit card.

Smishing message sent to random targetsSmishing message sent to random targets (IronNet)

The provided link to lift the alleged security limitations takes victims to a phishing page where they are requested to enter their personal details.

Upon landing on the phishing site, the victim’s browser is fingerprinted to determine if they’re on desktop or mobile, and the appropriate web page version is loaded.

Once the victim enters all the required details on the form fields of the phishing site, a POST request is sent to the Robin Banks API, containing two unique tokens, one for the campaign operator and one for the victim.

POST request to transfer the stolen dataPOST request to transfer the stolen data (IronNet)

The phishing site sends one POST request for each web page the victim fills out, which works as a fail-safe to steal as many details as possible since the phishing process may stop at any time due to suspicion or other reasons.

All data sent to the Robin Banks API is viewable from the platform’s webGUI for both the operator and the platform administrators.

Robin Banks also gives the option to forward stolen details to the operator’s personal Telegram channel for convenience.


The emergence of a new high-quality PhaaS platform isn’t favorable for internet users, as it promotes phishing to low-skill cybercriminals and augments the bombardment of tricky messages.

To keep yourself safe from these malicious attempts, never click on links sent via SMS or email, and always confirm the website you’ve landed on is the official one.

Finally, enable 2FA on all your accounts and use a private phone number to receive the one-time passwords.


Related posts

The Week in Ransomware – October 14th 2022 – Bitcoin Trickery

Sarah Henriquez

Automotive supplier breached by 3 ransomware gangs in 2 weeks

Sarah Henriquez

Wazuh – The free and open source XDR platform

Sarah Henriquez

Leave a Comment