Robin Banks, not a who but a what, is a phishing-as-a-service (PhaaS) platform that IronNet researchers discovered in March this year.1 Many may have thought associated risks were done and over with when Cloudflare shut down pages connected to the threat in July. But that wasn’t the case since Robin Banks reemerged just this month.2
Using the 17 indicators of compromise (IoCs) IronNet publicized in its two reports, we sought to identify more artifacts that may be weaponized in future attacks. Our deep dive revealed:
- 300+ domains containing specific strings found among the IoCs—“securebofa,” “verify-fargo,” “robinbanks,” “ironpages,” “9dumbdomain,” “ironnet,” “suncoastportal,” “truistclientauth,” “authchecks,” and “robinbnks”
- 10 unredacted registrant email addresses from the artifacts’ WHOIS records
- 10,000+ domains that shared the artifacts’ registrant email addresses
- 300+ IP resolutions of the domains that shared the artifacts’ registrant email addresses, three of which were found malicious
- 1,200+ domains that shared the artifacts’ IP hosts
- 16 malicious domains from among the 11,000+ artifacts found
Download a sample of the threat research materials now or contact us to access the complete set of research materials.
—
- [1] https://www.ironnet.com/blog/robin-banks-a-new-phishing-as-a-service-platform
- [2] https://www.ironnet.com/blog/robin-banks-still-might-be-robbing-your-bank-part-2