A phishing-as-a-service (PhaaS) platform known as Robin Banks has relocated its attack infrastructure to DDoS-Guard, a Russian provider of bulletproof hosting services.

The switch comes after “Cloudflare disassociated Robin Banks phishing infrastructure from its services, causing a multi-day disruption to operations,” according to a report from cybersecurity company IronNet.

Robin Banks was first documented in July 2022, when it was revealed that the platform offers ready-made phishing kits to criminal actors, making it possible to steal the financial information of customers of popular banks and other online services.

It was also found to prompt users to enter Google and Microsoft credentials on rogue landing pages, suggesting an attempt on the part of the malware authors to monetize initial access to corporate networks for post-exploitation activities such as espionage and ransomware.

In recent months, Cloudflare’s decision to blocklist the platform’s infrastructure in the wake of public disclosure has prompted the Robin Banks actor to move its frontend and backend to DDoS-Guard, which has in the past hosted the alt-tech social network Parler and the notorious Kiwi Farms.

