A PhaaS platform, Robin Banks, offered phishing kits on the dark web


Recent dark web investigations have uncovered a phishing-as-a-service (PhaaS) platform, dubbed Robin Banks, whose operators offer ready-made phishing kits that help their clients pose as financial institutions and other well-known brands to target victims.

Hackers could choose from numerous organisations to impersonate on the PhaaS platform, including popular ones like Netflix, Capital One, Wells Fargo, Citibank, and T-Mobile. The first detected Robin Banks campaign was in June and targeted victims through text and email messages.


Robin Banks was designed as a PhaaS platform to craft high-quality phishing sites that target the customers of large financial institutions and other well-known companies.


Interested customers could choose between two service tiers: access to a single page for $50 per month, or access to all pages and templates for $200 per month. Both tiers come with 24/7 support for the clients.

Subscribing to the service gives clients a personal dashboard with operational reports, a page creator, wallet management, and further options for designing a customised phishing website. Clients could also add CAPTCHA tools or a user agent string checker that could specifically block an individual or an entity from the campaigns.

The researchers also compared Robin Banks with two other, more expensive PhaaS platforms, 16Shop and BulletProftLink, explaining that Robin Banks has a more sophisticated and user-friendly open-source CMS. Many threat actors were won over by the advantages of Robin Banks, making the platform one of the most popular PhaaS services.

In one observed campaign, a threat actor used Robin Banks to target Citibank customers through a phishing message warning them about a suspicious transaction on their card. Once the victim reaches the phishing website that masquerades as Citibank, they are asked for sensitive details, which the threat operators collect.

After the details have been provided on the phishing site's forms, two tokens from a POST request are sent, one to the operators and one to the victim. The operators could view all the stolen data on the platform's dashboard.

The threat of phishing attacks will likely linger as long as threat actors continue to devise ways to propagate them. Users are therefore warned to be wary of suspicious text and email messages they receive and to verify the legitimacy of a webpage before entering sensitive information.
