ROBLOX PHISHING CAMPAIGN

    Date: 11/06/2024

    Severity: Medium

    Summary

    A Roblox phishing campaign has been targeting users through at least 19 active domains, some of which have been registered for months or even years. The domains are mostly lookalikes of roblox.com under country-code TLDs (for example roblox.com.kz or roblox.ge) or hyphenated imitations of the address bar (for example https-vwww-roblox.com), and they host pages built to steal Roblox login credentials. Each page shows a fake CAPTCHA only after the user has submitted credentials, so the flow looks like a normal login with a verification step and the victim has little reason to suspect the credentials were just harvested. The IOC list also includes two hosts under wakura.lu and an authentication endpoint on one of them that were observed as part of the campaign infrastructure.

    Indicators of Compromise (IOC) List

    URL/Domains

    roblofx.com

    robloxi.com.kz

    roblox.com.sb

    https-vwww-roblox.com

    roblox.com.hn

    roblox.com.ni

    roblox.ge

    web-www-roblox.com

    roblox.com.kz

    roblox.com.by

    wvyw-roblox.com

    roblox.tg

    roblox.com.zm

    roblox.gr.com

    httpps-wvw-roblox.com

    roblox.com.kg

    roblox.et

    roblox.fo

    robloxx.com.kz

    api.wakura.lu

    app.wakura.lu

    https://api.wakura.lu/v3/authentication

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "roblofx.com" or url like "roblofx.com" or
    userdomainname like "robloxi.com.kz" or url like "robloxi.com.kz" or
    userdomainname like "roblox.com.sb" or url like "roblox.com.sb" or
    userdomainname like "https-vwww-roblox.com" or url like "https-vwww-roblox.com" or
    userdomainname like "roblox.com.hn" or url like "roblox.com.hn" or
    userdomainname like "roblox.com.ni" or url like "roblox.com.ni" or
    userdomainname like "roblox.ge" or url like "roblox.ge" or
    userdomainname like "web-www-roblox.com" or url like "web-www-roblox.com" or
    userdomainname like "roblox.com.kz" or url like "roblox.com.kz" or
    userdomainname like "roblox.com.by" or url like "roblox.com.by" or
    userdomainname like "wvyw-roblox.com" or url like "wvyw-roblox.com" or
    userdomainname like "roblox.tg" or url like "roblox.tg" or
    userdomainname like "roblox.com.zm" or url like "roblox.com.zm" or
    userdomainname like "roblox.gr.com" or url like "roblox.gr.com" or
    userdomainname like "httpps-wvw-roblox.com" or url like "httpps-wvw-roblox.com" or
    userdomainname like "roblox.com.kg" or url like "roblox.com.kg" or
    userdomainname like "roblox.et" or url like "roblox.et" or
    userdomainname like "roblox.fo" or url like "roblox.fo" or
    userdomainname like "robloxx.com.kz" or url like "robloxx.com.kz" or
    userdomainname like "api.wakura.lu" or url like "api.wakura.lu" or
    userdomainname like "app.wakura.lu" or url like "app.wakura.lu" or
    userdomainname like "https://api.wakura.lu/v3/authentication" or url like "https://api.wakura.lu/v3/authentication"

    Every indicator should appear in both a userdomainname clause and a url clause; the original query omitted the url clause for roblox.fo, which is restored above.
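    The query above matches the indicators as text. For teams that want to run the same IOC list over raw proxy or web logs outside of TDIR, the following added example (written for this page, not Gurucul or Unit 42 code) shows the same detection done on the parsed hostname instead of a substring: a host is flagged when it equals an IOC domain or is a subdomain of one, so www.roblox.ge is caught while the legitimate www.roblox.com is not. The log format, user names and IP addresses are constructed for the example, and labelling a request to https://api.wakura.lu/v3/authentication as the credential-submission stage is an assumption drawn from its path, not a statement from the advisory. The block also regenerates the Gurucul query from the list so every indicator gets both clauses.

```python
"""Match proxy/web log lines against the Roblox phishing IOC list (added example)."""
from urllib.parse import urlsplit

# IOC domains copied from the advisory's list.
IOC_DOMAINS = frozenset({
    "roblofx.com", "robloxi.com.kz", "roblox.com.sb", "https-vwww-roblox.com",
    "roblox.com.hn", "roblox.com.ni", "roblox.ge", "web-www-roblox.com",
    "roblox.com.kz", "roblox.com.by", "wvyw-roblox.com", "roblox.tg",
    "roblox.com.zm", "roblox.gr.com", "httpps-wvw-roblox.com", "roblox.com.kg",
    "roblox.et", "roblox.fo", "robloxx.com.kz", "api.wakura.lu", "app.wakura.lu",
})
# Full-URL IOC from the advisory. Treating it as the credential-submission
# endpoint is an assumption based on its path.
IOC_URL_PREFIXES = ("https://api.wakura.lu/v3/authentication",)

# Constructed sample log: timestamp user src_ip method url status
SAMPLE_LOG = """\
2024-11-06T09:12:01Z alice 10.1.2.3 GET https://www.roblox.com/login 200
2024-11-06T09:13:44Z bob 10.1.2.9 GET https://roblox.com.kz/login 200
2024-11-06T09:13:52Z bob 10.1.2.9 POST https://api.wakura.lu/v3/authentication 200
2024-11-06T09:15:10Z carol 10.1.2.14 GET http://www.roblox.ge/ 301
2024-11-06T09:16:00Z dave 10.1.2.20 GET https://create.roblox.com/ 200
"""


def hostname_of(url_or_host):
    """Return the lowercase hostname of a URL or bare host, without port or trailing dot."""
    s = url_or_host.strip().lower()
    if "://" not in s:
        s = "//" + s  # let urlsplit treat a bare host[:port][/path] as a netloc
    return (urlsplit(s).hostname or "").rstrip(".")


def matching_ioc(url_or_host):
    """Return the IOC domain the host equals or is a subdomain of, else None.

    Walking the label suffixes means www.roblox.ge matches roblox.ge, while
    www.roblox.com never matches because roblox.com is not in the list.
    """
    host = hostname_of(url_or_host)
    if not host:
        return None
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_log(log_text):
    """Return one hit per log line whose URL host matches an IOC domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, user, src_ip, _method, url = parts[:5]
        ioc = matching_ioc(url)
        if ioc is None:
            continue
        # A request to the authentication endpoint is the stronger signal:
        # the victim most likely submitted credentials already.
        stage = "credential_post" if url.lower().startswith(IOC_URL_PREFIXES) else "phishing_page"
        hits.append({"time": ts, "user": user, "src_ip": src_ip,
                     "url": url, "ioc": ioc, "stage": stage})
    return hits


def gurucul_query(domains=IOC_DOMAINS, urls=IOC_URL_PREFIXES):
    """Build the TDIR query from the IOC list so every indicator gets both clauses."""
    terms = [f'userdomainname like "{ioc}" or url like "{ioc}"'
             for ioc in sorted(domains) + list(urls)]
    return " or ".join(terms)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['user']} {hit['src_ip']} {hit['stage']:<15} {hit['ioc']:<22} {hit['url']}")
    print(gurucul_query())
```

    Users with a credential_post hit should be treated as compromised (reset the Roblox password and revoke sessions), while a phishing_page hit alone may only mean the page was loaded and not submitted.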

    Reference: 

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-11-05-Roblox-phishing-campaign.txt 

    Tags

    Malware, Phishing, Roblox, Credential Theft, TLD, Credential Harvesting
