2024-11-05-Roblox-phishing-campaign.txt

2024-11-05 (TUESDAY): ROBLOX PHISHING CAMPAIGN

AUTHORS:

- Peng Peng, Joey Allen

REFERENCES:

- https://www.linkedin.com/posts/unit42_phishing-activity-7260079529208000512-cUk0/
- https://x.com/Unit42_Intel/status/1854313903594848483

NOTES:

- We've identified at least 19 domains that have remain active in a phishing campaign targeting Roblox users.
- Some of these domains have been active for months or years.
- Most of these domains use various country code Top-Level Domain (TLD) names.
- These domains host phishing pages to steal Roblox account credentials.
- These pages incorporate captchas that mimic the login process to appear legitimate.
- The captchas only appear after valid Roblox login credentials are used on the phishing page.

DOMAINS FOR ROBLOX PHISHING WEBSITES:

- httpps-wvw-roblox[.]com
- https-vwww-roblox[.]com
- roblofx[.]com
- roblox[.]com[.]by
- roblox[.]com[.]hn
- roblox[.]com[.]kg
- roblox[.]com[.]kz
- roblox[.]com[.]ni
- roblox[.]com[.]sb
- roblox[.]com[.]zm
- roblox[.]et
- roblox[.]fo
- roblox[.]ge
- roblox[.]gr[.]com
- roblox[.]tg
- robloxi[.]com[.]kz
- robloxx[.]com[.]kz
- web-www-roblox[.]com
- wvyw-roblox[.]com

DOMAINS FOR SERVERS HOSTING JAVASCRIPT AND CAPTURING LOGIN CREDENTIALS:

- api.wakura[.]lu
- app.wakura[.]lu

EXAMPLE OF HTTP POST REQUEST THAT EXFILTRATES LOGIN CREDENTIALS:

- hxxps[:]//api.wakura[.]lu/v3/authentication