Phishing Analysis: Roblox

Visual Capture

Detection Info

http://www.roblox.com.kz/users/316088579/profile/

Detected Brand

Roblox

Country

International

Confidence

100%

HTTP Status

200

Report ID

0009e7a2-ac9…

Analyzed

2026-01-25 23:55

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T19593B8B29251243320BFB1D5F1297709A2D3D74EC68287D1E2FCA36B1ED6CA1F817856
CONTENT ssdeep	1536:u8QXWnSravouOssorJBPmzzXXMd6MiucCOK:1QXWdvouOOTmzzXXMd6M1cCOK

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	b31363936ccccc9c
VISUAL aHash	0000e3dbffffffc3
VISUAL dHash	c8c80e3638002606
VISUAL wHash	000042c3dfffdfc3
VISUAL colorHash	07200008280
VISUAL cropResistant	c8c80e3638002606,46c6073f5d2d33f1

Code Analysis

Risk Score 100/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Card Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Threat: Credential harvesting phishing kit
• Target: Roblox users
• Method: Fake login form stealing user credentials
• Exfil: Data sent via JavaScript form submission
• Indicators: Unusual TLD, obfuscated JavaScript, domain mismatch
• Risk: HIGH - Immediate credential theft

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

atob
eval
fromCharCode
unescape
hex_escape
unicode_escape
js_packer
base64_strings

🎯 Kit Endpoints

https://www.roblox.com/info/blog?locale=en_us
/catalog
/login?returlUrl=316088579
https://www.roblox.com/catalog?CatalogContext=1&Keyword=
/login?returnUrl=

📡 API Calls Detected

GET
https://apis.
POST
get
https://help.roblox.com/hc/articles/30428367965460
https://ro.blox.com/Ebh5?

📤 Form Action Targets

/search

📊 Risk Score Breakdown

Total Risk Score

100/100

Contributing Factors

Active Phishing Kit

Detected Credential Harvester, OTP Stealer, Card Stealer, and Personal Info kits with real-time form interception capabilities.

Domain Impersonation

Domain www.roblox.com.kz mimics the official Roblox domain (roblox.com) using a misleading TLD (.kz) and subdomain structure.

Obfuscation Techniques

824 obfuscation techniques detected in JavaScript files, indicating deliberate evasion of static analysis.

Malicious JavaScript Payload

Three large JavaScript files (total 3.77 MB) with no legitimate functionality identified, consistent with credential harvesting and data exfiltration.

🔬 Comprehensive Threat Analysis

Threat Type

Banking Credential Harvester

Target

Roblox users (International)

Attack Method

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Exfiltration Channel

HTTP POST to backend

Risk Assessment

CRITICAL - Automated credential harvesting with HTTP POST to backend

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
824 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand

Roblox

Official Website

https://www.roblox.com

Fake Service

Fake Roblox user profile and login portal

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The phishing page presents a fake Roblox login form with 'Email' and 'Password' fields. Submitted credentials are intercepted in real-time via JavaScript and exfiltrated to an attacker-controlled server for account takeover.

Secondary Method: Personal Information Theft

Additional form fields or prompts may be dynamically loaded to capture personal details such as full name, date of birth, or payment information, enabling further fraud or identity theft.