Phishing Analysis
Detailed analysis of captured phishing page
Visual Capture
Detection Info
https://roblox.com.kz/login?returnUrl=241551989
Detected Brand
Roblox
Country
International
Confidence
100%
HTTP Status
200
Report ID
28a9e2e8-457โฆ
Analyzed
2026-02-14 00:06
Content Hashes (HTML Similarity)
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T16613957164682933432B46DBF0B7AF1AB1D3C64CCA431891AAFC53ED4BDBC72E646446 |
|
CONTENT
ssdeep
|
384:XjX5LthI6lNrDuYWOfaZMWEiNu7lnEF1/1g85cgX3JUnpTSMNo4QJPGN4UJNFN4e:XjX55hBWCAuyF9yi3X+np6QPyzAdE4 |
Visual Hashes (Screenshot Similarity)
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
8c8d6ae283acb57a |
|
VISUAL
aHash
|
5b181a3b0ce2181c |
|
VISUAL
dHash
|
b3f332f2b88e3370 |
|
VISUAL
wHash
|
df191e7b0ce2183c |
|
VISUAL
colorHash
|
39401008040 |
|
VISUAL
cropResistant
|
b3f332f2b88e3370 |
Code Analysis
Risk Score
100/100
Threat Level
ALTO
โ ๏ธ Phishing Confirmed
๐ฃ Credential Harvester
๐ฃ OTP Stealer
๐ฃ Card Stealer
๐ฃ Banking
๐ฃ Personal Info
WebSocket C2
๐ฌ Threat Analysis Report
โข Threat: Phishing
โข Target: Roblox users
โข Method: Impersonation via look-alike login page
โข Exfil: Potentially user credentials (username/email/password)
โข Indicators: Suspicious domain, forms, and close visual imitation.
โข Risk: High
๐ Obfuscation Detected
- atob
- eval
- fromCharCode
- unescape
- hex_escape
- unicode_escape
- base64_strings
๐ฏ Kit Endpoints
- /login/securityNotification
- /info/blog?locale=en_us
- https://roblox.com.kz/catalog?CatalogContext=1&Keyword=
- https://www.roblox.com/NewLogin
- https://roblox.com.kz/api/login
- /login?returnUrl=241551989
- https://roblox.com.kz/develop/library?CatalogContext=2&Category=6&Keyword=
- https://www.roblox.com/login/forgot-password-or-username
๐ก API Calls Detected
- /api/ws-log.php
- https://www.google.com/ccm/geo
- GET
- POST
- https://ro.blox.com/Ebh5?pid=share&is_retargeting=true&af_dp=
๐ Risk Score Breakdown
Total Risk Score
90/100
Contributing Factors
Suspicious TLD
The .kz TLD is not common for Roblox, indicating a potential phishing attempt.
Forms Present
Login forms are a common target for phishing attacks.
Impersonation
The page closely mimics the official Roblox login page.
๐ฌ Comprehensive Threat Analysis
Threat Type
Banking Credential Harvester
Target
Roblox users (International)
Attack Method
Brand impersonation + credential harvesting forms + real-time WebSocket exfiltration + obfuscated JavaScript
Exfiltration Channel
WebSocket (1 endpoints)
Risk Assessment
CRITICAL - Automated credential harvesting with WebSocket (1 endpoints)
โ ๏ธ Indicators of Compromise
- Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
- 292 obfuscation techniques
๐ข Brand Impersonation Analysis
Impersonated Brand
Roblox
Official Website
roblox.com
Fake Service
Login
โ๏ธ Attack Methodology
Primary Method: Credential Harvesting
The attacker aims to steal Roblox account credentials by presenting a fake login form that mimics the appearance of the legitimate Roblox login.
๐ Infrastructure Indicators of Compromise
๐ฆ Malicious Files
Main File
772034db167d3f4260047db4a7f2b8a58cf448709327013541e47c8962b6e556.js
File Size
Functions: submitForm()
๐ Attack Flow Diagram
User fills <input name='username'> โ submitForm() โ fetch('https://roblox.com.kz/api/login') โ credentials sent to server
๐ฌ JavaScript Deep Analysis
Operator Language
English (1%)
Total Code Size
1.5ย MB
๐ API Endpoints Detected
Other
30
๐ Obfuscation Detected
- : Light
- : Moderate
- : Moderate
- : None
- : None
- : Moderate
- : Light
- : None
- : None
- : None
- : Light
- : Light
- : Light
- : Light
- : Light
- : Moderate
- : Moderate
- : Heavy
- : Light
๐ค AI-Extracted Threat Intelligence
๐ Attack Flow
User fills <input name='username'> โ submitForm() โ fetch('https://roblox.com.kz/api/login') โ credentials sent to server
๐ฏ Malicious Files Identified
Main Drainer
772034db167d3f4260047db4a7f2b8a58cf448709327013541e47c8962b6e556.jsFile Size
45KB
Malicious Functions
submitForm()
Similar Websites
Pages with identical visual appearance (based on perceptual hash)
Roblox
https://robloxr.cv/login?returlUrl=7048358411
Apr 01, 2026
Roblox
https://roblox.com.kz/login?returnUrl=10314186141
Mar 31, 2026
Roblox
https://robloxt.cv/login?returlUrl=192245539
Mar 20, 2026
Roblox
http://www.roblox.com.kz/login?returnUrl=241551989
Mar 18, 2026
Roblox
https://robloxt.co/login?returlUrl=316088579
Mar 02, 2026
Scan History for roblox.com.kz
Found 10 other scans for this domain
-
http://roblox.com.kz/users/148545229/profile
http://roblox.com.kz/users/77847908/profile
http://roblox.com.kz/users/610068118/profile
http://roblox.com.kz/users/346442339/profile
http://roblox.com.kz/users/441311283/profile
http://roblox.com.kz/users/112610331/profile
http://roblox.com.kz/users/454211500/profile
http://roblox.com.kz/users/277299660/profile
http://roblox.com.kz/users/630412925/profile%60%60...
http://roblox.com.kz/users/430029405/profile
"I Never Thought It Would Happen to Me"
That's what 2.3 million victims say every year. Don't wait to become a statistic.