Phishing Analysis: Roblox

Visual Capture

Detection Info

https://robiox.com.af/games/85966125008822/Untitled-Game?privateServerLinkCode=20571888870702570683313096754436

Detected Brand

Roblox

Country

International

Confidence

100%

HTTP Status

200

Report ID

52a14b58-776…

Analyzed

2026-03-19 05:12

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1C403C872A1206C3761AFA3D6F515B70691D3E70ECB8257E2A1F863760AD9C31FD1341A
CONTENT ssdeep	768:slXB1LyzQBaguqNbygvBRB8A7F9NpBxJ8m8:slXB1LykBa1qN3Xh9NTxJ8m8

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	b032338bcdcccd4d
VISUAL aHash	c7c7c3dffffffffe
VISUAL dHash	8c8f0e361a0051d4
VISUAL wHash	46c7c3c7dfff0000
VISUAL colorHash	07007000040
VISUAL cropResistant	8c8f0e361a0051d4,3803226365340a04

Code Analysis

Risk Score 100/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Card Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Threat: Impersonation/Phishing
• Target: Roblox users
• Method: Domain spoofing and UI replication
• Exfil: Unknown, form submission detected
• Indicators: Domain mismatch, obfuscated javascript, attempts to look like the Roblox site
• Risk: HIGH

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

atob
eval
fromCharCode
unescape
hex_escape
unicode_escape
base64_strings

🎯 Kit Endpoints

/login?returnUrl=3287289277861444
https://robiox.com.af/info/blog?locale=en_us
/catalog
https://robiox.com.af/catalog?CatalogContext=1&Keyword=

📡 API Calls Detected

https://en.help.roblox.com/hc/articles/7997207259156
get
POST
GET
https://ro.blox.com/Ebh5?pid=experiencestart_mobileweb&is_retargeting=false&af_dp=
https://apis.

📤 Form Action Targets

/search

📊 Risk Score Breakdown

Total Risk Score

90/100

Contributing Factors

Domain Mismatch

The domain is a clear typo of the official Roblox domain, indicating an attempt to deceive.

Obfuscated JavaScript

The presence of obfuscated JavaScript code indicates that the site is actively trying to hide its malicious intent.

Recent Domain

The domain age is less than 90 days.

Impersonation

The site's visual design closely mimics the legitimate Roblox website, increasing the likelihood of users being deceived.

🔬 Comprehensive Threat Analysis

Threat Type

Banking Credential Harvester

Target

Roblox users (International)

Attack Method

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Exfiltration Channel

HTTP POST to backend

Risk Assessment

CRITICAL - Automated credential harvesting with HTTP POST to backend

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
180 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand

Roblox

Official Website

https://www.roblox.com/

Fake Service

Roblox Website

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The attacker likely aims to steal Roblox account credentials through a fake login page, harvesting the information. The presence of form actions extracted points to this.

Secondary Method: Malware Distribution

The site potentially redirects the users to another page with a malicious file for download after stealing their credentials. The obfuscated Javascript might be involved in this redirection.