Phishing Analysis: Roblox

Captura Visual

Información de Detección

https://robiox.com.af/games/85966125008822/Untitled-Game?privateServerLinkCode=20571888870702570683313096754436

Detected Brand

Roblox

Country

International

Confidence

100%

HTTP Status

200

Report ID

52a14b58-776…

Analyzed

2026-03-19 05:12

Hashes de Contenido (Similitud HTML)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1C403C872A1206C3761AFA3D6F515B70691D3E70ECB8257E2A1F863760AD9C31FD1341A
CONTENT ssdeep	768:slXB1LyzQBaguqNbygvBRB8A7F9NpBxJ8m8:slXB1LykBa1qN3Xh9NTxJ8m8

Hashes Visuales (Similitud de Captura)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	b032338bcdcccd4d
VISUAL aHash	c7c7c3dffffffffe
VISUAL dHash	8c8f0e361a0051d4
VISUAL wHash	46c7c3c7dfff0000
VISUAL colorHash	07007000040
VISUAL cropResistant	8c8f0e361a0051d4,3803226365340a04

Análisis de Código

Risk Score 100/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Card Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Amenaza: Suplantación/Phishing
• Objetivo: Usuarios de Roblox
• Método: Suplantación de dominio y replicación de la interfaz de usuario
• Exfil: Desconocido, detección de envío de formularios
• Indicadores: Discordancia de dominio, javascript ofuscado, intentos de parecerse al sitio Roblox
• Riesgo: ALTO

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

atob
eval
fromCharCode
unescape
hex_escape
unicode_escape
base64_strings

🎯 Kit Endpoints

/login?returnUrl=3287289277861444
https://robiox.com.af/info/blog?locale=en_us
/catalog
https://robiox.com.af/catalog?CatalogContext=1&Keyword=

📡 API Calls Detected

https://en.help.roblox.com/hc/articles/7997207259156
get
POST
GET
https://ro.blox.com/Ebh5?pid=experiencestart_mobileweb&is_retargeting=false&af_dp=
https://apis.

📤 Form Action Targets

/search

📊 Desglose de Puntuación de Riesgo

Total Risk Score

90/100

Contributing Factors

Domain Mismatch

The domain is a clear typo of the official Roblox domain, indicating an attempt to deceive.

Obfuscated JavaScript

The presence of obfuscated JavaScript code indicates that the site is actively trying to hide its malicious intent.

Recent Domain

The domain age is less than 90 days.

Impersonation

The site's visual design closely mimics the legitimate Roblox website, increasing the likelihood of users being deceived.

🔬 Análisis Integral de Amenazas

Tipo de Amenaza

Banking Credential Harvester

Objetivo

Roblox users (International)

Método de Ataque

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Canal de Exfiltración

HTTP POST to backend

Evaluación de Riesgo

CRITICAL - Automated credential harvesting with HTTP POST to backend

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
180 obfuscation techniques

🏢 Análisis de Suplantación de Marca

Impersonated Brand

Roblox

Official Website

https://www.roblox.com/

Fake Service

Roblox Website

⚔️ Metodología de Ataque

Primary Method: Credential Harvesting

The attacker likely aims to steal Roblox account credentials through a fake login page, harvesting the information. The presence of form actions extracted points to this.

Secondary Method: Malware Distribution

The site potentially redirects the users to another page with a malicious file for download after stealing their credentials. The obfuscated Javascript might be involved in this redirection.