EN ES PT

Phishing Analysis

Detailed analysis of captured phishing page

Back to Stats

Captura Visual

Screenshot of roblox.com.py

Informações de Detecção

https://roblox.com.py/games/115790827621758/Game-Loader?privateServerLinkCode=92373029262230035677041060792855
Detected Brand
Roblox
Country
International
Confidence
100%
HTTP Status
200
Report ID
036e5ccc-ceb…
Analyzed
2026-01-27 23:53

Hashes de Conteúdo (Similaridade HTML)

Used to detect similar phishing pages based on HTML content

Algorithm Hash Value
CONTENT TLSH
T19E13DA72A120283761AFA3D5F515B70691D3E70ECB839BE2A2F463760AD9C31FD1341A
CONTENT ssdeep
768:eHXB1ly+QtF8uB1bykQPKrvrvEZ3RkWPvBRG8AEF9NpBxJ8m8:eHXB1lybtF5B13jMpRXZ9NTxJ8m8

Hashes Visuais (Similaridade de Captura)

Used to detect visually similar phishing pages based on screenshots

Algorithm Hash Value
VISUAL pHash
b03057cece2c7569
VISUAL aHash
c7c7c3c7fffffffe
VISUAL dHash
ae1e9e1e221a31c4
VISUAL wHash
42c7c3c7ffff0000
VISUAL colorHash
07007000080
VISUAL cropResistant
ae1e9e1e221a31c4,171f1b1b17065555

Análise de Código

Risk Score 100/100
Threat Level ALTO
⚠️ Phishing Confirmed
🎣 Credential Harvester 🎣 OTP Stealer 🎣 Card Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Ameaça: Falsificação de jogo Roblox e kit de phishing para roubo de credenciais
• Alvo: Usuários do Roblox
• Método: Apresenta uma página falsa de jogos Roblox com potencial para roubo de credenciais por meio de formulários falsos.
• Exfil: Provavelmente está a tentar roubar as credenciais do usuário ou informações relacionadas ao jogo.
• Indicadores: Domínio não oficial (roblox.com.py), potencial para formulários falsos e imitação do site Roblox.
• Risco: ALTO - Risco de roubo de credenciais e possível comprometimento de contas Roblox.

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

  • atob
  • eval
  • fromCharCode
  • unescape
  • hex_escape
  • unicode_escape
  • base64_strings

🎯 Kit Endpoints

  • /catalog
  • /login?returnUrl=5405063603844235
  • https://roblox.com.py/info/blog?locale=en_us
  • https://roblox.com.py/catalog?CatalogContext=1&Keyword=

📡 API Calls Detected

  • GET
  • https://en.help.roblox.com/hc/articles/7997207259156
  • get
  • POST
  • https://ro.blox.com/Ebh5?pid=experiencestart_mobileweb&is_retargeting=false&af_dp=
  • https://apis.

📤 Form Action Targets

  • /search

📊 Detalhamento da Pontuação de Risco

Total Risk Score
100/100

Contributing Factors

Active Phishing Kit
Detected Credential Harvester, OTP Stealer, Card Stealer, and Personal Info harvesting kits with real-time form interception capabilities.
Domain Impersonation
Domain 'roblox.com.py' mimics the official Roblox domain ('roblox.com') using a typosquatting technique with a country-code top-level domain (ccTLD).
Obfuscation Techniques
258 obfuscation techniques detected in JavaScript files, indicating deliberate evasion of static analysis and manual inspection.
Malicious JavaScript Files
Large JavaScript files (3.4 MB total) with no legitimate purpose, likely containing malicious payloads for credential and data harvesting.

🔬 Análise Integral de Ameaças

Tipo de Ameaça
Banking Credential Harvester
Alvo
Roblox users (International)
Método de Ataque
Brand impersonation + credential harvesting forms + obfuscated JavaScript
Canal de Exfiltração
HTTP POST to backend
Avaliação de Risco
CRITICAL - Automated credential harvesting with HTTP POST to backend

⚠️ Indicators of Compromise

  • Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
  • 258 obfuscation techniques

🏢 Análise de Falsificação de Marca

Impersonated Brand
Roblox
Official Website
https://www.roblox.com
Fake Service
Fake Roblox game loader with private server access

⚔️ Metodologia de Ataque

Primary Method: Credential Harvesting

The phishing kit is designed to capture Roblox account credentials by presenting a fake login form. The form likely intercepts user inputs in real-time and transmits them to a remote server controlled by the attacker.

Secondary Method: Personal Information Theft

In addition to credentials, the kit includes modules for harvesting personal information such as email addresses, phone numbers, and payment details, which can be used for further exploitation or sold on underground markets.

🌐 Indicadores de Compromisso de Infraestrutura

Domain Information

Domain
roblox.com.py
Registered
Unknown
Registrar
None
Status
Age unknown

🦠 Malicious Files

Main File
File Size

Large JavaScript file containing obfuscated code for credential harvesting and personal information theft.

📊 Diagrama de Fluxo de Ataque

┌──────────────────────────────────────────────────────────┐
│ 1. VICTIM RECEIVES PHISHING LURE                          │
│    - Email/SMS with fake Roblox offer or alert            │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. VICTIM CLICKS MALICIOUS LINK                           │
│    - Redirects to fake Roblox login page                 │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL HARVESTING                                  │
│    - Victim enters username/password in fake form         │
│    - Form captures input                                  │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA EXFILTRATION                                      │
│    - Credentials sent via HTTP POST to attacker server    │
└──────────────────────────────────────────────────────────┘

🔬 JavaScript Deep Analysis

Operator Language
English (1%)
Total Code Size
3,4 MB

🔗 API Endpoints Detected

Other
108

🔐 Obfuscation Detected

  • : None
  • : None
  • : Light
  • : Heavy
  • : None
  • : None
  • : Light
  • : None
  • : None
  • : Light
  • : Light
  • : Light
  • : None
  • : Light
  • : None
  • : Heavy
  • : None
  • : Heavy
  • : Heavy
  • : Light

🤖 AI-Extracted Threat Intelligence

📊 Attack Flow

┌──────────────────────────────────────────────────────────┐
│ 1. VICTIM RECEIVES PHISHING LURE                          │
│    - Email/SMS with fake Roblox offer or alert            │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. VICTIM CLICKS MALICIOUS LINK                           │
│    - Redirects to fake Roblox login page                 │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL HARVESTING                                  │
│    - Victim enters username/password in fake form         │
│    - Form captures input                                  │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA EXFILTRATION                                      │
│    - Credentials sent via HTTP POST to attacker server    │
└──────────────────────────────────────────────────────────┘

🎯 Malicious Files Identified

Similar Websites

Pages with identical visual appearance (based on perceptual hash)

Screenshot
Roblox
https://roblox.com.ly/games/71062734985098/Untitled-Game?pri...
Mar 24, 2026

Scan History for roblox.com.py

Found 10 other scans for this domain

😰
"Nunca pensei que aconteceria comigo"
Isso dizem os 2,3 milhões de vítimas a cada ano. Não espere para ser uma estatística.