The ever-evolving world of cybercrime has given birth to a disturbing phenomenon – Phishing-as-a-Service (PhaaS), and one name that sends shivers down the spines of cybersecurity experts is Strox.
The tale of Strox begins in the first half of 2022 when Fortra, a cybersecurity organization, first detected a surge in fraudulent activities stemming from various PhaaS operations.
These services serve as a one-stop-shop for cybercriminals, offering everything from advanced phishing kits to hosting services, mail spam scripts, and even a marketplace for selling stolen credentials.
Strox, or Strox[.]su or Strox Pages, is a standout player in the PhaaS landscape. This dangerous platform has operated since June 2021, initially imitating eleven US financial institutions.
However, Fortra’s investigations revealed a more extensive history, with Strox-linked campaigns dating back to November 2021.
What sets Strox apart is its customization feature. It allows cybercriminals to create phishing campaigns targeting any brand by editing images and text, making it a versatile tool for fraud actors.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
The Phishing Kits
A cornerstone of Strox’s operation is its collection of phishing kits. However, it’s important to note that many of these kits are not original creations by Strox.
Instead, they modify popular phishing kits to incorporate advanced live phishing features. Spotting Strox indicators in phishing URLs may not confirm that the attack is directly linked to the service.
Currently, Strox offers twelve phishing kits, each priced at $90 USD. Purchasing equipment includes a unique API key, guaranteeing the buyer ongoing development and updates, including content and antibot information.
Customers can preview demo phishing pages before making their selection. What’s striking is the auto-translation feature, ensuring the phishing content aligns with the victim’s browser language, covering over 230 languages.
Real-time Phishing Operations
One of the key features of Strox’s offering is the real-time admin panel that allows threat actors to control and monitor their attacks.
This live panel provides insights into how many people view the phishing content and their actions.
It’s also employed in man-in-the-middle attacks to obtain two-factor authentication codes and bypass additional security checks.
Notably, when threat actors are unavailable to monitor the attacks, they can set them to a dormant state to avoid detection during unproductive times.
Strox also handles the exfiltration of stolen credentials through a centralized Telegram bot, ensuring encrypted communication and providing a marketplace for selling these ill-gotten credentials.
Strox stands out by offering to set up hosting infrastructure for its users, a service that most other PhaaS platforms do not provide.
They offer bulletproof hosting of a cPanel installation for $3 a day, with features like a 30-day “No ‘Red Flag’ Guarantee,” unlimited bandwidth, DDoS protection, and HTTPS SSL Certification.
However, Strox remains hands-off regarding domain registration, requiring users to register their domains to avoid detection from anti-phishing processes.
The choice of a “bulletproof” host has evolved over time. Initially, Strox used VPS installations on Digital Ocean servers.
By the fourth quarter of 2022, they had shifted to Ponytech, FranTech Solutions, and Russian provider Dolgova Alena Andreevna.
In 2023, some Strox servers have been discovered behind CloudFlare’s DDoS protection services, while others continue to use hosting providers from 2022.
Phishing Made Easy with Strox
Strox aspires to be a one-stop shop for phishing threat actors.
They offer various materials to facilitate phishing campaigns, including phishing email lures, target email lists, and PHP mailing scripts ready to be installed on Strox cPanel setups.
They even provide more advanced SMS phishing services, allowing smishing lures to be sent to victims in the United States and Canada across all carriers.
What’s alarming is the pattern of increased Strox-linked phishing campaigns during the second quarter of each year.
Strox has celebrated its anniversaries in both June 2022 and 2023 with sales events.
Fortra has noticed heightened campaign activity in the months preceding and following these anniversaries, indicating a potential relationship between the sales and cyberattacks.
The rise of Strox illustrates the audacity and adaptability of cybercriminals. While cybersecurity experts continue their battle against these threats, Strox and PhaaS operations like it remain a daunting challenge, serving as a stark reminder of the ongoing struggle to secure the digital world.