Phishing-as-a-Service Strox Lets Hackers Phish any Brand by Submitting its Logo

The ever-evolving world of cybercrime has given birth to a disturbing phenomenon – Phishing-as-a-Service (PhaaS), and one name that sends shivers down the spines of cybersecurity experts is Strox. 

The tale of Strox begins in the first half of 2022 when Fortra, a cybersecurity organization, first detected a surge in fraudulent activities stemming from various PhaaS operations. 

These services serve as a one-stop-shop for cybercriminals, offering everything from advanced phishing kits to hosting services, mail spam scripts, and even a marketplace for selling stolen credentials.

Strox, or Strox[.]su or Strox Pages, is a standout player in the PhaaS landscape. This dangerous platform has operated since June 2021, initially imitating eleven US financial institutions. 

However, Fortra’s investigations revealed a more extensive history, with Strox-linked campaigns dating back to November 2021.

What sets Strox apart is its customization feature. It allows cybercriminals to create phishing campaigns targeting any brand by editing images and text, making it a versatile tool for fraud actors.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

The Phishing Kits

A cornerstone of Strox’s operation is its collection of phishing kits. However, it’s important to note that many of these kits are not original creations by Strox. 

Instead, they modify popular phishing kits to incorporate advanced live phishing features. Spotting Strox indicators in phishing URLs may not confirm that the attack is directly linked to the service.

Currently, Strox offers twelve phishing kits, each priced at $90 USD. Purchasing equipment includes a unique API key, guaranteeing the buyer ongoing development and updates, including content and antibot information. 

Customers can preview demo phishing pages before making their selection. What’s striking is the auto-translation feature, ensuring the phishing content aligns with the victim’s browser language, covering over 230 languages.

Real-time Phishing Operations

One of the key features of Strox’s offering is the real-time admin panel that allows threat actors to control and monitor their attacks. 

This live panel provides insights into how many people view the phishing content and their actions. 

It’s also employed in man-in-the-middle attacks to obtain two-factor authentication codes and bypass additional security checks.

Notably, when threat actors are unavailable to monitor the attacks, they can set them to a dormant state to avoid detection during unproductive times. 

Strox also handles the exfiltration of stolen credentials through a centralized Telegram bot, ensuring encrypted communication and providing a marketplace for selling these ill-gotten credentials.

Automated log ad listing generated on a threat actor’s Telegram.

Strox stands out by offering to set up hosting infrastructure for its users, a service that most other PhaaS platforms do not provide. 

They offer bulletproof hosting of a cPanel installation for $3 a day, with features like a 30-day “No ‘Red Flag’ Guarantee,” unlimited bandwidth, DDoS protection, and HTTPS SSL Certification. 

However, Strox remains hands-off regarding domain registration, requiring users to register their domains to avoid detection from anti-phishing processes.

The choice of a “bulletproof” host has evolved over time. Initially, Strox used VPS installations on Digital Ocean servers. 

By the fourth quarter of 2022, they had shifted to Ponytech, FranTech Solutions, and Russian provider Dolgova Alena Andreevna.

In 2023, some Strox servers have been discovered behind CloudFlare’s DDoS protection services, while others continue to use hosting providers from 2022.

Phishing Made Easy with Strox

Strox aspires to be a one-stop shop for phishing threat actors. 

They offer various materials to facilitate phishing campaigns, including phishing email lures, target email lists, and PHP mailing scripts ready to be installed on Strox cPanel setups. 

They even provide more advanced SMS phishing services, allowing smishing lures to be sent to victims in the United States and Canada across all carriers.

What’s alarming is the pattern of increased Strox-linked phishing campaigns during the second quarter of each year. 

Strox has celebrated its anniversaries in both June 2022 and 2023 with sales events. 

Fortra has noticed heightened campaign activity in the months preceding and following these anniversaries, indicating a potential relationship between the sales and cyberattacks.

Strox group announcing their 2nd-anniversary promotion

The rise of Strox illustrates the audacity and adaptability of cybercriminals. While cybersecurity experts continue their battle against these threats, Strox and PhaaS operations like it remain a daunting challenge, serving as a stark reminder of the ongoing struggle to secure the digital world.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Sujatha

Recent Posts

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers and customers in Spain, Uruguay, and…

39 mins ago

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information that leads to the arrest and…

2 hours ago

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated cybercriminals to achieve its strategic goals,…

2 hours ago

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million IoT-enabled devices. Notably, ThroughTek Kalay's influence…

17 hours ago

Apple Has Terminated 370 Million+ Developer & Customer Accounts

The App Store will close over 370 million developer and customer accounts in 2023. Apple takes this move to fight…

23 hours ago

VirusTotal’s Crowdsourced AI Initiative to Analyze Macros With Word & Excel Files

VirusTotal has announced a major change to its Crowdsourced AI project: it has added a new AI model that can…

1 day ago