Tuesday, November 12, 2024
HomeCyber Security NewsPhishing-as-a-Service Strox Lets Hackers Phish any Brand by Submitting its Logo

Phishing-as-a-Service Strox Lets Hackers Phish any Brand by Submitting its Logo

Published on

Malware protection

The ever-evolving world of cybercrime has given birth to a disturbing phenomenon – Phishing-as-a-Service (PhaaS), and one name that sends shivers down the spines of cybersecurity experts is Strox. 

The tale of Strox begins in the first half of 2022 when Fortra, a cybersecurity organization, first detected a surge in fraudulent activities stemming from various PhaaS operations. 

These services serve as a one-stop-shop for cybercriminals, offering everything from advanced phishing kits to hosting services, mail spam scripts, and even a marketplace for selling stolen credentials.

- Advertisement - SIEM as a Service

Strox, or Strox[.]su or Strox Pages, is a standout player in the PhaaS landscape. This dangerous platform has operated since June 2021, initially imitating eleven US financial institutions. 

However, Fortra’s investigations revealed a more extensive history, with Strox-linked campaigns dating back to November 2021.

What sets Strox apart is its customization feature. It allows cybercriminals to create phishing campaigns targeting any brand by editing images and text, making it a versatile tool for fraud actors.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

The Phishing Kits

A cornerstone of Strox’s operation is its collection of phishing kits. However, it’s important to note that many of these kits are not original creations by Strox. 

Instead, they modify popular phishing kits to incorporate advanced live phishing features. Spotting Strox indicators in phishing URLs may not confirm that the attack is directly linked to the service.

Currently, Strox offers twelve phishing kits, each priced at $90 USD. Purchasing equipment includes a unique API key, guaranteeing the buyer ongoing development and updates, including content and antibot information. 

Customers can preview demo phishing pages before making their selection. What’s striking is the auto-translation feature, ensuring the phishing content aligns with the victim’s browser language, covering over 230 languages.

Real-time Phishing Operations

One of the key features of Strox’s offering is the real-time admin panel that allows threat actors to control and monitor their attacks. 

This live panel provides insights into how many people view the phishing content and their actions. 

It’s also employed in man-in-the-middle attacks to obtain two-factor authentication codes and bypass additional security checks.

Notably, when threat actors are unavailable to monitor the attacks, they can set them to a dormant state to avoid detection during unproductive times. 

Strox also handles the exfiltration of stolen credentials through a centralized Telegram bot, ensuring encrypted communication and providing a marketplace for selling these ill-gotten credentials.

Automated log ad listing generated on a threat actor’s Telegram.
Automated log ad listing generated on a threat actor’s Telegram.

Strox stands out by offering to set up hosting infrastructure for its users, a service that most other PhaaS platforms do not provide. 

They offer bulletproof hosting of a cPanel installation for $3 a day, with features like a 30-day “No ‘Red Flag’ Guarantee,” unlimited bandwidth, DDoS protection, and HTTPS SSL Certification. 

However, Strox remains hands-off regarding domain registration, requiring users to register their domains to avoid detection from anti-phishing processes.

The choice of a “bulletproof” host has evolved over time. Initially, Strox used VPS installations on Digital Ocean servers. 

By the fourth quarter of 2022, they had shifted to Ponytech, FranTech Solutions, and Russian provider Dolgova Alena Andreevna.

In 2023, some Strox servers have been discovered behind CloudFlare’s DDoS protection services, while others continue to use hosting providers from 2022.

Phishing Made Easy with Strox

Strox aspires to be a one-stop shop for phishing threat actors. 

They offer various materials to facilitate phishing campaigns, including phishing email lures, target email lists, and PHP mailing scripts ready to be installed on Strox cPanel setups. 

They even provide more advanced SMS phishing services, allowing smishing lures to be sent to victims in the United States and Canada across all carriers.

What’s alarming is the pattern of increased Strox-linked phishing campaigns during the second quarter of each year. 

Strox has celebrated its anniversaries in both June 2022 and 2023 with sales events. 

Fortra has noticed heightened campaign activity in the months preceding and following these anniversaries, indicating a potential relationship between the sales and cyberattacks.

Strox group announcing their 2nd-anniversary promotion
Strox group announcing their 2nd-anniversary promotion

The rise of Strox illustrates the audacity and adaptability of cybercriminals. While cybersecurity experts continue their battle against these threats, Strox and PhaaS operations like it remain a daunting challenge, serving as a stark reminder of the ongoing struggle to secure the digital world.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...