Threat Background & History
Beginning in the first half of 2022, Fortra has monitored a significant ongoing upward trend in fraud activity originating from various Phishing-as-a-Service (PhaaS) operations. Some of these services have thrived, while the popularity of others has diminished. One PhaaS operation that has notably been present throughout the past two years is known as Strox (aka Strox.su or Strox Pages). Strox has become one of the most complete phishing solutions for fraud actors available, offering advanced phishing kits, hosting services, mail spam scripts, and an automated market for selling stolen credentials.
Strox has reportedly been operating since June 2021 and originally offered scam pages imitating eleven US financial institutions. After investigating phishing activity retroactively, Fortra identified campaigns using Strox content as far back as November 2021. Since the platform’s original launch date, Strox has only added one more brand to the list of available phishing kits. However, the service does offer a page customization feature that effectively allows threat actors to build phishing pages targeting any brand via image and text editing.
Though much of Strox’s infrastructure is found on Russian-based bulletproof hosting services, the group most likely operates out of the Middle East. While communication from the threat group is typically kept professional, stray comments found in phishing files and Telegram channels comment on politics within the region.
Promotional landing page advertising phishing pages and tools.
When analyzing the phishing pages used in attacks linked to the Strox platform, it is clear that many or possibly all of the phishing kits offered through the service are not originally authored by Strox. Popular phishing kits are instead modified to incorporate many of the advanced live phishing features enabled by a PhaaS operation. As a result, identifying Strox indicators from phishing URLs alone may not guarantee the attack was generated by the service.
Phishing kit store page on Strox.su.
Currently, twelve phishing kits are sold on Strox for $90 USD each. A purchase of one of these kits includes a unique API key that promises the buyer continued development and updates of the page content and antibot information. Customers are able to view demo phishing pages before buying them for use and may customize which pages are active when an attack is live. In all available kits, the phishing content is automatically translated to match the selected language of the victim’s browser. The service claims that over 230 languages are available.
Up-to-date phishing content is loaded by an external command server.
Live Phishing Capabilities
All scam kits available from Strox include a real-time admin panel that allows the phisher to control and monitor their active attacks. Logging information on the pages provides a live view of the number of people currently viewing phishing content and the actions they are taking. This functionality is also leveraged in man-in-the-middle style attacks to obtain two-factor authentication codes and bypass additional security checks. When the threat actor is not available to monitor phishing attacks, they may opt to set the attacks to a dormant state. This measure may prevent pages from being detected during times when they are unproductive.