Threat Background & History
Beginning in the first half of 2022, Fortra has monitored a significant ongoing upward trend in fraud activity originating from various Phishing-as-a-Service (PhaaS) operations. Some of these services have thrived, while the popularity of others has diminished. One PhaaS operation that has notably been present throughout the past two years is known as Strox (aka Strox.su or Strox Pages). Strox has become one of the most complete phishing solutions for fraud actors available, offering advanced phishing kits, hosting services, mail spam scripts, and an automated market for selling stolen credentials.
Strox has reportedly been operating since June 2021 and originally offered scam pages imitating eleven US financial institutions. After investigating phishing activity retroactively, Fortra identified campaigns using Strox content as far back as November 2021. Since the platform’s original launch date, Strox has only added one more brand to the list of available phishing kits. However, the service does offer a page customization feature that effectively allows threat actors to make phish targeting any brand via image and text editing.
Though much of Strox’s infrastructure is found on Russian-based bulletproof hosting services, the group most likely operates out of the Middle East. While communication from the threat group is typically kept professional, stray comments found in phishing files and telegram channels speak on politics within the region.
Phishing-as-a-Service Analysis
Phishing Kits
Promotional landing page advertising phishing pages and tools.
When analyzing the phishing pages used in attacks linked to the Strox platform, it is clear that many or possibly all of the phishing kits offered through the service are not originally authored by Strox. Popular phishing kits are instead modified to incorporate many of the advanced live phishing features enabled by a PhaaS operation. As a result, identifying Strox indicators from phishing URLs alone may not guarantee the attack was generated by the service.
Phishing kit store page on Strox.su.
Currently, twelve phishing kits are sold on Strox for $90 USD each. A purchase of one of these kits includes a unique API key that promises the buyer continued development and updates of the page content and antibot information. Customers are able to view demo phishing pages before buying them for use and may customize which pages are active when an attack is live. In all available kits, phishing content auto translates its language to match the selected language of the victim’s browser. The service claims that over 230 languages are available.
Up-to-date phishing content is loaded by an external command server.
Live Phishing Capabilities
All scam kits available from Strox include a real-time admin panel which allows the phisher to control and monitor their active attacks. Logging information on the pages provides a live look at the number of people currently looking at phishing content and the actions that are being taken. This functionality is also leveraged in man-in-the-middle style attacks to obtain two-factor authentication codes and bypass additional security checks. When the threat actor is not available to monitor phishing attacks, they may opt to set phishing attacks to a dormant state. This measure may prevent pages from being detected during times when they are unproductive.
Photo of an active control panel provided by a threat actor.
Strox phish exfiltrate stolen credentials through a centralized Telegram bot rather than through a drop email address. This Telegram API provides end-to-end encryption and has the capability to package up this personal information for sale as ‘logs’ on a marketplace on Strox’s own domain. This makes Strox.su a potential complete closed ecosystem for threat actors, where captured banking information can be sold and the funds reused to purchase more phishing and hosting services within the Strox platform.
Logs available for sale for eleven brands on Strox. (Image taken Q2 2022)
Automated log ad listing generated on a threat actor’s Telegram.
Server Hosting
One factor that distinguishes Strox from many of the other popular PhaaS platforms currently operating is that the service offers to setup hosting infrastructure for the user. Bulletproof hosting of a cPanel installation is offered at a rate of $3 USD a day. Highlighted features for this server space includes:
- 30-Day No ‘Red Flag’ Guarantee
- Unlimited Bandwidth
- DDoS Protection
- HTTPS SSL Certification
Notably, the one process Strox does not offer assistance with is domain registration. Threat actors are required to register their own domain names and link them to the cPanel installations. According to a disclaimer on the hosting services page, users are not allowed to include the brand names of banks in domains in order to avoid detection from anti-phishing processes.
Renewal page for Strox phishing hosting services.
Based on Fortra’s visibility, Strox’s choice of “bulletproof” host has changed over the life of the operation. Recorded campaigns in the first half of 2022 utilized VPS installations on Digital Ocean servers. In the fourth quarter of 2022, attacks linked to Strox had migrated to Ponytech, FranTech Solutions, and Russian provider Dolgova Alena Andreevna. In 2023, servers hosting Strox attacks have increasingly been found behind CloudFlare’s DDoS protection services, however those that are not continued to use one of the hosting providers seen in 2022.
Promotional landing page advertising hosting services.
Leads and Lures
Consistent with their other offerings, Strox vies to be a one-stop shop for phishing threat actors. In order to help facilitate phishing campaigns, available materials include phishing email lures (“letters”), target email lists (“leads”), and PHP mailing scripts ready to install on Strox cPanel setups.
Promotional landing page advertising email lead database.
Promotional landing page advertising PHP mail/spam script.
More expensive SMS phishing services are also available on the platform. According to Strox, smishing lures can be sent to victims in the United States and Canada across all carriers. Unlike other available SMS spamming tools, this complete service does not require the threat actor to provide their own mobile SIM(s).
Price of plans available for Strox SMS Sender.
Anniversary Sales & Phishing Impact
One notable phishing activity pattern that has emerged in the past two years is a sharp increase in Strox-linked phishing campaigns during the second quarter of the year. Now in its third year of operation, Strox has advertised anniversary sale events in both June of 2022 and 2023. Fortra has observed increased campaign activity for every brand targeted by Strox services in the months immediately before and after these anniversaries.
Strox group announcing their 2nd anniversary promotion.
Appendix A – Strox Indicators
Learn how PhishLabs protects against phishing sites targeting brands with Digital Risk Protection.