Roblox Phishing Kit 8l0pamh6

Detects Roblox phishing sites using a Roblox specific strings within the DOM.

Usually at /controlPage/create you can create a "Beaming link" These are often spread through Discord to victims.

References

IOK Rule (edit)

title: Roblox Phishing Kit 8l0pamh6
description: |
    Detects Roblox phishing sites using a Roblox specific strings
    within the DOM.
    
    Usually at /controlPage/create you can create a "Beaming link"
    These are often spread through Discord to victims.
references:
  - https://www.youtube.com/watch?v=lUL2vgyhsw4
  - https://urlscan.io/result/c716b820-174e-4211-9c09-4663b4a7e47d/
  - https://urlscan.io/result/e76d7a2f-3e6d-455e-8da8-1a94ea6c222f/
  - https://urlscan.io/result/f9ccb8a3-624b-4cb1-b237-36dd81cef6e3/
  - https://urlscan.io/result/1a62439f-de11-4ee6-a0ed-9c482c0c1906/

detection:

    realDomains:
        hostname|endswith:
            - .roblox.com
            - .rbxcdn.com

    rbxBodyId:
        dom|contains: body id="rbx-body"

    rbxCDN:
        dom|contains: rbxcdn


    condition: rbxCDN and rbxBodyId and not realDomains

tags:
    - kit
    - target.roblox