Strox, a threat actor known for its audacious and adaptable cybercriminal activities, has been operating since June 2021. The group initially offered scam pages imitating eleven US financial institutions and has since added only one more brand to its list of available phishing kits. Investigations by Fortra have traced Strox-related phishing activity back to November 2021, indicating the long-standing nature of this threat. Although many, and possibly all, of the phishing kits sold through the Strox platform were not authored by Strox itself, the platform remains a significant player in the cybersecurity landscape.
The rise of Strox underscores an increasing reliance on adversary-in-the-middle (AiTM) phishing kits like NakedPages and DadSec to bypass multi-factor authentication and hijack targeted accounts. Strox has been linked to increased phishing campaigns during the second quarter of each year, coinciding with their annual sales events in June 2022 and 2023. In addition to phishing kits, they offer various materials to facilitate phishing campaigns, including phishing email lures, target email lists, and PHP mailing scripts ready to be installed on Strox cPanel setups.
In terms of infrastructure, Strox offers bulletproof hosting of a cPanel installation for $3 a day, featuring a 30-day “No ‘Red Flag’ Guarantee,” unlimited bandwidth, DDoS protection, and HTTPS (SSL) certificates. This service, which most other PhaaS platforms do not provide, has evolved over time, with some Strox servers discovered behind CloudFlare’s DDoS protection services in 2023. However, Strox remains hands-off regarding domain registration: users must register their own domains, which keeps the platform itself out of reach of anti-phishing takedown processes. The ongoing operation of Strox and similar PhaaS platforms serves as a stark reminder of the challenges faced in securing the digital world.
Description last updated: 2024-05-04T16:12:08.907Z