Recent intelligence from AlienVault OTX reveals a sprawling ecosystem of credential phishing and data harvesting specifically targeting children through popular gaming platforms like Roblox and Minecraft. Threat actors are utilizing typosquatting domains and lookalike infrastructure (e.g., roblox-com.com) to lure minors into "offerwall" reward schemes. These sites promise free in-game currency in exchange for personal data and credentials. The attack chain involves social engineering via gaming communities, leading users to fraudulent websites that harvest login credentials and enroll minors in paid subscription traps. While specific malware binaries were not identified in this pulse, the infrastructure facilitates credential theft and potential account takeover (ATO).
Threat Actor / Campaign Profile
- Adversary: Unknown (Financially Motivated Cybercriminals)
- Malware Families: N/A (Web-based Credential Harvesting)
- Distribution Method: SEO manipulation, Typosquatting, Social Engineering on gaming forums/social platforms.
- Payload Behavior: HTML/JS forms designed to mimic legitimate gaming login portals. Collects usernames, passwords, and potentially email addresses for subscription traps.
- C2 Communication: Data is likely exfiltrated via POST requests to the hosting infrastructure (domains listed below) rather than a traditional malware C2 beacon.
- Persistence: This campaign relies on web access rather than endpoint persistence. However, stolen credentials may be used to maintain unauthorized access to gaming accounts.
- Anti-Analysis: Use of disposable domains and rapid registration of lookalike sites to evade static blocklists.
IOC Analysis
The provided indicators consist primarily of domains and a single IPv4 address.
- Domains: These indicators represent typosquatting attempts (e.g.,
roblox-com.cominstead ofroblox.com) and spoofed link shorteners or utility domains (blox.ink). SOC teams should immediately block these at the DNS layer and web proxy. - IPv4 (
45.11.229.230): This IP hosts the malicious content. Operationalize this by blocking outbound traffic to this IP on firewalls and reviewing proxy logs for any historical connections. - Tooling: SIEM solutions (e.g., Splunk, Sentinel) can correlate these IOCs with proxy logs. Threat intelligence platforms (OTX, MISP) can automate the blocking of these domains.
Detection Engineering
The following detection rules and queries are designed to identify network activity associated with this phishing campaign.
title: Suspicious DNS Query to Roblox/Minecraft Phishing Domains
id: 9e8c7d6e-5f4a-4b3c-2d1e-0f9e8d7c6b5a
status: experimental
description: Detects DNS queries to known phishing domains targeting Roblox and Minecraft users as reported in OTX Pulse.
references:
- https://otx.alienvault.com/
author: Security Arsenal
date: 2026/07/05
tags:
- attack.credential_access
- attack.initial_access
logsource:
category: dns
product: windows
detection:
selection:
query|contains:
- 'roblox-com.com'
- 'blox.ink'
- 'bloxlink.net'
- 'bloxlink.site'
- 'www-roblox.pw'
- 'robiox.com.ua'
condition: selection
falsepositives:
- Unknown
level: high
---
title: Network Connection to Known Malicious Gaming Infrastructure IP
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects network connections to the specific IP address associated with child-targeted credential harvesting infrastructure.
references:
- https://otx.alienvault.com/
author: Security Arsenal
date: 2026/07/05
tags:
- attack.command_and_control
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationIp:
- '45.11.229.230'
condition: selection
falsepositives:
- Unknown
level: critical
kql
// Hunt for DNS requests or Network connections to known malicious indicators
DeviceNetworkEvents
| where RemoteUrl has_any ("roblox-com.com", "blox.ink", "bloxlink.net", "bloxlink.site", "www-roblox.pw", "robiox.com.ua") or RemoteIP == "45.11.229.230"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend FullUrl = strcat("https://", RemoteUrl)
powershell
# PowerShell Script to check local DNS cache for indicators of compromise
$MaliciousDomains = @(
"roblox-com.com",
"blox.ink",
"bloxlink.net",
"bloxlink.site",
"www-roblox.pw",
"robiox.com.ua"
)
Write-Host "Checking DNS Cache for Malicious Gaming Domains..."
$DNSEntries = Get-DnsClientCache
foreach ($Domain in $MaliciousDomains) {
$Matches = $DNSEntries | Where-Object { $_.Entry -like "*$Domain*" }
if ($Matches) {
Write-Host "[ALERT] Found cache entry for: $Domain" -ForegroundColor Red
$Matches | Format-Table Entry, Data, TimeToLive
}
}
# Check for active connections to the malicious IP
$MaliciousIP = "45.11.229.230"
$Connections = Get-NetTCPConnection -RemoteAddress $MaliciousIP -ErrorAction SilentlyContinue
if ($Connections) {
Write-Host "[ALERT] Active connection detected to malicious IP: $MaliciousIP" -ForegroundColor Red
$Connections | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
} else {
Write-Host "No active connections found to $MaliciousIP"
}
# Response Priorities
* **Immediate**:
* Block all listed domains and the IP address (`45.11.229.230`) at the network perimeter (Firewall, Proxy, Secure Web Gateway).
* Add IOCs to DNS sinkholing services.
* **24 Hours**:
* Review proxy and firewall logs for any historical traffic to these IOCs within the organization (specifically targeting Education sector networks).
* If user activity is detected, initiate identity verification for affected accounts as credentials may have been harvested.
* **1 Week**:
* Update web filtering policies to block categories related to "Gaming" if appropriate for the environment, or implement stricter filtering for "Gambling/Scams".
* Conduct awareness training for students and staff regarding the risks of "free in-game currency" scams and typosquatting.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.