ROBLOX, a popular multiplayer video game with more than 178 million registered accounts, is being targeted by cybercriminals via its chat function in an effort to siphon off millions of dollars from players.
The criminals are abusing a feature of Discord, a chat platform popular with gamers, to exfiltrate the browser cookie that keeps a player logged in to ROBLOX. The end game is stealing ROBUX (the in-game currency) and exchanging it for real cash.
The game relies heavily on user-created content to thrive; it allows its players to create their own mini games and environments within the ROBLOX game world that other players can then play and share. ROBLOX also has a social networking element that encourages users to socialize, play and create content together, and take part in the earning and spending of ROBUX.
According to Trend Micro research, the criminals are infecting targeted systems via a gaming forum, where they have posted malware disguised as a “cheat application” that supposedly lets players modify their characters and so gain an unfair advantage over other players. The malware waits until it detects ROBLOX on the victim’s system, and once it does, it steals the user’s game account cookie.
The malware also has a Discord webhook hard-coded into it. A webhook is a Discord feature that lets any outside program post a message into a specific channel simply by sending an HTTP request to a unique URL; no account login or bot token is needed, so the URL itself is the only secret.
In this case, the malware sends the stolen cookie to that webhook as soon as it has it. The attackers read it out of their own Discord channel and can then replay the cookie to log in as the victim and drain any stored ROBUX.
The malware runs persistently on the affected system and grabs a fresh cookie whenever a new one appears. Changing the password invalidates the stolen session, but it does not help while the malware remains on the machine: the victim’s next login produces a new cookie, which is stolen in turn.
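The exfiltration channel described above is easy to spot from the defender’s side if proxy or EDR telemetry records which process made each outbound request. The following is an added example (not code from the article or from Trend Micro) that scans constructed JSON-lines proxy records for HTTP POSTs to Discord webhook URLs, rates them by the posting process, and checks the payload for cookie-like content. The log format, the process allowlist and the sample records are assumptions; the webhook URL shape (`/api/webhooks/<id>/<token>` on `discord.com` or the older `discordapp.com`) is Discord’s real format, and `.ROBLOSECURITY` is ROBLOX’s real session cookie name, though the article itself only calls it the “game account cookie”.

```python
import json
import re
from urllib.parse import urlparse

# Discord webhook URLs look like https://discord.com/api/webhooks/<id>/<token>
# (older malware used discordapp.com). Other Discord API paths are not webhooks.
DISCORD_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}
WEBHOOK_PATH = re.compile(r"^/api/(?:v\d+/)?webhooks/(\d+)/([A-Za-z0-9_.-]+)")

# Processes expected to talk to Discord on a gaming workstation (assumption: tune per fleet).
EXPECTED_DISCORD_PROCS = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Substrings that suggest a session cookie is being shipped out in the message body.
COOKIE_MARKERS = ("roblosecurity", "cookie=", "set-cookie")


def classify_request(rec):
    """Return a finding for one parsed proxy/EDR record, or None if it is not a webhook POST."""
    url = urlparse(rec.get("url", ""))
    if url.hostname not in DISCORD_HOSTS:
        return None
    m = WEBHOOK_PATH.match(url.path)
    if not m or rec.get("method", "").upper() != "POST":
        return None
    webhook_id, token = m.groups()
    proc = rec.get("proc", "").lower()
    body = rec.get("body", "")
    # Webhook bodies are JSON with a "content" field; fall back to the raw body if it is not.
    try:
        content = str(json.loads(body).get("content", ""))
    except (ValueError, AttributeError):
        content = body
    leaks_cookie = any(marker in content.lower() for marker in COOKIE_MARKERS)
    if proc not in EXPECTED_DISCORD_PROCS or leaks_cookie:
        severity = "high"   # unknown binary, or a cookie in the payload: the pattern in the article
    else:
        severity = "low"    # a browser posting to a webhook may be a legitimate integration
    return {
        "ts": rec.get("ts"),
        "host": rec.get("host"),
        "proc": rec.get("proc"),
        "webhook_id": webhook_id,            # enough to report the webhook to Discord
        "token": token[:4] + "...[redacted]",  # never copy the full token into alert text
        "severity": severity,
        "cookie_like_payload": leaks_cookie,
    }


def scan_log_lines(lines):
    """Parse JSON-lines proxy records and return findings for every Discord webhook POST."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # malformed line: skip it rather than crash the scanner
        finding = classify_request(rec)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (hypothetical hosts, processes and webhook IDs, not real data).
_SAMPLE_RECORDS = [
    {"ts": "2017-09-20T10:01:02Z", "host": "ws-17", "proc": "Discord.exe", "method": "GET",
     "url": "https://discord.com/api/v6/users/@me"},
    {"ts": "2017-09-20T10:01:05Z", "host": "ws-17", "proc": "chrome.exe", "method": "GET",
     "url": "https://www.roblox.com/home"},
    {"ts": "2017-09-20T10:01:40Z", "host": "ws-17", "proc": "chrome.exe", "method": "POST",
     "url": "https://discord.com/api/webhooks/111111111111111111/buildbotTokenExample",
     "body": json.dumps({"content": "build 42 passed"})},
    {"ts": "2017-09-20T10:02:11Z", "host": "ws-17", "proc": "roblox_cheat.exe", "method": "POST",
     "url": "https://discordapp.com/api/webhooks/123456789012345678/AbCdEfGhIjKlMnOpQrStUvWxYz",
     "body": json.dumps({"content": ".ROBLOSECURITY=FAKE_COOKIE_VALUE_FOR_EXAMPLE"})},
]
SAMPLE_LOG_LINES = [json.dumps(r) for r in _SAMPLE_RECORDS]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG_LINES):
        print(json.dumps(f))
```

The two findings the sample produces illustrate the tuning problem: a browser posting a short status message to a webhook is plausible automation and rates low, while an unrecognised executable posting anything to a webhook rates high even before the body is inspected. Webhooks are a legitimate Discord feature, so blocking the hostnames outright is rarely an option; pairing the destination with the originating process is what makes the rule usable.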
“This isn’t the only malicious routine that cybercriminals can force Discord (or any similar chat platform) to carry out by abusing its API,” Trend Micro said in an analysis. “In fact, our analysis shows that with only some modifications, creative cybercriminals can possibly turn it into a command-and-control (C&C) infrastructure, allowing them to communicate with their malware without having to expend the resources for a home-brewed alternative.”
Trend Micro said it is working with Discord to eliminate these threats on its network, but users should always be careful about what they download from web forums, especially when message-board posts urge them to try out cheat applications.