Blue Team vs Beamer – Analysis of a Roblox Scam

Scam Overview

Written February 2024

For the uninitiated, Roblox is a popular video game these days. In fact, in August 2020, Roblox had over 164 million monthly active users, including more than half of all American children under 16. (This young-person user base happens to include a teenager in my family too, which is why you’re finding me writing about a Roblox scam today.)

With such popularity, scams have long existed in the Roblox community centered around stealing a user’s .ROBLOSECURITY session cookie, because stealing this cookie allows a scammer to login to the victim’s Roblox account, bypassing any 2FA/MFA. Ultimately, the scammer is looking to steal the victim’s Roblox account, even if only temporarily, to gain their valuable items and in-game currency, called Robux. The end goal with stealing these in-game items is to convert them to real cash or cryptocurrency. For those interested in more backstory, a detailed writeup from Vice on Roblox scammers, called “beamers”, and the Roblox black market can be found here.

The scam analyzed in this article is a variation that uses Discord to connect the scammer with Roblox users (victims) and, after some social engineering, getting the victim to install a malicious Google Chrome extension that will send the .ROBLOSECURITY cookie to the scammer.

ROBLOX SCAM OVERVIEW

Scam Analysis

Part 1 – The Scammer Identifies Their Victim

The scammer begins the scam by identifying victims in the Roblox game itself whose characters have rare and valuable items. For example, if the scammer sees a character wearing “Poisoned Horns of the Toxic Wasteland”, this will immediately catch their eye as these limited edition horns are worth 599k Robux. If you were to purchase enough Robux with USD through the game’s legitimate marketplace, this would cost over $5000!

LIMITED EDITION ITEMS MEAN BIG BUCKS

Part 2 – The Scammer Performs Social Engineering

After identifying their victim, the scammer messages them using in-game chat and claims they want to make artwork, i.e. a rendering, of the victim’s character since their appearance is so cool. The scammer then encourages the victim to connect with them on Discord so they can send photos of the artwork, which is not possible through the in-game chat (and also decouples the scammer’s in-game Roblox account with the non-monitored Discord account.)

Through Discord, the scammer sends 3D artwork of the victim’s character pulled from the victim’s in-game character model. However, the artwork sent over has no color – it just appears as a solid grey figurine. 

grey-character
DISCORD CHAT SHOWING A CRITICAL MOMENT IN THE SOCIAL ENGINEERING

As part of the ruse, the scammer tells the victim that they aren’t able to add the “textures” to their artwork without some help, and the victim will need to navigate to rendercraft[.]eu to download a “texture generator” plugin – plugin here, as we will find out, means a Google Chrome extension.

THE REAL RENDER CRAFT WEBSITE
THE SCAMMER'S CLONED WEBSITE

On first glance, the scammer’s website looks legitimate, but searching the company Render Craft does turn up a different hostname, rendercraft.com. Our first red flag during analysis is the real Render Craft, rendercraft.com, has had their domain registered since 2008, while rendercraft[.]eu is newly registered as of January 2024. A newly registered domain is suspicious, and it is very likely that the scammer is impersonating the real Render Craft with a website clone.

RENDERCRAFT.COM ICANN WHOIS
RENDERCRAFT[.]EU EURID WHOIS

Back to the website, the plugin download button is front and center. However, as a careful observer will notice, the download link is a random Google Drive link, not a file hosted on the website itself. The also means the victim will need to be logged in to a Google account to download the Chrome extension.

DOWNLOAD BUTTON IS A GOOGLE DRIVE LINK TO THE MALICIOUS EXTENSION

Part 3 – The Victim Installs The Malicious Chrome Extension

A LOOK INSIDE THE ZIP FILE

The Google Drive link downloads RenderCraftTextureGenerator.zip to the victim’s computer. This Google Chrome extension is not in the Chrome Web Store and has to be loaded into Chrome manually in developer mode – another big red flag. “Luckily” for the victim, a video tutorial on how to install the plugin is located on the scammer’s website.

LOADING THE EXTENSION IN DEVELOPER MODE

Part 4 – The Beginning of the Heist

Once the extension has been installed, the victim first interacts with the extension to “Enable Dev Mode.” This looks harmless at first glance, but Roblox actually doesn’t have a developer mode.

"ENABLE DEV MODE," IT SAYS.
"DEVELOPER MODE" NOW APPEARS IN ROBLOX ACCOUNT SETTINGS

 

Additionally, you can’t enable this “developer mode” without inputting your 2FA/MFA code or password. What is going on here?! Before we continue looking at the scammer’s heist from the victim’s perspective, let’s start analyzing the code to see what is happening at this moment. 

VERIFICATION REQUIRED TO ENTER DEVELOPER MODE

Unpacking the extension’s .zip file reveals a few files of interest: manifest.json, popup.html, and, in the scripts folder, popup.js, content.js, and background.js.

manifest-overview
CHROME EXTENSION MANIFEST FILE

The manifest file is required for Chrome extensions and lists important information about the structure and behavior of the extension. Among other things, we can see at a glance this extension:

  • Has “permissions” to access “cookies”
  • Uses popup.html to control what displays when the user clicks on the extension (the “browser_action” section)
  • Will run a content script, content.js, for any Roblox URL we have open in Chrome, allowing it to read the contents of those pages and make changes to them (the “content_scripts” section)
  • Will run our background script, background.js, to manage events seen by the extension (the “background” section)
POPUP.HTML CONTROLS EXTENSION UI

Starting with popup.html, it looks pretty straightforward – for example, some simple HTML to create a button labeled “Enable Dev Mode” that we saw moments ago. We see the JavaScript file popup.js is loaded as well via the <script> tag.

Upon attempting to analyze/reverse engineer popup.js (and all the other JavaScript files), we find a third (at minimum) red flag here as the code has been obfuscated.

BEFORE: OBFUSCATED CODE
AFTER: CODE HAS BEEN DEOBFUSCATED

After a little research, I found that the code was obfuscated using obfuscator.io, and, conveniently, there is a web-based deobfuscator for us at webcrack.netlify.app. This reversing of the obfuscation is necessary so we can read the code and perform our analysis.

Ah ha! Popup.js shows us what happens when we click “Enable Dev Mode” – it opens the Roblox Account Security page.

PLUGIN OPENS THE ROBLOX ACCOUNT SECURITY PAGE
ONE PURPOSE OF CONTENT.JS IS TO MODIFY THE ACCOUNT SECURITY PAGE

Not only that, after the browser navigates to the Account Security page, content.js changes the content on that page. First, it hides some content completely that we would expect to see on that page, such as what devices are currently logged in to this Roblox account. At the same time, it modifies the 2FA security toggle to be the “developer mode” toggle. This means that the victim thinks they are enabling a secret developer mode, but in reality they are disabling their account’s 2FA!

BEFORE: ACCOUNT SECURITY PAGE
AFTER: ACCOUNT SECURITY PAGE

Part 5 – The Heist Continues

Back to the victim’s perspective, after enabling developer mode, the Chrome extension pop up now prompts them to generate textures – the reason we have done all this work for the scammer in the first place. However, the extension says it is working on generating those textures for us, but nothing is happening. Did we do it wrong? 

Let’s jump into the background.js file to see the final pieces to this heist.

TIME TO "GENERATE TEXTURES"
THE FINAL MESSAGE IN THE SCAM

Background.js is rather short compared to content.js, but it turns out you can still have one heck of a grand finale even without a lot of code. 

The function checkForCookieAndSend() searches specifically for the .ROBLOSECURITY cookie we talked about in the Scam Overview, and then uses function fetchUserInfoAndSend() to send to this cookie to the scammer’s backend data collection server, which we will look at more closely momentarily.

There’s also a function called grabNonRobloxCookiesAndSendToBackend() which grabs ALL other cookies in Chrome and calls sendToBackend() to send the cookies to their backend server. This is especially scary as the malicious extension could compromise victim accounts beyond just a Roblox account. It’s worth noting again that before downloading the extension from Google Drive in the first place, the victim had to be signed in to Google, so we can expect stealing this Google login cookie will take place.

THIS CODE STEALS ALL OTHER COOKIES NOT ROBLOX RELATED

The backend server they setup is located at rendercraft-backend[.]org and is configured to receive the data via HTTP POST requests at various URLs. This sendToBackend() function in particular is sending to /sendallcookies in JSON format.

POSTING COOKIES TO THE BACKEND SERVER

Finally, there is sending of some of the victim’s data, like the user ID, via Discord webhook. There are no connections to Discord URLs directly, but assuming the function name is true, it uses their backend server URL /sendkey as a middleman to perform this action.

DISCORD WEBHOOK

Actions Taken & Timeline

Seeking vengeance, I approached this from a domain takedown perspective – reaching out to the providers associated with the scammer’s websites and reporting abuse (i.e. showing proof of abuse and asking them nicely to take the website down.)
 
Interestingly, it’s not always clear if you should approach the domain registrar or the webhost or both. This process becomes especially murky if one of those parties is a free speech and/or content neutrality advocate and does not feel responsible for moderating the content of their customers’ websites. As such, crafty hackers purposefully choose providers that won’t immediately take down their website if abuse is reported. For those interested, the blog post Cloudflare and Free Speech gives one provider’s perspective into this issue.
 
For taking down our Roblox scammers, the high-level process is first determining the registrar through a WHOIS lookup, at ICANN and EURID in this case, and then determining who the webhost is. The most common way to determine the webhost is to look at the name servers for the domain via a tool like dig, though this doesn’t always work. As one common example, if the scammers are using Cloudflare’s WAF/CDN service for their website, then the name servers will be Cloudflare’s and not the actual webhost’s.
 
Here is how that high-level strategy played out:
  • Jan 13th – Family member gets scammed
  • Jan 14th – Reported abuse for render-craft[.]org and rendercraft-backend[.]org to registrar and webhost
  • Jan 15th – Registrar suspends render-craft[.]org
  • Jan 27th – Discovery of new domains operating this scam – rendercraft[.]eu and rendercraft-backend[.]online
  • Jan 27th – Reported abuse for rendercraft[.]eu to webhost and rendercraft-backend[.]online to registrar
  • Jan 29th – rendercraft-backend[.]org is suspended by the registrar
  • Jan 31st – rendercraft-backend[.]online is suspended by the registrar
  • Feb 2nd – rendercraft[.]eu is suspended by the webhost
 

IOCs

Hostnames & URLs

rendercraft[.]eu

render-craft[.]org

rendercraft-backend[.]org

rendercraft-backend[.]online

https://drive[.]google[.]com/uc?export=download&id=1eCwas4kwTDQjomZHT3vv355Ft-Faezta

https://drive[.]google[.]com/uc?export=download&id=1hKHzi0595oxETSL68zfMxZsoRFWkDlj0

IPs

191[.]101[.]104[.]245

191[.]101[.]104[.]152

191[.]96[.]144[.]129

216[.]24[.]57[.]1

File Hashes

Chrome Extension RenderCraftTextureGenerator.zip

27e15e4d4e59e57cc04f6bb36da012fd511052a26c323ccdca69faf4ffc4ea0a

f65a4f2bed5ffef1a4f9b5255c1ed75caa31a02cae30e9c75d861efa97778472