The extension also sets up an alarm that will trigger an event every 15 minutes. Code sending stolen cookie via Discord (Click to enlarge) Title and message of the malicious extension (Click to enlarge)īgWork.js will send the message via Discord using a predefined webhook, which could also be changed to use any of the other chat platforms discussed in our paper titled How New Chat Platforms Can Be Abused by Cybercriminals.įigure 4. This extension doesn’t do that it will only send a stolen cookie to a Discord channel, leaving the user with nothing in return.įigure 3. In this case, the example shows that the extension is called a Trade Bot and claims to be a RAP (Recent Average Price) Value assistant that can help you trade your ROBUX for something else.
Looking into bgWork.js, there is a configured Discord webhook that sends out the stolen Roblox cookie via the Discord API when installed. This underground marketplace forum is a hotspot for Roblox hacks, where users even trade ROBUX (the in-game currency of Roblox) for other work or products. Searching for the terms CRM5 or bgWork.js lead right back to the forum. ZIP file contains a file named bgWork.js. We obtained samples of this bot using the following file names: ROBLOX BOT.zip, Crm5extension.crx, Roblox Enhancer.crx, and DankTrades.zip. Roblox Trade Bot being sold on the "Dream Market" underground marketplace (Click to enlarge) We learned this particular Chrome extension was, in fact, for sale on the Dream Market underground marketplace for only 99 cents:įigure 1.
The stolen information is sent via Discord, but this could also be configured to use other chat platforms. While it currently only targets Roblox users, the same technique can be used to steal cookies from any website. Since then, we’ve noticed another attack going after the same information, only this time it is via Chrome extensions (CRX files).
We recently discussed how cyber criminals are using the popular voice/chat client Discord to steal cookies from the running Roblox process on a Windows PC.
0 kommentar(er)
