Reading Time: 19 minutes

David Berlind is editor-in-chief of ProgrammableWeb. 

Cybersecurity solution provider Trend Micro has issued a report that highlights how chat platform APIs can and are being used by cybercriminals to achieve their nefarious objectives. 

latest report
Learn why we are the Leaders in API management and iPaaS

Because of the degree to which Webhook APIs are involved (an API attack vector not previously discussed on ProgrammableWeb), the warnings and incidents should serve as a wake-up call to API providers and developers when it comes to the sorts of best practices and ongoing vigilance it takes to fully secure their customers and systems.Provided that the incentives are worth it, ill-intentioned hackers will stop at nothing to breach an API or, as happened in this case, use it for its intended purpose to help perpetrate an attack.

The headline that caught my attention — Criminals Drain Cash from ROBLOX Gamers — came from InfoSecurity-Magazine.com. But it was the article’s summary that really nabbed me; “The criminals are using an API in the chat platform, called Discord, to steal browser cookies containing ROBLOX login credentials.” As it turns out, that summary isn’t entirely accurate. It would have been more accurate to say that the criminals used Discord and its Webhook API as the getaway car once the credentials were already stolen with malware. As a side note, malware and phishing often play a role in the API-related attacks that we report on here at ProgramnableWeb (which speaks to the need for a strong, layered security approach)

Discord is a fantastically viral communication platform that in recent years has been supplanting Skype as the preferred form of text and voice communication among gamers who play multiplayer games. Through Discord’s APIs, game platform providers are able to build those communications directly into the game context as though they’re an integral part of the game’s fabric. It is incredibly important to note that Discord’s API itself was not breached as a part of this particular break-in. Rather, it was legitimately used by the cybercriminals in order to blend in with the community of gamers much the same way a pickpocket might use store-bought clothing to blend in with pedestrian street traffic in order to escape detection.

Once the cybercriminals escape such detection, they’re able to use stolen credentials to log in to the accounts of ROBLOX gamers and siphon the platform’s currency (ROBUX) from those accounts. Like with other gaming platforms, that currency has a real-world cash value so there’s a real incentive for unscrupulous hackers to gain unauthorized access to those accounts.

Similar to other API-related transgressions that ProgrammableWeb has reported on, the ROBLOX incident demonstrates the tenacity and sophistication of the attackers. Trend Micro senior threat researcher Stephen Hilt told ProgrammableWeb that hackers also use unauthorized game account access in order to “filter money laundering through game currencies.” Hilt also emphasized that, while this incident involving ROBLOX and Discord is significant, the larger pattern of blending in with existing text and voice communications channels in order to exercise the sort of command and control (C&C) that’s typical of large scale botnet like attacks is the uber-trend to watch. Hilt noted Telegram and Slack as other Discord-like solutions that could be similarly targeted. Telegram, Hilt noted, has played a C&C role in attacks that involved the KillDisk ransomware. But to date, he knows of no similar intrusions that relied on Slack.

Anatomy of a ROBLOX-Discord Attack Using Webhooks

For API stakeholders, there is probably no better way to secure your APIs and infrastructure than to understand how your potential enemies perpetrate their attacks. So, to help you gain a better understanding of the ROBLOX-Discord attack, we’ve broken down its workflow.

1. Create downloadable malware that takes advantage of the game 

In this case, the perpetrators created malware that according to Trend Micro’s Hilt, was “disguised as ROBLOX modding software.”  In the online gaming world, everything gets better including chances of winning when gamers take advantage of downloads called “mods” (short for “modifications”). Infecting an installation of ROBLOX on someone’s PC is as simple as getting them to add the modification by starting the program from the command line with some additional parameters that load the mods. In this case, the mod was available through an online forum that was independent of ROBLOX. However, regardless of the gaming platform, mods are often acquired through such independent forums which makes it difficult for the provider of the gaming platform to validate all mods as being safe.

2. Prey on unsuspecting and vulnerable victims 

One reason the ROBLOX-Discord attack was successful is that the majority of the gamers on the platform are kids and kids are more likely to take risks in order to gain an edge in multiplayer video gaming. So, unlike with adults, many of whom are trained to suspect anything that looks like a download, if kids think a mod will help them win more games or improve their ranking, they are more likely to download and install a mod. According to Hilt, the cybercriminals took the extra step of “showing how their executable outputs were clean” to reassure users that it wasn’t malware.

3. Extract the gamer’s authentication cookie 

When a ROBLOX user starts a new session with ROBLOX, the user is issued an authentication cookie. That cookie is only good for as long as the session is active. The malware is written to extract the authentication cookie. According to Hilt, once a hacker obtains a ROBLOX gamer’s authentication cookie, the cookie can be used in a command line argument when starting the ROBLOX software to login from any system as the original gamer without the need to provide additional credentials. For this reason, the hacker must act fast once the malware has extracted the cookie and this is where Discord’s Webhook API helped to speed the communication of that cookie back to the hackers. ROBLOX even recommends that you not give your authentication cookie away.  

ROBLOX Website recommendations

This is also where ROBLOX could install additional security controls to prevent this sort of attack. For example, it could do one or more of the following:

  • Require two-factor authentication for a successful login instead of making it optional as ROBLOX does now (but via email which is not exactly the best backchannel for two-factor authentication). For example, text a secret code to the gamer’s cell phone and require the gamer to enter that secret code into the ROBLOX user interface to complete the authentication. Unfortunately, given that many ROBLOX gamers are young kids, they may not have cell phones.
  • Disable the ability to supply an authentication cookie to the ROBLOX executable
  • Invalidate an authentication cookie if the ROBLOX network detects an attempt to login with while another active session using that cookie exists or when a login attempt is made from a system that is sourced to a completely different Internet connection from the original gamer’s system.

For example, if ROBLOX maintains a log of IP addresses that each gamer uses, then it could warn the user when a login that’s “out of pattern” occurs. At that point, the second system could be challenged with two-factor authentication. 

4. Use the Discord Webhook API to transmit the surreptitiously obtained authentication cookie 

Once the malware exfiltrates an authentication cookie, the clock starts ticking. The cybercrooks have to put it to use before the original session from which it was extracted is closed by the end user (the gamer). In fact, the ROBLOX website advises users to “Always Log Out of Your Account When You’re Done Playing.” While that advice is presented in the context of leaving a machine unattended, Hilt was clear that so long as a session is active, an authentication cookie that was exfiltrated during that session can be used as a login credential.

So, with the clock ticking, the malware then leverages the existing ROBLOX connection to Discord to transmit the authentication cookie back to the cybercriminals. Discord is the underlying communication network that ROBLOX gamers use to communicate with one another. Using Discord’s Webhook API, the malware sets up a connection to the Discord service and transmits the cookie to a Discord channel that’s operated by the hackers.

In this context, the Discord API is being used for illegitimate purposes. But, it is still being used in a legitimate fashion. In other words, the hackers are not breaking into or bypassing the security of the Discord service. In so doing, the hackers are essentially escaping detection because the resulting traffic looks pretty much the same as any other traffic between the ROBLOX client and the Discord service. However, had the cybercrooks chosen some other backchannel over which to exfiltrate the authentication cookie, they might have been detected. This offers some idea of the cleverness and tenacity of cybercriminals who will stop at nothing to achieve an objective, while doing a pretty good job of escaping detection and covering up their tracks at the same time.

It all started with Slack

According to Hilt, it all “started out with me looking into Slack and to see if cybercriminals could use Slack for C&C.”  While he didn’t turn up any nefarious activity along the lines of the abuse found on the Discord and Telegram services, a proof-of-concept (PoC) was developed to prove that Slack could potentially be used for C&C purposes. The outcome, detailed in a report prepared by Trend Micro, proved among other things that it was possible with nothing more than an API key (in other words, OAuth credentials were not necessary) so long as it involved a user who was already an approved user of a Slack channel. The PoC, however, revealed that Slack was also “less than ideal” for C&C. 

According to the report, “While there were no restrictions as to what type of file can be uploaded, the file size was capped at 1GB, with a total upload limit of 5GB. This makes data exfiltration through Slack less than ideal.”

Despite the PoC however, Slack appears to have escaped abuse in the real world which leads to the next obvious question; What is Slack doing technologically or in the way of best practices that might be keeping cybercriminals away from its network (keeping in mind that just because Hilt found no intrusions doesn’t mean it’s not happening)? ProgrammableWeb made contact with Slack to learn more. But, due to the summer holiday schedule, the right people were unavailable for comment. 

One important aspect of Slack is that channels have administrators that, to some extent, act as gatekeepers when it comes to what third party applications are allowed. A Slack administrator might allow the application for Uber because s/he trusts Uber as a brand to have taken whatever precautions are necessary to prevent its application and infrastructure from getting hijacked for nefarious purposes. In the ROBLOX/Discord situation, users are at the mercy of their own discretion. If they choose to download a mod that subsequently hijacks their ROBLOX installation, there’s not much that anybody else can do about it until their anti-malware solution provider (like Trend Micro) updates the local software to address the new threat (as Trend Micro has already done)

This article was first published on ProgrammableWeb.