Cybersecurity solution provider Trend Micro has issued a report that highlights how chat platform APIs can be, and are being, used by cybercriminals to achieve their nefarious objectives. Because of the degree to which Webhook APIs are involved (an API attack vector not previously discussed on ProgrammableWeb), the warnings and incidents should serve as a wake-up call to API providers and developers when it comes to the sorts of best practices and ongoing vigilance it takes to fully secure their customers and systems. Provided that the incentives are worth it, ill-intentioned hackers will stop at nothing to breach an API or, as happened in this case, use it for its intended purpose to help perpetrate an attack.
The headline that caught my attention -- Criminals Drain Cash from ROBLOX Gamers -- came from InfoSecurity-Magazine.com. But it was the article's summary that really nabbed me: "The criminals are using an API in the chat platform, called Discord, to steal browser cookies containing ROBLOX login credentials." As it turns out, that summary isn't entirely accurate. It would have been more accurate to say that the criminals used Discord and its Webhook API as the getaway car once the credentials had already been stolen with malware. As a side note, malware and phishing often play a role in the API-related attacks that we report on here at ProgrammableWeb (which speaks to the need for a strong, layered security approach).
Discord is a fantastically viral communication platform that in recent years has been supplanting Skype as the preferred form of text and voice communication among gamers who play multiplayer games. Through Discord's APIs, game platform providers are able to build those communications directly into the game context as though they're an integral part of the game's fabric. It is incredibly important to note that Discord's API itself was not breached as a part of this particular break-in. Rather, it was legitimately used by the cybercriminals in order to blend in with the community of gamers, much the same way a pickpocket might use store-bought clothing to blend in with pedestrian street traffic in order to escape detection.
Once the cybercriminals escape such detection, they're able to use stolen credentials to log in to the accounts of ROBLOX gamers and siphon the platform's currency (ROBUX) from those accounts. As with other gaming platforms, that currency has a real-world cash value, so there's a real incentive for unscrupulous hackers to gain unauthorized access to those accounts.
Similar to other API-related transgressions that ProgrammableWeb has reported on, the ROBLOX incident demonstrates the tenacity and sophistication of the attackers. Trend Micro senior threat researcher Stephen Hilt told ProgrammableWeb that hackers also use unauthorized game account access in order to "filter money laundering through game currencies." Hilt also emphasized that, while this incident involving ROBLOX and Discord is significant, the larger pattern of blending in with existing text and voice communication channels in order to exercise the sort of command and control (C&C) that's typical of large-scale, botnet-like attacks is the uber-trend to watch. Hilt named Telegram and Slack as other Discord-like solutions that could be similarly targeted. Telegram, Hilt noted, has played a C&C role in attacks that involved the KillDisk ransomware. But to date, he knows of no similar intrusions that relied on Slack.
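The defensive counterpart to the "getaway car" pattern described above is watching egress traffic for the webhook endpoint itself: Discord webhooks are server-to-server integrations posted to a URL of the form /api/webhooks/<id>/<token>, so a workstation that starts POSTing to one, especially repeatedly and with sizeable bodies, stands out even though the destination domain is one gamers visit all day. The following detector is an added example written for this article, not code from Trend Micro, Discord, or the original piece. The proxy log format, the host allowlist (a hypothetical CI host at 10.0.5.5), the thresholds, and every log line, webhook id and token below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed egress-proxy log lines (not real traffic). Field order:
#   timestamp client_ip "user_agent" method url status bytes_out
# Webhook ids and tokens are placeholders, not real Discord values.
SAMPLE_LOGS = """\
2024-03-01T10:01:02Z 10.0.0.12 "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0" GET https://discord.com/channels/@me 200 0
2024-03-01T10:01:09Z 10.0.0.12 "Discord/1.0.9035 Electron/28.2" POST https://discord.com/api/v9/channels/111/messages 200 640
2024-03-01T10:02:14Z 10.0.0.12 "python-requests/2.31" POST https://discord.com/api/webhooks/000000000000000001/CONSTRUCTED_TOKEN_A 204 5200
2024-03-01T10:02:15Z 10.0.0.12 "python-requests/2.31" POST https://discord.com/api/webhooks/000000000000000001/CONSTRUCTED_TOKEN_A 204 5300
2024-03-01T10:02:16Z 10.0.0.12 "python-requests/2.31" POST https://discord.com/api/webhooks/000000000000000001/CONSTRUCTED_TOKEN_A 204 5100
2024-03-01T10:03:00Z 10.0.0.20 "curl/8.4.0" POST https://discordapp.com/api/webhooks/000000000000000002/CONSTRUCTED_TOKEN_B 204 300
2024-03-01T10:03:30Z 10.0.5.5 "ci-notifier/2.0" POST https://discord.com/api/webhooks/000000000000000003/CONSTRUCTED_TOKEN_C 204 210
2024-03-01T10:04:00Z 10.0.0.40 "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0" GET https://discord.com/api/webhooks/000000000000000001/CONSTRUCTED_TOKEN_A 200 0
""".strip().splitlines()

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<ua>[^"]*)" (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Discord webhook URLs carry the id and the secret token in the path.
WEBHOOK_RE = re.compile(
    r'^https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/'
    r'(?P<id>\d+)/(?P<token>[^/?#\s]+)'
)

# Hypothetical policy: only the CI host may post to webhooks at all.
ALLOWED_WEBHOOK_SOURCES = {"10.0.5.5"}
BURST_COUNT = 3            # posts from one host to one webhook in the window
LARGE_UPLOAD_BYTES = 4096  # a chat notification is far smaller than this


def parse_line(line):
    """Parse one constructed proxy log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def redact(token):
    """Keep only a short prefix so alerts never carry a usable webhook token."""
    return token[:4] + "..." if len(token) > 4 else "..."


def find_webhook_posts(lines):
    """Return parsed records that are POSTs to a Discord webhook URL."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        wm = WEBHOOK_RE.match(rec["url"])
        if wm:
            rec["webhook_id"] = wm.group("id")
            rec["token_hint"] = redact(wm.group("token"))
            hits.append(rec)
    return hits


def detect_webhook_exfil(lines):
    """Group webhook POSTs per (source host, webhook id) and flag the suspicious ones."""
    groups = defaultdict(list)
    for rec in find_webhook_posts(lines):
        groups[(rec["ip"], rec["webhook_id"])].append(rec)

    alerts = []
    for (ip, wid), recs in groups.items():
        reasons = []
        if ip not in ALLOWED_WEBHOOK_SOURCES:
            reasons.append("webhook POST from non-allowlisted host")
        if len(recs) >= BURST_COUNT:
            reasons.append(f"{len(recs)} posts to one webhook (burst)")
        total = sum(r["bytes"] for r in recs)
        if total >= LARGE_UPLOAD_BYTES:
            reasons.append(f"{total} bytes uploaded")
        if reasons:
            alerts.append({
                "ip": ip,
                "webhook_id": wid,
                "count": len(recs),
                "bytes": total,
                "user_agents": sorted({r["ua"] for r in recs}),
                "token_hint": recs[0]["token_hint"],
                "reasons": reasons,
            })
    # Most reasons first, then by host, so the noisiest offender tops the list.
    return sorted(alerts, key=lambda a: (-len(a["reasons"]), a["ip"]))


if __name__ == "__main__":
    for alert in detect_webhook_exfil(SAMPLE_LOGS):
        print(alert["ip"], alert["webhook_id"], alert["token_hint"], "; ".join(alert["reasons"]))
```

Against the constructed sample the workstation 10.0.0.12 trips all three rules (non-allowlisted source, a burst of three posts, about 15 KB uploaded), the curl host trips only the allowlist rule, and the CI host produces no alert. The ordinary Discord client traffic on the same hosts is ignored because it never touches the /api/webhooks/ path, which is the whole point: the webhook path, not the domain, is the signal. Tokens are truncated before they reach the alert so that the detection pipeline does not itself become a place where a working exfiltration endpoint is stored.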
Anatomy of a ROBLOX-Discord Attack Using Webhooks
For API stakeholders, there is probably no better way to secure your APIs and infrastructure than to understand how your potential enemies perpetrate their attacks. So, to help you gain a better understanding of the ROBLOX-Discord attack, we've broken down its workflow.
1. Create downloadable malware that takes advantage of the game
In this case, the perpetrators created malware that, according to Trend Micro's Hilt, was "disguised as ROBLOX modding software." In the online gaming world, everything, including the chances of winning, gets better when gamers take advantage of downloads called "mods" (short for "modifications"). Infecting an installation of ROBLOX on someone's PC is as simple as getting them to add the modification by starting the program from the command line with some additional parameters that load the mods. In this case, the mod was available through an online forum that was independent of ROBLOX. However, regardless of the gaming platform, mods are often acquired through such independent forums, which makes it difficult for the provider of the gaming platform to validate all mods as being safe.
2. Prey on unsuspecting and vulnerable victims
One reason the ROBLOX-Discord attack was successful is that the majority of the gamers on the platform are kids, and kids are more likely to take risks in order to gain an edge in multiplayer video gaming. So, unlike adults, many of whom are trained to suspect anything that looks like a download, if kids think a mod will help them win more games or improve their ranking, they are more likely to download and install it. According to Hilt, the cybercriminals took the extra step of "showing how their executable outputs were clean" to reassure users that it wasn't malware.