Cookie logging explained

A somewhat “new” type of scamming has appeared, despite the method already being used a lot in scamming games and on sites that don’t look too similar to Roblox’s site (fake Robux generators). I’m quoting the word “new” as it could be an already known method that just hasn’t been noted down here.

Although I am not certain whether this method also logs cookies, it would seem so, as the people I have talked to who opened the site without entering their information seemingly got logged. I’ll have to check the site using a VM; if someone is ahead of me on that, it would be appreciated if it were shared.

Now onto the logging method: scammers/loggers have been sending wvvw-roblox.com links to users.
Notice how it isn’t www. but wvvw- in the link. Of course you might think this is easily avoidable by looking at the link directly, but the link embeds as a “Roblox” website which then tells you to log in, so it is really easy to fall for if the link isn’t sent inside a code block, as you can see in the screenshot below.


To further clarify: the link given there is FAKE. The account shown in the embed IS NOT the account linked to the actual userId shown in the URL; that’s the case with most, if not all, of these. You can easily backtrack it by looking up the username and matching the URL IDs.

The Discord account, however, seems to be a person that has tried to scam multiple people. I’m not aware of their full Discord tag; just beware of it.

The users whose username, userId and character are used are often not aware of the situation. Perhaps one of the 3 connects to the actual account, but there’s no way to be sure of that.

tl;dr

Read what links get sent in your DMs (be it Twitter, Discord, whatever) before opening them. It’s apparently really easy to overlook the URL’s off appearance due to the embed and the URL containing roblox.com in it.

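As an added example (not part of the post above, and not Roblox’s own tooling), here is a small link checker that does the check the post recommends, by hand: it ignores the embed and the link text entirely, parses the real href, and trusts a host only if it is the listed domain or a subdomain of it. The trusted-host list, the look-alike substitutions and the sample links are constructed for this demo.

```javascript
// Added example (not from the DevForum post): classify a link by its real
// hostname before opening it. The trusted-host list and the sample links
// below are constructed for this demo.
const TRUSTED_HOSTS = ["roblox.com"];

// Undo common look-alike substitutions so that "wvvw-roblox" reads as
// "www-roblox" and "rob1ox" reads as "roblox" when we search for the brand.
function normaliseHost(host) {
  return host
    .toLowerCase()
    .replace(/vv/g, "w")
    .replace(/rn/g, "m")
    .replace(/0/g, "o")
    .replace(/1/g, "l");
}

// A host is trusted only if it is the listed domain or a subdomain of it;
// "roblox.com.example.net" or "wvvw-roblox.com" do not qualify.
function isTrustedHost(host) {
  return TRUSTED_HOSTS.some((t) => host === t || host.endsWith("." + t));
}

// Returns { verdict, host }: "trusted", "lookalike", "untrusted" or "invalid".
function classifyLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { verdict: "invalid", host: null };
  }
  const host = url.hostname.toLowerCase();
  if (isTrustedHost(host)) return { verdict: "trusted", host };
  // Brand words a scam domain is likely to imitate, e.g. "roblox".
  const brands = TRUSTED_HOSTS.map((t) => t.split(".")[0]);
  const looksLikeBrand = brands.some((b) => normaliseHost(host).includes(b));
  return { verdict: looksLikeBrand ? "lookalike" : "untrusted", host };
}

// Constructed sample links; the paths and ids are placeholders, not real pages.
const SAMPLE_LINKS = [
  "https://www.roblox.com/home",
  "https://wvvw-roblox.com/games/000/Example",
  "https://roblox.com.example.net/login",
  "https://example.net/roblox",
  "not a url",
];

for (const link of SAMPLE_LINKS) {
  const { verdict, host } = classifyLink(link);
  console.log(`${verdict.padEnd(9)} ${host || "-"}  ${link}`);
}
```

The point of the normalisation step is that the brand name still shows through the substitution, which is exactly what makes the host suspicious: a domain that is not roblox.com but reads as “roblox” after undoing vv→w is a look-alike, while a domain that merely has “roblox” in its path is just untrusted.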

If you view the cookies Roblox gives you, you will see HttpOnly is set for our auth cookies, as can be seen here:

This means that the browser will not let client-side scripts access your cookies through something like document.cookie. This also means that if an attacker is exploiting an XSS vuln, they cannot directly fetch the cookie from your browser. However, with the way Roblox authtickets work, the attacker can get around this security by simply requesting an authticket and redeeming it. You can test it yourself here: Authentication Api

The redemption endpoint returns a .ROBLOSECURITY cookie in the response itself, which is available to client-side scripts, thus circumventing what HttpOnly prevented in the first place. This method has been used in a variety of scams quite recently, and it is sad to see that many developers have fallen victim to it.

If someone asks you to run any sort of JavaScript on your end, be aware that HttpOnly is easily circumvented on Roblox.
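As an added example (not from the post above and not Roblox’s code), here is the kind of response audit a site owner or reviewer can run to catch the gap the post describes: HttpOnly only stops `document.cookie` reads, so a session cookie that is HttpOnly but whose value is also echoed in a JSON body is readable by script anyway. The cookie name .ROBLOSECURITY comes from the thread; the token values and both sample responses are constructed.

```javascript
// Added example (not from the DevForum post): audit a response for the gap
// described above, where a cookie is HttpOnly but the same value is also
// returned in a script-readable JSON body. The cookie name .ROBLOSECURITY is
// from the thread; the token values and the response bodies are constructed.

// Parse one Set-Cookie header into its name, value and security attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [key, val] = attr.split("=");
    switch (key.toLowerCase()) {
      case "httponly": cookie.httpOnly = true; break;
      case "secure": cookie.secure = true; break;
      case "samesite": cookie.sameSite = (val || "").trim(); break;
    }
  }
  return cookie;
}

// Collect every string value from a parsed JSON document, however nested.
function collectStrings(node, out = []) {
  if (typeof node === "string") out.push(node);
  else if (Array.isArray(node)) node.forEach((n) => collectStrings(n, out));
  else if (node && typeof node === "object") Object.values(node).forEach((v) => collectStrings(v, out));
  return out;
}

// Returns a list of findings for the session cookies named in sessionNames.
function auditResponse(setCookieHeaders, body, sessionNames) {
  const findings = [];
  const bodyStrings = collectStrings(body);
  for (const c of setCookieHeaders.map(parseSetCookie)) {
    if (!sessionNames.includes(c.name)) continue;
    if (!c.httpOnly) findings.push(`${c.name}: missing HttpOnly`);
    if (!c.secure) findings.push(`${c.name}: missing Secure`);
    if (bodyStrings.includes(c.value)) {
      findings.push(`${c.name}: value is also in the JSON body, so scripts can read it regardless of HttpOnly`);
    }
  }
  return findings;
}

// Constructed responses: a well-behaved login, and a redemption-style reply
// that echoes the session token in its body.
const SESSION_COOKIES = [".ROBLOSECURITY"];
const GOOD_RESPONSE = {
  setCookie: [".ROBLOSECURITY=CONSTRUCTED_TOKEN_A; Path=/; HttpOnly; Secure; SameSite=Lax", "theme=dark; Path=/"],
  body: { status: "ok" },
};
const LEAKY_RESPONSE = {
  setCookie: [".ROBLOSECURITY=CONSTRUCTED_TOKEN_B; Path=/; HttpOnly; Secure"],
  body: { status: "ok", session: { cookie: "CONSTRUCTED_TOKEN_B" } },
};

for (const [label, r] of Object.entries({ GOOD_RESPONSE, LEAKY_RESPONSE })) {
  console.log(label, auditResponse(r.setCookie, r.body, SESSION_COOKIES));
}
```

The body check is the one that matters for this thread: the HttpOnly and Secure flags on the header can both be correct and the session is still exposed if any endpoint returns the same token in a body that `fetch` or `XMLHttpRequest` can read.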

Is it possible to get your cookies stolen from clicking on a link? There was a link going around on Discord that would embed as the Roblox main site. It could have possibly been a phishing thing or something, but I’m just wondering if I have to be wary of clicking on links, or is it just downloading stuff?

I’ve heard reports similar to these where people would get logged by just clicking a link. This shouldn’t be possible, but with today’s technology my comment should be taken with a grain of salt. Nonetheless, I do know that sites can inject tracking cookies which can then post e.g. ads on the sites you visit for them. Perhaps this method has been exploited to grab session data and information from your current session, which at this point wouldn’t surprise me, but I’m not taking this method into consideration atm.

Sites can also unexpectedly download something for you without you knowing it. If your security settings aren’t optimally set up, you could’ve suddenly gotten something malicious on your computer which from there is able to retrieve cookie data from your browser. This is a common method, as a malicious file can be hidden as any type of file; before you know it you’ve downloaded a PNG with a hidden executable in it.

Any update on my question? Today a link started spreading for private servers in my game.

Do these links steal your Roblox cookies?


Perhaps; it looks like an IP logger to me.

I think it’s a phishing link. It will look like you need to log in; then when you log in, they have your password and username.

Can Roblox just put an ultimate block on this? It happens too frequently. Is there a way for you guys to have an option for a backup 8-digit password that can allow you back into your account even if you were hacked?

I know I had a problem with the Roblox webpage: if you typed roblox.com, I was taken to some game site, a weird-looking site. Do you know what and why this was?


Like @PlaxiteRBX said, it appears that the link is a phishing link. It takes the Roblox website, but shows that you are logged out. Entering your account details will usually direct you back to the normal Roblox website, so the victims won’t know right away that their details were stolen.

Fun fact: Most of the time, these phishing websites are connected to a Discord webhook. You are able to report that to their support (or better yet, delete it yourself) to prevent others from falling for this.


Thank you for the “Trusted Roblox Extensions” panel. :+1:

I am now able to refer to this post, instead of surfing the web to find them; great resource.


You forgot to mention Brave…


This post is going to cause people to start cookie logging now.


I actually got cookie logged yesterday. It was not fun…


If I send a random PDF (from my PC folder), can someone get access to my HAR files? Or how do people expose them to others?

Files in general should be decently safe to send over, as long as you’re aware there’s no sensitive info inside the file. As far as I know, people can’t just get access to your HAR files from a sent PDF.

Keep in mind that these scammers who ask for a HAR file usually ask others to “change the filetype” to make it seem less suspicious (such as changing .har to .rbxm, .pdf or .png). This won’t actually change the filetype but makes it seem like it’s a file of that type, so they’re less prone to termination.

So, long story short, you can always send files over as long as they don’t contain sensitive info and as long as they’re the targeted filetype. If someone asks you to change the filetype (which is a decently late but still recoverable stage), that’s where you should consider it a red flag and report the user.

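As an added example (not from the reply above, and not any Roblox or Discord tooling), this is what “renaming doesn’t change the filetype” looks like in code: a HAR file is just JSON with a top-level `log` object, so a moderator bot or upload filter can recognise one by content whatever extension it carries, and list the cookies it would hand over. The sample HAR and its token value are constructed; .ROBLOSECURITY is the cookie name from the thread.

```javascript
// Added example (not from the DevForum post): detect a HAR file by its content
// rather than its extension, and report which cookies it carries. The sample
// file below is constructed; .ROBLOSECURITY is the cookie name from the thread.

// A HAR file is JSON with a top-level "log" holding "version" and "entries".
// Returns the log object, or null if the text is not a HAR document.
function looksLikeHar(text) {
  let doc;
  try {
    doc = JSON.parse(text);
  } catch (e) {
    return null;
  }
  const log = doc && doc.log;
  if (!log || typeof log.version !== "string" || !Array.isArray(log.entries)) return null;
  return log;
}

// Names of cookies found in any request or response of the HAR.
function cookieNamesIn(log) {
  const names = new Set();
  for (const entry of log.entries) {
    for (const side of [entry.request, entry.response]) {
      for (const c of (side && side.cookies) || []) names.add(c.name);
    }
  }
  return [...names];
}

// Inspect an uploaded file: what the name claims versus what the bytes are.
function inspectUpload(filename, text) {
  const m = filename.match(/\.[^.]+$/);
  const claimedExt = m ? m[0].toLowerCase() : "";
  const log = looksLikeHar(text);
  if (!log) return { filename, claimedExt, isHar: false, renamed: false, cookies: [] };
  return {
    filename,
    claimedExt,
    isHar: true,
    renamed: claimedExt !== ".har", // a HAR hiding behind .png/.pdf/.rbxm
    cookies: cookieNamesIn(log),
  };
}

// Constructed minimal HAR, shaped like a browser network-panel export.
const SAMPLE_HAR = JSON.stringify({
  log: {
    version: "1.2",
    creator: { name: "constructed-sample", version: "0" },
    entries: [{
      request: {
        method: "GET",
        url: "https://www.roblox.com/home",
        cookies: [{ name: ".ROBLOSECURITY", value: "CONSTRUCTED_TOKEN" }],
      },
      response: { status: 200, cookies: [] },
    }],
  },
});

console.log(inspectUpload("capture.png", SAMPLE_HAR));
console.log(inspectUpload("model.rbxm", "not json at all"));
```

The `renamed` flag is the signal the reply is talking about: a file called capture.png that parses as a HAR log with a session cookie in it is exactly the “change the filetype” request in action, and it is detectable without trusting the name at all.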

I had a couple of questions and theories about this.
• Could you get cookie logged on mobile?
• If you log out of the website but you’re still playing a game on Roblox, can you still get cookie logged?
• Does cookie logging only work on one device (like if I’m logged in on my phone but signed out on a PC and I get cookie logged on the PC, can I get hacked?)
• If we log out of our Roblox account we basically can’t get hacked, right, because no cookies are available?

  1. Yes, you can get cookie logged on mobile, because every web browser, no matter which device, uses cookies.
  2. No, because the login/security cookie got deleted then.
  3. That question makes no sense. Your login cookie is the same on every device and only refreshes if you use the security “log out of all other devices” and then log out on your device too.
  4. That’s the answer to the second question: yes.

Shouldn’t there be a cookie available when you’re playing a Roblox game?

OK, let me reword it. I meant: if you’re not logged on to your account on a PC, but you get cookie logged on a PC, but you’re logged in on your phone, can they take your cookie?