In this article, we will be taking a closer look into a G2A scam that I’ve seen on the internet. If you’re not familiar with the site, they provide game keys and skins for prices that are usually lower than the retail price. Please note that I do not condone purchasing from this website as their methods of obtaining keys is considered sketchy by some.
This does not change the fact that their site has an estimated visitor count of 35.34 million visitors every month, which means scammers will make attempts to scam its users.
While browsing Reddit, I recently came across a post that claimed to be a “method” for obtaining free items on G2A by using a script to change your timezone and using Bitcoin as payment.
I was intrigued that such an exploit would be unpatched, so I decided to take a look at the script.
At first glance, the script suspiciously is using obfuscated Javascript.
Dropping the obfuscated code into a Javascript deobfuscator revealed that one of the variables contained a Bitcoin address! That seems suspicious for a script that is supposed to change your timezone.
Further examination shows that this script simply changes the Bitcoin address on the G2A checkout page so your cryptocurrency is sent to the scammer/script creator instead of G2A. Upon checking the wallet’s recent transactions on the blockchain, I was relieved to see it has only received $20.
Let this be a lesson. Don’t try to use scripts or programs that claim to abuse bugs in systems. Behavior like that is dishonest and only will give you more problems to deal with down the line. While I find it comical that scammers are scamming people who are attempting to scam websites, this concept was fascinating to me and I thought I would share my findings. Stay honest!
