WARNING: Ongoing Discord phishing

[Pandut]

There's an extremely organized mass-scale phishing attack occurring on discord atm. It started on Labor Day (Sep 6th) but it appears there have been smaller attacks happening all the way back to June. The attackers are specifically targeting the game dev community, in order to get people to download and run their "game". From what I understand, this "game" is a keylogger and some sort of crypto miner that as of right now cannot be recognized by anti-viruses. The only way to remove it is via a full system wipe. This malware will steal your Discord info and also harvest any login information/cookies saved to your browser.

Information is scattered right now, but the best I could make sense of it was this twitter post -- https://twitter.com/PhleBuster/status/1 ... 5267188741

Social engineering is playing a massive role in this which looks like its the only means of infection. These people will take control of an account, pretend to be that person and try to pass their "game" along to as many people as possible.

Please be careful, everyone! If someone you know has been compromised, block them immediately, do not click on any links or download any files they give you. I know we were all taught about this classic phishing scheme when we were younger, but it looks like the scheme has gotten so old and dated that it actually works again.

[Rachael]

Not that I am trying to downplay the seriousness of the threat - but there are constantly Discord attacks occurring on a large scale. And the alarm is sounded so often on it that it really becomes a situation of the boy who cried wolf.

Unfortunately, this epidemic of attacks is something that will have to be addressed by Discord themselves, directly, by making login tokens harder to steal, and also if they are stolen, to verify their point of origin similar to what most other online services do already, and invalidate the token when geographic characteristics of a person change too much.

If you posted about every single phishing attack campaign targeting Discord users on this forum though - this forum would be nothing but. It reminds me of the earlier days of Windows when it first started maturing into a full operating system - around the time of the 95/NT days and several years after that - malware attacks happening so often it was all you ever saw when Tech was discussed on the news. Well - guess what - a lot of people used Windows, still do, a lot of people use Discord, so Discord Windows users are a ripe target. Funny how so little has changed in a whole nearly 3 decades.

So the basic rules of internet security applies, as always - don't download or run programs you don't trust, and always be vigilant of others acting suspicious, and don't accept anything from them when they do. If they do send you something out of the blue, engage them in a conversation and try and pick up their pattern of behavior - try and get a feel for if it really is them. If in doubt, use a security feature in Windows such as the Windows Sandbox to test the program, and do not run it on your actual machine.

Remember - anyone can be hacked - even the most paranoid and vigilant person out there - so be careful who you trust and always pay attention to how they act so that you know when something is amiss. It's not that you can't trust anyone - it's more that you have to be sure the person talking to you really is who you think they are and do trust.

[Matt]

Thanks for the response, Rachael... these dire but example-less warnings I've been seeing going viral(!) lately have been causing a lot of FUD without providing any really actionable information. I thought I was somehow missing something new and game-changing this time but apparently that's not the case. (that Twitter thread itself contains nothing usable and links to another Twitter thread I can't even see!)

[Rachael]

Yes. A year or two ago it became a situation where pretty much every week there seemed to be a new phishing attack. Well ... if you warn people too often, they stop listening to warnings. 200 warnings is not going to get people to take the steps to secure their system any better than 3. In fact, it often has the reverse effect.

So a better course of action is to simply hold firm to basic security principles, and hope that people will follow. But failing that - you deal with each situation as it comes, rather than to try and preempt it with FUD.

[nova++]

Sounds easily preventable with a reasonable dose of common sense...?

Good thing I'm too much of a mess of nerves to be in any discord servers where anyone would try to push this on me.

...

[Graf Zahl]

Sounds easily preventable with a reasonable dose of common sense...?

Which is a proven fact that many people do not have that.
Some people are so utterly clueless they'd fall for anything that tries to con them out of their money or their private passwords or whatever else the perpetrator wants.

[nova++]

Yeah I was waffling on whether I should have phrased it as "(un)common sense"

I do know a friend of a friend got hit by this so I shouldn't be toooo harsh

...But also - I know a nigerian prince who would like your discord account details...

[Rachael]

Which is a proven fact that many people do not have that.
Some people are so utterly clueless they'd fall for anything that tries to con them out of their money or their private passwords or whatever else the perpetrator wants.

Which is the biggest and most widespread vulnerability in any system. People.

With enough charm, guile, and wit, almost anything is possible. Don't believe me?

I've been pushing for this to be required viewing in any basic computing as well as any internet or physical security course. Yes - it really is that easy.

[Enjay]

Yup, that's a very good video.

I've got a couple of friends who work in cyber security and they do quite a bit of pen testing. Often within minutes they are in to the systems of some organisations where getting in really, really shouldn't be as easy as that (including once their own head office ). Usually the weak spot is indeed the people. Like ridiculously and blatantly so - when you hear the stories you think "nah, no way that worked" but it does. It always does.

[wildweasel]

I've seen enough people almost get fooled by this that I think it's worth spreading the knowledge. Some folks could use the reminder, in any case.

Not that I expect I'll get fooled by this myself (my default response to "can you test this game for me" is "maybe later", followed by my forgetting about it entirely), but if anybody claiming to be me wants you to test a game that "I've" made, that's a flat out lie. I haven't worked on any games or anything of consequence since 2018.

[Redneckerz]

I haven't worked on any games or anything of consequence since 2018.

Imagine how surprised and excited people would be if the great WildWeasel was working on a new game!

[leileilol]

When in doubt, don't forget to use your personal copy protection: in-jokes

[yum13241]

like at this rate, tech education should be mandatory cuz i could literally take Hydra.exe, rename it to hydrasonicgame.exe, and people would fall for it. (not like i would do this here, just saying, im not risking a ban).