Jaelights

Slooping dupes over here

Succinct transbien musician behind Lorelei and the Ghost.
Bring me your finest Yuris!





Music Links:
YouTube: https://youtube.com/@Jaelights
SoundCloud:
https://soundcloud.com/jaelights
BandCamp:
https://jaelights.bandcamp.com/



Writing:
https://www.wattpad.com/user/Jaelights



Business Email if you want music:
loreleiandtheghost@gmail.com



Profile Pic by @nomnomnami


wooby
@wooby

it sucks, we're still trying to contact discord and get it fixed. but i wanted to take a second to point out how it happened, because the method they used was a lot more advanced than what i've seen before.


Jaelights
@Jaelights

Read the full write up please, it's important and you need to know about it.

The part that really interested me is the claim that the attackers are going through your chat history to figure out how you talk so they can message your friends while speaking the way you would.

Ooooooooohhh, I highly doubt that, it would be a super inefficient way to run a scam. That'd be a good few hours on each victim, not efficient at all. You want a computer doing every stage of your scam. Sooooo...you know what can do that? An AI bot hooked into a natural language processor.

Good job generative AI, you continue to make the world a shittier place to be.



in reply to @wooby's post:

I still feel dumb for nearly falling for a discord scam a while ago where they tried to take over my steam account. I didn't think there was anything wrong until i thought hey wait a second why are they telling me to ignore all of the emails saying my account is being signed into on other devices. the scam only had any credibility in the first place because i had my steam account listed on my discord so they were able to be like "hey is this your account?" So i made them all no longer visible.

yeah, we work hard to make sure the people we're close to have our contact information in a variety of places - independent of any sharing features.

our threat model is perhaps more serious than most people's, but we just don't like making those things readily visible.

Tried to see what was in place to help make this more difficult; 2FA is huge, but if you get tricked into one of those discord look-a-like sites, it's still possible to mess up

I just tried to change my Discord email, but it can't be changed without clicking a verification link sent to the email, so as long as that doesn't happen, it's possible to password reset/login, etc...

Of course, if you've run an exe, it's likely your session tokens have been compromised anyway... at which point I think you might be SOL if they hijack your email.

Avoiding process escalation (e.g. don't ever "Run as Admin") might help, especially games, but I'm not actually sure if windows applications running in user mode can still read the memory of other processes or random files...

in my girlfriend's case, 2fa was worse than useless. if discord didn't have it she probably would've been able to get back in much easier. but since they cracked her 2fa (i'm still trying to find out how, honestly) she was completely locked out of the account and discord support had to step in, which took a much longer time than it felt like it should've. (no disrespect to discord support, but man they should probably staff people on the night shift.)

the best step that discord should probably take is to ip lock sessions. the hackers in this case were able to plainly steal her entire cookie, use it to impersonate her, then remove access on her end through the client. if the cookie were tied to her ip, this attack wouldn't be possible.

Taking the session would let you login, but you shouldn't have the root seed for the one-time password, and removing MFA from Discord still requires you to authenticate with either your existing generator or a backup code.

It also won't let you change your email without verifying the email first, and same with your phone number if you have that set.
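The two defensive ideas in the comments above (binding a session cookie to the IP it was issued to, and refusing sensitive account changes unless the user proves they still hold the TOTP seed) are easy to see side by side in code. The following is an added example written for this thread, not Discord's code or anything from the original posts; the `AuthServer` class, its users, the IP addresses (RFC 5737 test ranges) and the timestamps are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct


# --- TOTP (RFC 6238, HMAC-SHA1, 30 s step) ---------------------------------
def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the one-time code for `seed` at `unix_time` (RFC 6238)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock skew."""
    for drift in range(-window, window + 1):
        expected = totp(seed, unix_time + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


# --- Constructed toy server: IP-bound sessions + step-up MFA ----------------
class AuthServer:
    """Sessions are bound to the login IP; account changes need a fresh TOTP."""

    def __init__(self):
        self.users = {}     # username -> {"email": str, "totp_seed": bytes}
        self.sessions = {}  # cookie token -> {"user": str, "ip": str}

    def register(self, user: str, email: str) -> bytes:
        seed = secrets.token_bytes(20)  # shown to the user once (QR code)
        self.users[user] = {"email": email, "totp_seed": seed}
        return seed

    def login(self, user: str, client_ip: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "ip": client_ip}
        return token

    def session_user(self, token: str, client_ip: str):
        """Resolve a cookie; a cookie replayed from another IP is rejected."""
        s = self.sessions.get(token)
        if s is None or not hmac.compare_digest(s["ip"], client_ip):
            return None
        return s["user"]

    def change_email(self, token: str, client_ip: str, new_email: str,
                     totp_code: str, now: int) -> bool:
        """Sensitive action: valid bound session AND a code from the seed."""
        user = self.session_user(token, client_ip)
        if user is None:
            return False
        if not verify_totp(self.users[user]["totp_seed"], totp_code, now):
            return False
        self.users[user]["email"] = new_email
        return True


def demo():
    """Walk through the scenario from the thread with constructed values."""
    srv = AuthServer()
    seed = srv.register("gf", "gf@example.com")
    now = 1_700_000_000
    token = srv.login("gf", "203.0.113.7")
    # A copied cookie presented from a different network resolves to nobody.
    replay_ok = srv.session_user(token, "198.51.100.9") is not None
    # Even a guessed code fails when the session binding does not match.
    stolen = srv.change_email(token, "198.51.100.9", "evil@example.com", "000000", now)
    # The real owner, on the original IP, with a code from her authenticator.
    legit = srv.change_email(token, "203.0.113.7", "new@example.com", totp(seed, now), now)
    return replay_ok, stolen, legit, srv.users["gf"]["email"]


if __name__ == "__main__":
    print(demo())
```

The IP check is the weaker half: phones hop between carrier addresses and many users sit behind shared NAT, so a strict binding locks out legitimate sessions and still accepts a replay from the same network. The step-up check is what actually keeps a stolen cookie from changing the email or removing MFA, which is the property the comment above describes.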

Root seed sounds like TOTP. I was assuming discord let you receive a notification to your app as a form of MFA, like Google does. My understanding about phone number is that you can intercept a text for about $20. Security is hard :(

it's tough to say. in general, it's probably more believable:

  • if you're known to be a programmer/game developer
  • if the game is being hosted by a reputable site (i.e. itch.io or especially steam, etc)
  • if you don't seem very pushy about it ("if you have some time in the future", and also accepting a no)

in the end though, it'll always be a gamble on either side. it sucks! i know how tricky it is to get views on a thing you made. the most important piece is reputability. (which also means you should be sure to lock your account down if you are a gamedev, imagine building that trust up and then getting hacked!)

I think this is terrible advice. Executables and links to download them are not somehow more dangerous sent over Discord compared to any other platform, and Discord is very definitely not the only platform to be plagued with phishing attacks. Contacting someone through channels you don't normally talk to them through and telling them to download something is going to be incredibly suspicious to anybody.

I mean in addition to discord. If a friend of mine sent me an executable and asked me to run it the first thing I would do is text them or call them elsewhere and have them confirm they sent me a file and intended to run it. The chances that they had multiple accounts breached is lower if they're following good password/2fa practice, so I can be more confident my actual friend who doesn't want to hack my account is sending me the file.

Feel free to follow whatever practices make sense to you.

Well I guess that can make some sense! But the way you phrased it definitely didn't make that clear XP Still, getting an email broken into means, for most people, that their other accounts fall as well, so I don't think it's a foolproof strategy. Doesn't hurt though, and I feel like most attackers wouldn't go through that much effort unless they were targeting you in particular, but you never know!

In this case (and from what I understand many discord account hacks) the victim's email wasn't breached, rather their session cookie was captured and used to log into the account, change the email/password, etc.

You're correct if someone's email was breached and they weren't using MFA on other accounts as a protection (or that MFA was configured to send email codes as a backup) then they would be able to breach nearly anything. That's why I'd personally call my friend on the phone like a boomer, because most attackers aren't dedicated enough for an individual target to hijack that.

If you're suggesting the simpler advice of "don't execute files your friends send to you" then I'd agree that's good practice. Assuming you might want to some day, I'd suggest doing more than just trusting the initial message to be secure.

I narrowly avoided getting got by this (or a similar scam) bc I have the disease where I never ever ever follow-up on any of my friend's recommendations, and shortly after the initial convo another friend of mine pointed out how sus it was (she'd gotten the same DM) & I realized it was a scam.

Another awful side-effect is there are probably legit people reaching out for actual testers so the real devs are gonna suffer, whilst the scammers keep going. This just makes me distrust any form of advertising even harder.

Sorry about your girlfriend's account, that really sucks, I hope she can get it back soon.

in reply to @Jaelights's post:

to be fair, they can get a general gist of your typing style in a few seconds just by reading through your previous messages. the style won't match 100%, which is a giveaway sometimes -- my girlfriend doesn't really use any improper grammar, so it was weird when the scammer said "i can ask you for help with something?". i sort of doubt they're using generative AI for this part of the scam, though it would make sense for them to fit it into other parts. I could see an AI being used to throw the faux website together pretty quickly.

It’s less about the complexity of matching someone’s style and more the fact it isn’t practical. If I do something like this manually I can only run one low probability scam at a time. If I have a bot that does it I can do hundreds, if not thousands, of low probability scams at a time. This increases my odds that one of those many many lines will hook a fish.

Scammers are playing a numbers game, the more possible targets they can generate per hour the better. If using generative AI to make a more realistic sounding bit helps (and it does) then they’re going to use it.

That’s why I suspect what I do.

i still kinda doubt it, personally. in our case the scammer was some random kid from Brazil. i know they were running it manually because it took them a long while to get around to most people in the friends list - there was a good 3 hour gap between me receiving the initial text and another friend of mine receiving it. i don't doubt that some of them would use generative AI, but i think the more likely answer is either that the hack tool is being sold as a kit (meaning there could be any number of ways to run the scam) or that there's huge teams of scammers that are trained very little and given commission for how much money they squeeze out of the victims. then you wouldn't need generative AI; it's a room full of typewriting monkeys.

You make many good points, I still respectfully disagree…. But I also like to think reasonable minds can differ :).

Either way, I want to thank you for the general heads up. Regardless of the exact method of execution, I was totally unaware that this could happen on Discord. So the warning is very much appreciated!!