Sutekh94

@Sutekh94

He / Him
linktr.ee/sutekh94

Average artist and writer. He/him. Bi. BLM, ACAB, trans rights, anti-crypto, and all that jazz.

Sutekh94 @Sutekh943/5/2024, 9:06 PM

Shadow Hog @ShadowHog

@wooby3/5/2024, 9:15 AM

so, my girlfriend's discord account got hacked

it sucks, we're still trying to contact discord and get it fixed. but i wanted to take a second to point out how it happened, because the method they used was a lot more advanced than what i've seen before.

you might be familiar with an older scam that was rampant on the platform a few years ago -- you'd see a message from a friend claiming they were trying their hand at programming, perhaps, and that they'd made a "cool game" they want you to try out. (or really any sort of cover story.) bottom line is, they'd have a zip file for you to download, and upon running the exe inside it'd hijack your session credentials and send it over to the scammers, who could then log in, change your password, reset your 2fa, and you're SOL.

of course, discord's taken measures to limit this since then -- uploading seemingly any zip file with an exe inside gets the whole message completely eradicated (and replaced with a link to a random recipe? there's probably an in-joke i'm missing.) so they can't use that cover story anymore! they got craftier.

the new hotness

sancticide (that link's safe, it leads to a steam store page -- but if your gut didn't catch that, it's good to re-evaluate why!) might be a real game. i'm not sure, but it does look like there's been some legitimate articles covering it published in the past few days. however, the only noteworthy thing about this game as far as i can tell is that it doesn't seem to have an actual website. there's the steam page, a bunch of articles talking about its announcement, and then other unrelated junk.

it's perfect real estate for a target!

so the new grift, it seems, is to launch a website that looks like the right thing. add some screenshots from the steam page, copy the description, and add a download for a malicious payload, masqueraded as a demo. just on its own, that's pretty vile! but to take it a step further, they then take what good accounts they have -- previous victims -- and send their friends the site, with a plea to download it. (in this case, i received a message asking me to sign up for an account using a referral code, so "my girlfriend" could get past a mission. i don't want to think about the implications of a game with a mission like that.)

in both cases, the scammer is feeding off the good will of others to help them out. friends help friends, and they're your friend, right? it's awful and predatory, but stepping back from that it's honestly quite an impressive system. they'll go back and read previous DMs to get a sense of how the victim talks, use frequent emoji, do whatever to prove they're your friend, download the game, it'll only take a few minutes. it sucks.

what's their end goal, anyways?

money. they're in the business of misery. more specifically, in our case the scammer continued to use the account to send out more fraudulent links, and then when i called their bullshit out, tried to arrange a deal with my girlfriend (and then later with me), asking for an outrageous sum of money in return for not nuking her account. (they then, of course, lowered their asking sum further and further, in an attempt to get any amount out of us at all.)

so what do i do about this?

if you've been hacked: as quickly as you can, attempt to change or reset your password and, if successful, kick off any and all other sessions. (you can look up a guide to do this, but in short: go to the settings, click "devices", and click the X next to each device that isn't the current one. you'll have to log back in on your other devices afterwards, but better safe than sorry). if you can't reset your password there's not much you can do other than contact discord support, as far as i know. good luck. you'll want to call your bank and tell them about it if you have your credit card hooked up -- they could run up a fortune buying nitro. also consider changing your passwords on any linked social media, especially if it's the same as your discord password.
if your friend has definitely been hacked: don't engage with the scammer! they are not at all obliged to keep any promises they make, and if they know you'll pay they'll squeeze every last dollar they can out of you. instead, contact your friends: let them know your friend's been hacked, tell them not to click any links, kick them from servers if you can. give them as few entry points into future victims as possible.
if you receive a link from a friend that you don't 100% trust: don't click that shit!! scan links, every time. make sure you're going to steampowered.com and not stearnpowered.com, etc etc. be vigilant, even if it's someone you've known for years.
if you're reading this and you aren't convinced you'd fall for this: beware! i almost fell for this one, and i'm one of the most paranoid computer users in my friend groups! these scams only ever get craftier and more convincing. use your head, trust your gut, don't click links.

above all else, follow common advice. use secure, unique passwords on every site. use a password manager. use 2fa. 3fa, if it's available. don't click strange links. away from computer safety, have two points of contact for your loved ones. signal, twitter dms, facebook messenger if you're old, whatever you use. i wouldn't have been able to talk to my gf again if i didn't have her phone number (she's too far away).

and whatever you do, please, please stay safe out there.

update mar. 5 2024 @733

my girlfriend got her account back! for anyone in her situation: you need to send a support ticket to discord using the email originally associated with your account. otherwise, they'll reject the ticket. it's still not a guarantee, unfortunately, but it's what worked for my girlfriend.

#discord #scams

You must log in to comment.

in reply to @wooby's post:

Kran'ts Ton @sudo-EatPant3/5/2024, 4:38 PM

I still feel dumb for nearly falling for a discord scam a while ago where they tried to take over my steam account. I didnt think there was anything wrong until i thought hey wait a second why are they telling me to ignore all of the emails saying my account is being signed into on other devices. the scam only had any credibility in the first place because i had my steam account listed on my discord so they were able to be like "hey is this your account?" So i made them all no longer visible

@Zutaca3/5/2024, 5:05 PM

I see the reasoning behind doing that, but that also takes away an alternate method of contact in case you do get hacked

Irenes (many)@ireneista3/6/2024, 8:49 PM

yeah, we work hard to make sure the people we're close to have our contact information in a variety of places - independent of any sharing features.

our threat model is perhaps more serious than most people's, but we just don't like making those things readily visible.

Variant @variantxyz3/6/2024, 2:41 AM

Tried to see what was in place to help make this more difficult; 2FA is huge, but if you get tricked into one of those discord look-a-like sites, it's still possible to mess up

I just tried to change my Discord email, but it can't be changed without clicking a verification link sent to the email, so as long as that doesn't happen, it's possible to password reset/login, etc...

Of course, if you've run an exe, it's likely your session tokens have been compromised anyway... at which point I think you might be SOL if they hijack your email.

Avoiding process escalation (e.g. don't ever "Run as Admin") might help, especially games, but I'm not actually sure if windows applications running in user mode can still read the memory of other processes or random files...

@wooby3/6/2024, 4:10 AM

in my girlfriend's case, 2fa was worse than useless. if discord didn't have it she probably would've been able to get back in much easier. but since they cracked her 2fa (i'm still trying to find out how, honestly) she was completely locked out of the account and discord support had to step in, which took a much longer time than it felt like it should've. (no disrespect to discord support, but man they should probably staff people on the night shift.)

the best step that discord should probably take is to ip lock sessions. the hackers in this case were able to plainly steal her entire cookie, use it to impersonate her, then remove access on her end through the client. if the cookie were tied to her ip, this attack wouldn't be possible.

@gkrnours3/6/2024, 6:09 AM

If the 2fa is the app, hijacking the session means hijacking the 2FA

Variant @variantxyz3/6/2024, 4:35 PM

Taking the session would let you login, but you shouldn't have the root seed for the one-time password, and removing MFA from Discord still requires you to authenticate with either your existing generator or a backup code.

It also won't let you change your email without verifying the email first, and same with your phone number if you have that set.

@gkrnours3/7/2024, 8:14 PM

Root seed sound like TOTP. I was assuming discord let you receive notification to your app as a form of MFA, like google do. My understanding about phone number is that you can intercept a text for about $20. Security is hard :(

Variant @variantxyz3/7/2024, 9:53 PM

Sorry, yeah it does let you go the phone route too; I just have OTP setup so I just said "MFA" assuming OTP and not the text code or app check.

Millie(let)@Gyro3/6/2024, 2:48 AM

Is there a way to tell friends about my game when I'm done developing it that won't make me look like a bot proffering a virus?

@wooby3/6/2024, 4:05 AM

it's tough to say. in general, it's probably more believable:

if you're known to be a programmer/game developer
if the game is being hosted by a reputable site (i.e. itch.io or especially steam, etc)
if you don't seem very pushy about it ("if you have some time in the future", and also accepting a no)

in the end though, it'll always be a gamble on either side. it sucks! i know how tricky it is to get views on a thing you made. the most important piece is reputability. (which also means you should be sure to lock your account down if you are a gamedev, imagine building that trust up and then getting hacked!)

farrowking37 @farrowking373/6/2024, 4:28 AM

Honestly I'd contact someone out of band (i.e. on a platform other than discord) if you're planning on sending them an executable letting them know that it's safe to download.

Spunney @Spunney-commenting3/6/2024, 3:24 PM

I think this is terrible advice. Executables and links to download them are not somehow more dangerous sent over Discord compared to any other platform, and Discord is very definitely not the only platform to be plagued with phishing attacks. Contacting someone through channels you don't normally talk to them through and telling them to download something is going to be incredibly suspicious to anybody

farrowking37 @farrowking373/6/2024, 4:28 PM

I mean in addition to discord. If a friend of mine sent me an executable and asked me to run it the first thing I would do is text them or call them elsewhere and have them confirm they sent me a file and intended to run it. The chances that they had multiple accounts breached is lower if they're following good password/2fa practice, so I can be more confident my actual friend who doesn't want to hack my account is sending me the file.

Feel free to follow whatever practices make sense to you.

Spunney @Spunney-commenting3/6/2024, 4:50 PM

Well I guess that can makes some sense! But the way you phrased definitely didn't make that clear XP Still, getting an email broken into means, for most people, that their other accounts fall as well, so I don't think it's a foolproof strategy. Doesn't hurt though, and I feel like most attackers wouldn't go through that much effort unless they were targeting you in particular, but you never know!

farrowking37 @farrowking373/6/2024, 5:15 PM

In this case (and from what I understand many discord account hacks) the victims email wasn't breached, rather their session cookie was captured and used to log into the account, change the email/password, etc.

You're correct if someone's email was breached and they weren't using MFA on other accounts as a protection (or that MFA was configured to send email codes as a backup) then they would be able to breach nearly anything. That's why I'd personally call my friend on the phone like a boomer, because most attackers aren't dedicated enough for an individual target to hijack that.

If you're suggesting the simpler advice of "don't execute files your friends send to you" then I'd agree that's good practice. Assuming you might want to some day, I'd suggest doing more than just trusting the initial message to be secure.

Pineapple Morgan @musings-of-morgan3/6/2024, 8:51 PM

I narrowly avoided getting got by this (or a similar scam) bc I have the disease where I never ever ever follow-up on any of my friend's recommendations, and shortly after the initial convo another friend of mine pointed out how sus it was (she'd gotten the same DM) & I realized it was a scam.

FinalGamerJames*@finalgamerjames3/8/2024, 4:38 AM

Another awful side-effect is there are probably legit people reaching out for actual testers so the real devs are gonna suffer, whilst the scammers keep going. This just makes me distrust any form of advertising even harder.

Sorry about your girlfriend's account, that really sucks, I hope she can get it back soon.