Sharks are cool and comfortable!


Elden Thing | Back & Body Hurts Platinugggggh Rewards Member


Profile pic and banner credits: sharkaeopteryx art by @superkiak! eggbug by eggbug! Mash-up by me!
[Alt-text for pfp: a cute sharkaeopteryx sat on the ground with legs out, wings down, jaw ajar, and head empty, looking at eggbug and eggbug's enigmatic smile.]
[Alt-text for banner: a Spirit Halloween banner with eggbug and the sharkaeopteryx that Superkiak drew for me looking at it with inscrutable expressions]


I'm a Vietnamese cis woman born and currently living in the U.S. You may know me from Sandwich, from Twitter or Mastodon (same username), or on Twitch as Sharkaeopteryx. I do not have a Discord or Bluesky account.

Ask me about language learning/teaching, cooking/eating food, late diagnosis ADHD, and volunteer small business mentoring. Or don't, I'm not the boss of you.


I think people deserve to be young, make mistakes, and grow without being held to standards they don't know about yet and are still learning. So, if you are under 22, please don't try to strike up a friendship or get involved in discussions on my posts.


Please don't automatically assume I follow/know/co-sign someone just because I reposted something from them—sometimes I do, sometimes I don't. Also, if you think being removed as a follower when we're not mutuals is a cardinal sin, please do not follow me.


🐘Mastodon
search for @sharksonaplane@mastodon.sandwich.net and hit follow if you want
Hang out with me on the Auldnoir forum! (you can DM there!)
discourse.auldnoir.org/
Follow me on Twitch
twitch.tv/sharkaeopteryx
Add my RSS feed (not working yet but I'll get to it!)
sharkaeopteryx.neocities.org/rss.xml

wooby
@wooby

it sucks, we're still trying to contact discord and get it fixed. but i wanted to take a second to point out how it happened, because the method they used was a lot more advanced than what i've seen before.


Emptyeye
@Emptyeye

"if you're reading this and you aren't convinced you'd fall for this: beware! i almost fell for this one, and i'm one of the most paranoid computer users in my friend groups! these scams only ever get craftier and more convincing. use your head, trust your gut, don't click links."

Thankfully, I have never been "truly" phished/hacked/etc.

However, the various places I've worked over the years will, to make sure people are paying attention/staying diligent, send out simulated phishing attacks. If you click one, you're basically told "YOU FAIL!" and have to go through some kind of "cybersecurity class" (The e-mail for which, incidentally, shares many of the same red flags as the simulated phishing attempt you fell for, but that's a separate discussion).

I am not ashamed to admit I have been Sim-Phished and had to take those classes.

Multiple times.

You probably, in your head right now, have a stereotype of the kind of person you'd think would fall for this, let alone multiple times. I don't think I fit that stereotype.

And yet.

To be clear, the classes weren't anything I didn't already know. But it just takes one moment of weakness. A lapse in concentration--maybe you're coming back from a vacation mindlessly clicking through your e-mails and something catches your eye. Maybe you're stressed out thinking about other things and your Spidey Sense isn't going off when you get that Discord DM from a known friendly account. Any number of other factors.

My point is, you are not immune to this, and perhaps almost as importantly, getting scammed is not a sign you're stupid or a shame point--these scams and phishing attempts are good. The second "Sim-Phish" that got me also got a lot of other people at the company I work for, none of whom I would call stupid.

Seriously. Stay safe and vigilant out on this wild Internet.


mechalink
@mechalink

There are a lot of people who think being vulnerable to something proves something it doesn't.

  • People who think that a false research paper ever being accepted is proof that that scientific field is not real.
  • People who are judgmental about being hacked thinking only dumb people get social engineered.
  • People who think being sick is a moral failing.
  • People who think being poor, or close to poor, is a moral failing.

This is all foolish behavior. Being vulnerable is partly a function of the system you are in, and partly a function of the system you are. People with kids are more likely to be sick. People under stress are more vulnerable to social engineering. People in a capitalist society without safety nets are more vulnerable to poverty.

Techniques that are taught and practiced to the point of unconsciousness are the best weapons, but nobody is invulnerable. No judgment, just helping people improve their technique.



in reply to @wooby's post:

I still feel dumb for nearly falling for a Discord scam a while ago where they tried to take over my Steam account. I didn't think there was anything wrong until I thought, hey wait a second, why are they telling me to ignore all of the emails saying my account is being signed into on other devices? The scam only had any credibility in the first place because I had my Steam account listed on my Discord, so they were able to be like "hey is this your account?" So I made them all no longer visible.

yeah, we work hard to make sure the people we're close to have our contact information in a variety of places - independent of any sharing features.

our threat model is perhaps more serious than most people's, but we just don't like making those things readily visible.

Tried to see what was in place to help make this more difficult; 2FA is huge, but if you get tricked into one of those Discord look-alike sites, it's still possible to mess up.

I just tried to change my Discord email, but it can't be changed without clicking a verification link sent to the email, so as long as that doesn't happen, it's possible to password reset/login, etc...

Of course, if you've run an exe, it's likely your session tokens have been compromised anyway... at which point I think you might be SOL if they hijack your email.

Avoiding process escalation (e.g. don't ever "Run as Admin") might help, especially for games, but I'm not actually sure if Windows applications running in user mode can still read the memory of other processes or random files...

in my girlfriend's case, 2fa was worse than useless. if discord didn't have it she probably would've been able to get back in much easier. but since they cracked her 2fa (i'm still trying to find out how, honestly) she was completely locked out of the account and discord support had to step in, which took a much longer time than it felt like it should've. (no disrespect to discord support, but man they should probably staff people on the night shift.)

the best step that discord should probably take is to IP-lock sessions. the hackers in this case were able to plainly steal her entire cookie, use it to impersonate her, then remove access on her end through the client. if the cookie were tied to her IP, this attack wouldn't be possible.

Taking the session would let you login, but you shouldn't have the root seed for the one-time password, and removing MFA from Discord still requires you to authenticate with either your existing generator or a backup code.

It also won't let you change your email without verifying the email first, and same with your phone number if you have that set.
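The two mitigations discussed in the comments above (binding a session cookie to the IP it was issued to, and requiring the existing authenticator or a backup code before MFA can be removed) as one added example. This is illustrative code written for this page, not Discord's implementation or anything posted in the thread; the account/session classes, the in-memory store and the sample e-mail, IPs and backup codes are all assumptions. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step), so the attacker who only holds a stolen session token has neither the seed nor a backup code and fails the step-up check.

```python
"""Added example: IP-bound sessions plus TOTP/backup-code step-up for a
sensitive action (disabling MFA). Not the original thread's code; the
names, store and sample data below are assumptions for illustration."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, List, Optional


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side (clock skew)."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + k * 30), code)
        for k in range(-window, window + 1)
    )


def _hash(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


class Account:
    """Constructed account. The TOTP seed lives only on the server and in the
    user's authenticator; it is never part of a session cookie."""

    def __init__(self, email: str, totp_secret_b32: str, backup_codes: List[str]):
        self.email = email
        self.totp_secret_b32 = totp_secret_b32
        self.backup_code_hashes = {_hash(c) for c in backup_codes}  # hashed, single-use
        self.mfa_enabled = True


class SessionStore:
    """Each session token is bound to the client IP it was issued to."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def issue(self, account: Account, client_ip: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"email": account.email, "ip": client_ip}
        return token

    def resolve(self, token: str, client_ip: str) -> Optional[dict]:
        session = self._sessions.get(token)
        if session is None or session["ip"] != client_ip:
            # A cookie replayed from another address is rejected. Caveat: real
            # users on mobile/CGNAT change IPs too, so production systems tend
            # to step up (re-authenticate) here rather than hard-fail.
            return None
        return session


def disable_mfa(store: SessionStore, accounts: Dict[str, Account], token: str,
                client_ip: str, proof: str, now: Optional[int] = None) -> bool:
    """Sensitive action: needs a live, IP-matching session AND fresh proof of the
    second factor. `proof` is a TOTP code or an unused backup code; a stolen
    session alone (no seed, no backup code) fails here."""
    session = store.resolve(token, client_ip)
    if session is None:
        return False
    account = accounts[session["email"]]
    now = int(time.time()) if now is None else now
    if verify_totp(account.totp_secret_b32, proof, now):
        account.mfa_enabled = False
        return True
    proof_hash = _hash(proof)
    if proof_hash in account.backup_code_hashes:
        account.backup_code_hashes.discard(proof_hash)  # burn the backup code
        account.mfa_enabled = False
        return True
    return False


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test seed, a victim session issued from one
    # IP, and a replay of the same token from an attacker's IP.
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    victim = Account("victim@example.com", seed, ["aaaa-1111", "bbbb-2222"])
    store, accounts = SessionStore(), {victim.email: victim}
    tok = store.issue(victim, "10.0.0.5")
    print("replay from 203.0.113.9 resolves:", store.resolve(tok, "203.0.113.9") is not None)
    print("disable MFA with stolen token, no code:",
          disable_mfa(store, accounts, tok, "10.0.0.5", "not-a-code"))
```

The check that matters is the order inside `disable_mfa`: the session only proves "someone holds the cookie", and the TOTP or backup code proves possession of the second factor. The IP binding in `resolve` is the cheap layer the comment asks for, and its cost (legitimate IP changes) is why it is usually paired with a step-up prompt rather than a silent logout.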

Root seed sounds like TOTP. I was assuming Discord let you receive a notification to your app as a form of MFA, like Google does. My understanding about phone numbers is that you can intercept a text for about $20. Security is hard :(

it's tough to say. in general, it's probably more believable:

  • if you're known to be a programmer/game developer
  • if the game is being hosted by a reputable site (i.e. itch.io or especially steam, etc)
  • if you don't seem very pushy about it ("if you have some time in the future", and also accepting a no)

in the end though, it'll always be a gamble on either side. it sucks! i know how tricky it is to get views on a thing you made. the most important piece is reputability. (which also means you should be sure to lock your account down if you are a gamedev, imagine building that trust up and then getting hacked!)

I think this is terrible advice. Executables and links to download them are not somehow more dangerous sent over Discord compared to any other platform, and Discord is very definitely not the only platform to be plagued with phishing attacks. Contacting someone through channels you don't normally talk to them through and telling them to download something is going to be incredibly suspicious to anybody

I mean in addition to discord. If a friend of mine sent me an executable and asked me to run it the first thing I would do is text them or call them elsewhere and have them confirm they sent me a file and intended to run it. The chances that they had multiple accounts breached is lower if they're following good password/2fa practice, so I can be more confident my actual friend who doesn't want to hack my account is sending me the file.

Feel free to follow whatever practices make sense to you.

Well I guess that can make some sense! But the way you phrased it definitely didn't make that clear XP Still, getting an email broken into means, for most people, that their other accounts fall as well, so I don't think it's a foolproof strategy. Doesn't hurt though, and I feel like most attackers wouldn't go through that much effort unless they were targeting you in particular, but you never know!

In this case (and from what I understand many Discord account hacks) the victim's email wasn't breached; rather, their session cookie was captured and used to log into the account, change the email/password, etc.

You're correct if someone's email was breached and they weren't using MFA on other accounts as a protection (or that MFA was configured to send email codes as a backup) then they would be able to breach nearly anything. That's why I'd personally call my friend on the phone like a boomer, because most attackers aren't dedicated enough for an individual target to hijack that.

If you're suggesting the simpler advice of "don't execute files your friends send to you" then I'd agree that's good practice. Assuming you might want to some day, I'd suggest doing more than just trusting the initial message to be secure.

I narrowly avoided getting got by this (or a similar scam) bc I have the disease where I never ever ever follow-up on any of my friend's recommendations, and shortly after the initial convo another friend of mine pointed out how sus it was (she'd gotten the same DM) & I realized it was a scam.

Another awful side-effect is there are probably legit people reaching out for actual testers so the real devs are gonna suffer, whilst the scammers keep going. This just makes me distrust any form of advertising even harder.

Sorry about your girlfriend's account, that really sucks, I hope she can get it back soon.

in reply to @Emptyeye's post: