Public service announcement from The Coding Den staff about social engineering being utilised as an attack vector for server takeovers

Today, on the 27th of March 2021, The Coding Den was subjected to a social engineering attack that led to a brief hostile takeover of the server before the situation was brought under control by staff. We are sharing this statement as a public service announcement on the methodology used in the scam and on possible remediations, in order to help other staff teams avoid becoming victims of it.

Methodology

The attack proceeds as follows:

  1. The attacker looks for a staff member who is currently offline. This makes the story plausible: there is no online account to contradict the claim that the staff member was globally banned and forcefully logged out.
  2. It is in the attacker's interest to choose a target with the highest possible privileges (to do the maximum amount of damage), so they will likely prefer administrators over moderators and so forth.
  3. The attacker creates a new Discord account with the same name and profile picture as the target.
  4. The attacker approaches a staff member, claiming that their main account was disabled for some terms of service or community guidelines violation (they may state which one). They may even post a screenshot of the login screen showing that they are allegedly unable to log in. One giveaway is that, if the attacker does not know the victim's email address, they have to obscure the email address in the image. See the image below and note how the email address is conveniently missing from the picture.

[Image: the attacker's "disabled" login screenshot, with the email address blanked out]

  5. The attacker may also imitate the speech patterns and vocabulary of the person they are impersonating to make the scam more convincing.
  6. Should the staff member fall for the attack and (re-)grant the attacker their privileges, the attacker now has free rein on the server and can do whatever they please.

Remediation

Here are some remediations for this attack suggested by the community and by us. We will pin useful contributions from the comments in this thread here to give them added visibility.

@linuswillner:

We recommend that staff teams set up a reliable protocol for authenticating staff members who have lost access to their accounts. One of the more straightforward ways is to set up a chat channel on another platform (for example a text messaging platform such as WhatsApp or Telegram) and require contact via that channel if a staff member loses access to their account on Discord. There are other options, too; the core requirement is that staff members need to be able to reach one another on a platform other than Discord.

Another option is to set up an authentication procedure in which the staff member must present a credential known only to them (the real person) and to key members of the staff team. Asking the person to log in to an internal system and make some benign, visible change is one way to do this.

@lemonsaurus (comment):

One thing you may want to consider is that these attacks are extremely time-critical for the attacker. If they impersonate someone and that person comes online, the whole thing falls apart.

For that reason, it's worth considering delaying any action that grants additional permissions until a certain amount of time has passed, even if you do believe this person to be who they say they are. If you wait 72 hours before taking action, chances are pretty good that the person who was offline might have come back online, unless they happen to be on vacation or something.

Even better is if senior staff in an organisation know each other's voices and faces, then a video call could be used for verification.

@itsHobbes (comment):

External communication is always useful, but equally vulnerable to loss of access. I would recommend some additional items:

1. Don't do anything without multiple levels of verification. - Ask them about topics of conversation in DMs and staff channels. Ask them to post on their social media, discord, email, github, etc.
2. Communicate with the rest of your staff team before doing anything. - The staff member that may or may not have lost their account might just be invisible and DMing another staff member. Someone else on the team may have private comms with the individual. There are many opportunities for others to have some idea of what is going on.
3. Don't rush - Losing access to your discord account for whatever reason isn't a reason to rush into things. The staff team should be able to moderate without an individual for some time, and that individual should be able to cope without their discord account while discord sort out whatever problem they have.

@HexF (comment):

Another way I could see verification is through the use of encryption technologies such as OpenPGP, and have a staff member digitally sign a message to prove they are who they say. This way an attacker has to effectively compromise a staff members system, and keylog the password for the key, making it incredibly difficult to do.

Author's note: While this is a very decent approach, and probably the most cryptographically secure one at that, it's probably quite a lot to ask from someone who isn't tech-savvy and already acquainted with the PGP keychain. It may work for communities where staff members fit the above description (like those centered around science and technology), but not all staff teams fit that description. Furthermore, it's probably the option that requires the most setup in the tech and procedure department here.
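The following is an added example, not code from The Coding Den or from any of the commenters, sketching how the remediations above fit together as one workflow: a challenge-response over a pre-shared secret (the "credential known only to the real person and key staff"), a mandatory waiting period before privileges are re-granted, automatic cancellation if the impersonated account shows up online, and sign-off from more than one staff member. The account names, secrets, the 72-hour figure and the two-approver threshold are assumptions chosen for illustration; an OpenPGP signature over the same challenge would be the asymmetric equivalent of the HMAC used here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed policy parameters, chosen for illustration.
COOLDOWN = timedelta(hours=72)   # waiting period before any re-grant
REQUIRED_APPROVALS = 2           # distinct staff members who must sign off

# Pre-shared secrets registered out-of-band while everyone still had access.
# Constructed sample data: a real deployment keeps these somewhere the
# Discord account itself cannot reach.
STAFF_SECRETS = {
    "alice#0001": b"correct horse battery staple",
    "bob#0002": b"tundra violin copper ladder",
}


@dataclass
class RegrantRequest:
    claimed_identity: str   # the staff member the new account claims to be
    new_account: str        # the account asking for privileges
    opened_at: datetime
    challenge: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    challenge_passed: bool = False
    approvals: set = field(default_factory=set)
    cancelled: bool = False


def expected_response(secret: bytes, req: RegrantRequest) -> bytes:
    """HMAC over the nonce and both account names, so a reply captured for
    one request cannot be replayed for another identity or account."""
    msg = req.challenge + b"|" + req.claimed_identity.encode() + b"|" + req.new_account.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def answer_challenge(req: RegrantRequest, response: bytes) -> bool:
    """Verifier side: constant-time comparison against the real secret."""
    secret = STAFF_SECRETS.get(req.claimed_identity)
    if secret is None:
        return False
    req.challenge_passed = hmac.compare_digest(expected_response(secret, req), response)
    return req.challenge_passed


def original_seen_online(req: RegrantRequest, identity: str) -> None:
    """If the account being 'replaced' shows up, the request is void."""
    if identity == req.claimed_identity:
        req.cancelled = True


def approve(req: RegrantRequest, approver: str) -> None:
    """The claimant's own new account cannot count towards the quorum."""
    if approver != req.new_account:
        req.approvals.add(approver)


def may_regrant(req: RegrantRequest, now: datetime) -> bool:
    """Every gate must hold: not cancelled, challenge passed, cooldown elapsed, quorum."""
    return (not req.cancelled
            and req.challenge_passed
            and now - req.opened_at >= COOLDOWN
            and len(req.approvals) >= REQUIRED_APPROVALS)


def simulate() -> dict:
    """Constructed scenario: an impostor, a genuine claimant, and a voided request."""
    t0 = datetime(2021, 3, 27, 12, 0, tzinfo=timezone.utc)

    # Impostor: same display name and avatar as alice, but no secret.
    impostor = RegrantRequest("alice#0001", "alice#9999", t0)
    impostor_ok = answer_challenge(impostor, expected_response(b"guess", impostor))

    # Genuine claimant: knows the secret, still has to wait and collect sign-off.
    genuine = RegrantRequest("bob#0002", "bob#7777", t0)
    genuine_ok = answer_challenge(genuine, expected_response(STAFF_SECRETS["bob#0002"], genuine))
    approve(genuine, "bob#7777")        # self-approval, ignored
    approve(genuine, "alice#0001")
    approve(genuine, "carol#0003")

    # A request that passes every check but is voided when the real account appears.
    voided = RegrantRequest("alice#0001", "alice#9998", t0)
    answer_challenge(voided, expected_response(STAFF_SECRETS["alice#0001"], voided))
    approve(voided, "bob#0002")
    approve(voided, "carol#0003")
    original_seen_online(voided, "alice#0001")

    return {
        "impostor_passed_challenge": impostor_ok,
        "genuine_passed_challenge": genuine_ok,
        "genuine_regrant_at_1h": may_regrant(genuine, t0 + timedelta(hours=1)),
        "genuine_regrant_at_72h": may_regrant(genuine, t0 + COOLDOWN),
        "genuine_approvals": len(genuine.approvals),
        "voided_regrant_at_72h": may_regrant(voided, t0 + COOLDOWN),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The point of binding the HMAC to both account names is that a response the attacker sees one staff member give for a legitimate request cannot be reused under another name; the point of the cooldown and quorum gates is that even a correct response does not by itself grant anything, which is what makes the attack's time pressure work against the attacker rather than for them.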

Conclusion

We wanted to share this public service announcement to alert other staff teams on Discord to this kind of attack spreading throughout the platform, and to how to identify the (admittedly few) warning signs. Should the attacker be allowed to gain Administrator permissions, for example, they can do significant damage to the server, including deleting channels, mass banning members, and so forth.

We hope this statement keeps other staff teams from falling for this same attack. Stay safe.

Signed,
The Coding Den staff

Written by:
Linus Willner
Co-Owner, The Coding Den

@haykam821 haykam821 commented Mar 27, 2021

Do we need to send phishing tests to Discord moderators now? This is disappointing.

@Pierce01 Pierce01 commented Mar 27, 2021

> Do we need to send phishing tests to Discord moderators now? This is disappointing.

Not sure how that'll help, just sounds like it'll cause more issues. No one is perfect, and seeing how Linus took the time to write this statement, they understand what to expect and look for going forward.

@lemonsaurus lemonsaurus commented Mar 27, 2021

Thanks for doing this write-up, Linus. As the owner of another very large Discord community, this is something we've discussed among the senior staff and enacted policies about, but these write-ups help a lot in understanding if our policies are suitable or not.

One thing you may want to consider is that these attacks are extremely time-critical for the attacker. If they impersonate someone and that person comes online, the whole thing falls apart.

For that reason, it's worth considering delaying any action that grants additional permissions until a certain amount of time has passed, even if you do believe this person to be who they say they are. If you wait 72 hours before taking action, chances are pretty good that the person who was offline might have come back online, unless they happen to be on vacation or something.

Even better is if senior staff in an organisation know each other's voices and faces, then a video call could be used for verification.

@Sphexi Sphexi commented Mar 27, 2021

Appreciate the transparency and write-up, the more people are educated on something like this the less likely it is to succeed 👍

@pope-sucks pope-sucks commented Mar 27, 2021

Thanks for the transparency, this is really interesting.

@javaarchive javaarchive commented Mar 28, 2021

Interesting, I actually thought of changing my username and pfp to match those of people who won giveaways on sketchy free nitro servers for fun.
In the future I feel like each staff member should have a secondary method of communications like email.

@eaaliprantis eaaliprantis commented Mar 28, 2021

Happened to a community that I was a part of. They obtained access through the bot, then elevated their permissions, and started to mass ban. The server had about 1k people and after the hostile event that occurred, it was down to 600 people (because they mass banned members).

The person who did it had no remorse and gave no **cks for doing it, all because the person wanted revenge.

When you meet people online, fully get to know them and understand how they act, so on and so forth. Because you don't want to be crossed at all.

Trusting is always a two-way street. Communication is always needed to be successful. Seeing TPH being able to be transparent is key

@itsHobbes itsHobbes commented Mar 28, 2021

> We recommend that staff teams set up a reliable protocol for authenticating staff members who have lost access to their accounts. One of the more straightforward ways is to set up a chat channel on another platform (Examples include text messaging platforms like WhatsApp, Telegram, etc.) and require contact via that forum if a staff member loses access to their account on Discord. There are other options, too; the core requirement is that staff members need to be able to reach one another on a platform other than Discord.

External communication is always useful, but equally vulnerable to loss of access. We (at TPH) have had this same thing attempted on us yesterday. I said this in our staff chat but this is a more fleshed out version. I would recommend some additional items:
1. Don't do anything without multiple levels of verification. - Ask them about topics of conversation in DMs and staff channels. Ask them to post on their social media, discord, email, github, etc.
2. Communicate with the rest of your staff team before doing anything. - The staff member that may or may not have lost their account might just be invisible and DMing another staff member. Someone else on the team may have private comms with the individual. There are many opportunities for others to have some idea of what is going on.
3. Don't rush - Losing access to your discord account for whatever reason isn't a reason to rush into things. The staff team should be able to moderate without an individual for some time, and that individual should be able to cope without their discord account while discord sort out whatever problem they have.


@linuswillner linuswillner commented Mar 28, 2021

> External communication is always useful, but equally vulnerable to loss of access. We (at TPH) have had this same thing attempted on us yesterday. I said this in our staff chat but this is a more fleshed out version. I would recommend some additional items:
> 1. Don't do anything without multiple levels of verification. - Ask them about topics of conversation in DMs and staff channels. Ask them to post on their social media, discord, email, github, etc.
> 2. Communicate with the rest of your staff team before doing anything. - The staff member that may or may not have lost their account might just be invisible and DMing another staff member. Someone else on the team may have private comms with the individual. There are many opportunities for others to have some idea of what is going on.
> 3. Don't rush - Losing access to your discord account for whatever reason isn't a reason to rush into things. The staff team should be able to moderate without an individual for some time, and that individual should be able to cope without their discord account while discord sort out whatever problem they have.

On the topic of loss of access, hence I put a method that one is unlikely to lose access to first and foremost in the list: Something that depends on your phone number. But I understand that might not be practical for everyone, so I noted alternatives as well. Regardless, you make a good point.

On the topic of time-sensitivity, this was brought up by another commenter as well and I’m actually planning to edit this Gist to add a proviso about how the attack is extremely time-critical and as such there should be a delay in privilege re-granting.

@HexF HexF commented Mar 28, 2021

Another way I could see verification is through the use of encryption technologies such as OpenPGP, and have a staff member digitally sign a message to prove they are who they say. This way an attacker has to effectively compromise a staff members system, and keylog the password for the key, making it incredibly difficult to do.

@linuswillner linuswillner commented Mar 28, 2021

> Another way I could see verification is through the use of encryption technologies such as OpenPGP, and have a staff member digitally sign a message to prove they are who they say. This way an attacker has to effectively compromise a staff members system, and keylog the password for the key, making it incredibly difficult to do.

While a decent idea, this is probably quite a lot to ask from someone who isn't tech-savvy and already acquainted with the PGP keychain. It may work for communities (like those centred around science and technology) where staff members fit the above description, but not all staff teams fit that description.

All that being said, this is a viable alternative, so I'll add it to the Gist with a footnote about what I just said.

@passivedragon passivedragon commented Mar 29, 2021

The suggested solutions seem a bit overengineered to me, discord offers easy personal verification and has been for a good while, voice and video calls.
Staff should know each other to a level that enables effective cooperation and coordination, if that doesn't reach a level staff interacts via VC, then that may be that, but it is quick and effective, a no-tolerance policy about avoiding or skipping VC verification can serve as a pretty solid bar. To be noted as well, text and voice communication inherently differ for the vast majority of people, which makes it even easier to identify scamming.

@jamieatYGR jamieatYGR commented Mar 29, 2021

From the raiders myself, I've done this to 100s+ partnered servers / influencers, 3.5mil member count to be exact, but we have stopped. By leaking this method, you're allowing other nukers to use this ( not as well as me :) ) and use it on other servers... Bear in mind there's over 2million servers on discord people can use it anywhere. Also, getting discord staff to threaten 15 year olds to involve a legal department over discord servers ( Edward ) doesn't help either.
Anyways, peace.

@Sphexi Sphexi commented Mar 29, 2021

> By leaking this method, you're allowing other nukers to use this ( not as well as me :) ) and use it on other servers.

Social engineering isn't new and it's not really a "method", nothing here is earth shattering at all. The benefits of documenting what happened and having an open discussion around potential methods to combat it far outweigh some people finding out that social engineering exists.

@macks2008 macks2008 commented Mar 31, 2021

> By leaking this method, you're allowing other nukers to use this ( not as well as me :) ) and use it on other servers...

as @Sphexi said, there's nothing particularly new to this attack. Presumably the only reason it even worked was that Linus wasn't fully on guard to think about the authenticity of the attacker. (I.e., the same reason so many other social engineering attacks work.)
@linuswillner as I said in DM a few hours ago, thank you for the transparency and I don't hold it against you. Could have happened to anyone. Thanks also for the write up detailing what to look out for, as well. Although I don't think my personal server is currently vulnerable to this (due to size), that says nothing of the future and besides, stuff like this is always at the very least intellectually interesting to me.

@greenbigfrog greenbigfrog commented Apr 2, 2021

I don't think using visual and or voice checked via online is a valid way of verifying authenticity anymore. In person, sure, but that's not really what we're talking about here.

I'd like to emphasize the "No need to rush" part mentioned above.
