Skip to content

Instantly share code, notes, and snippets.

@linuswillner
Last active May 30, 2022 01:43
  • Star 21 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save linuswillner/d3f3187a5b412ef3785b3a8c2d143f83 to your computer and use it in GitHub Desktop.
Public service announcement from The Coding Den staff about social engineering being utilised as an attack vector for server takeovers

Today, on the 27th of March 2021, The Coding Den was subjected to a social engineering attack that lead to a brief hostile takeover of the server before the situation was brought under control by staff. We are sharing this statement as a public service announcement on the methodology used in the scam and possible remediations to prevent it, in order to help other staff teams avoid becoming victims of it.

Methodology

The attack proliferates as follows:

  1. The attacker will look for a staff member who is presently offline. This will ensure that it appears as if the staff member's account was globally banned and forcefully booted offline.
  2. It is within the attacker's interest to choose a target with the highest possible privileges (to do the maximum amount of damage), meaning that they will likely prefer administrators over moderators and so forth.
  3. The attacker will create a new Discord account with the same name and profile picture as the target.
  4. The attacker will approach a staff member, claiming that their main account got disabled for some (they may state which) terms of service or community guidelines violation. They may even post a screenshot of the login screen of them being allegedly unable to log in. However, one giveaway may be that, should they not know the victim's email address, they may obscure the email address from the image. See the below image and note how the email address is conveniently missing from the picture.

"disabled"

  1. The attacker may also try to imitate the speech patterns and vocabulary of the person they are impersonating to make the scam more convincing.
  2. Should the staff member fall for the attack and (re-)grant the attacker their privileges, the attacker now has free reign on the server and can do whatever they please.

Remediation

Here are some remediations for this attack as suggested by the community, including us. We will pin useful contributions from the comments in this thread here to give them added visibility.

@linuswillner:

We recommend that staff teams set up a reliable protocol for authenticating staff members who have lost access to their accounts. One of the more straightforward ways is to set up a chat channel on another platform (Examples include text messaging platforms like WhatsApp, Telegram, etc.) and require contact via that forum if a staff member loses access to their account on Discord. There are other options, too; the core requirement is that staff members need to be able to reach one another on a platform other than Discord.

Another option is to set up a secure authentication system that requires staff members to provide some sort of credential that is only known between them (as in the real person) and key members of the staff team. Asking the person to log in to an internal system and make some kind of benign change may for example be used for this.

@lemonsaurus (comment):

One thing you may want to consider is that these attacks are extremely time-critical for the attacker. If they impersonate someone and that person comes online, the whole thing falls apart.

For that reason, it's worth considering to delay taking any action that grants additional permissions until a certain amount of time has passed, even if you do believe this person to be who they say they are. If you wait 72 hours before taking action, chances are pretty good that the person who was offline might have come back online, unless they happen to be on vacation or something.

Even better is if senior staff in an organisation know each other's voices and faces, then a video call could be used for verification.

@itsHobbes (comment):

External communication is always useful, but equally vulnerable to loss of access. I would recommend some additional items:

1. Don't do anything without multiple levels of verification. - Ask them about topics of conversation in DMs and staff channels. Ask them to post on their social media, discord, email, github, etc.
2. Communicate with the rest of your staff team before doing anything. - The staff member that may or may not have lost their account might just be invisible and DMing another staff member. Someone else on the team may have private comms with the individual. There are many opportunities for others to have some idea of what is going on.
3. Don't rush - Losing access to your discord account for whatever reason isn't a reason to rush into things. The staff team should be able to moderate without an individual for some time, and that individual should be able to cope without their discord account while discord sort out whatever problem they have.

@HexF (comment):

Another way I could see verification is through the use of encryption technologies such as OpenPGP, and have a staff member digitally sign a message to prove they are who they say. This way an attacker has to effectively compromise a staff members system, and keylog the password for the key, making it incredibly difficult to do.

Author's note: While this is a very decent approach, and probably the most cryptographically secure one at that, it's probably quite a lot to ask from someone who isn't tech-savvy and already acquainted with the PGP keychain. It may work for communities where staff members fit the above description (like those centered around science and technology), but not all staff teams fit that description. Furthermore, it's probably the option that requires the most setup in the tech and procedure department here.

Conclusion

We wanted to share this public service announcement to alert other staff teams on Discord of this kind of attack spreading throughout the platform and how to identify the (admittedly few) warning signs. Should the attacker be allowed to gain Administrator permissions, for example, they can do significant damage to the server - including deleting channels, mass banning members, and so forth.

We hope this statement keeps other staff teams from falling for this same attack. Stay safe.

Signed,
The Coding Den staff

Written by:
Linus Willner
Co-Owner, The Coding Den

@greenbigfrog
Copy link

I don't think using visual and or voice checked via online is a valid way of verifying authenticity anymore. In person, sure, but that's not really what we're talking about here.

I'd like to emphasize the "No need to rush" part mentioned above.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment