
@nwunderly
Last active April 19, 2024 22:53
Discord anti-scam blogs!

Good morning friends. As some of you might have seen, Discord released two new safety-related blog posts today! I'd highly recommend reading them both and sharing them with your communities. I also wanted to give a little commentary on them, as someone familiar with these scams.

Protecting Against Scams on Discord

https://discord.com/blog/protecting-users-from-scams-on-discord

This is a blog post acknowledging the recent surge in scams on Discord. Notably, it also mentions the FTC's report indicating an internet-wide surge in scams in 2021. It gives general advice both for regular users and for server admins and mods. It's a pretty good writeup, but it is missing some things.

"Why Would Someone Want Access to My Account?"

This section covers some of the reasons someone might want to take over your account, but misses some big stuff. So let's go through these one by one.

  • If you're owner/admin/mod, the scammers might want to damage your server or use your account to target members. This is usually done by the kids behind the malware attacks. It's not very common though, unless you're running a big/important server.
  • If you have unique badges the scammers might want the badges to flex. This is the most common motivation for the malware attacks. They'll keep accounts with badges to show off, or try to sell them off to someone.

So far, so good. They're missing two big ones, though.

  • Scammers like to target accounts with Nitro subscriptions, and if you have an attached credit card they'll use it to buy a large amount of Nitro codes to sell at a discount for profit. This is how the phishing scammers primarily make money.
  • If your account doesn't have anything "desirable", they'll often sell it to be used as a raid bot. Tokens for accounts with a verified email/phone sell for more; people will buy them thousands at a time to raid servers.

"However, if you have 2-Factor Authentication enabled on your account, the hacker will also be required to provide a 2FA code to change your password."

This is true, sorta. In-client you need to provide a 2FA code to change your password. But you only need to provide your password to access your 2FA backup codes. This means that if someone has access to your account (through a stolen token) AND has your password, 2FA won't stop them from locking you out of your account. Discord is right that 2-factor authentication is important, but lately their blog posts (including their recent 2FA-related post) have been outright misleading about how safe it makes you.

Scams and What to Look Out For

https://discord.com/blog/common-scams-what-to-look-out-for

This is a follow-up article to Protecting Against Scams on Discord. It's a pretty good writeup and covers most of the scam types you're likely to see on Discord. No feedback here, but I'll give a TL;DR of the most serious scams to watch out for (the ones that can result in the loss of your account):

  • Phishing: Something like "free nitro!", "we're re-opening the moderator program!", etc. Presents a fake Discord (or sometimes another, like Steam) login page, and steals your account.
    • These pages can often MITM (man-in-the-middle) your 2FA code or the QR-code login, so entering either on such a page is extra dangerous.
  • Malware: The classic "try my game!" scam. The scammer tries to convince the victim to run a "game" they've developed, but it's a malware executable that:
    • Pulls your Discord session token from the installation files and sends it to the scammer.
    • Pulls your browser cookies and saved passwords and sends them to the scammer.
    • Injects a script into Discord and logs you out. If you log back in, it intercepts the email/password/2FA code you've entered and sends that to the scammer as well.

Remember:

  • Don't click links sent to you in DM!
    • If you do: don't enter your username/password/2FA code into a site without first checking the URL bar.
  • Don't open/run files sent to you in DM!
    • If you do: don't log back in! If you change your password, it's best to do it on a different device to ensure your token is reset without being intercepted.
    • As with any malware, it's best to just do a fresh install of your OS, but at the very least you should reinstall Discord completely and change all your passwords.
  • This includes DMs from friends!
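"Check the URL bar" is easy to say and easy to get wrong, because phishing pages are built to survive a glance. The following is an added example written for this edit, not code from the gist or from Discord, showing what a careful check of a login URL actually has to do before credentials are typed in. The function name, the trusted-domain list (here just discord.com and its subdomains) and every sample URL are assumptions constructed for the example; it rejects plain http, URLs that put a brand name in front of an "@", non-ASCII (look-alike character) hostnames, hosts that merely embed the trusted name, and near-miss spellings of it.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Assumption for this example: the only hosts where typing Discord credentials is
# legitimate are the apex domain and its subdomains. The gist names no such list.
TRUSTED_DOMAINS = ("discord.com",)


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-or-two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_login_url(url: str) -> Tuple[bool, str]:
    """Return (safe_to_type_credentials, verdict) for a URL shown in the address bar.

    Verdicts: trusted, not-https, userinfo, idn, embedded-brand, look-alike, untrusted.
    Only 'trusted' is safe; every other verdict means do not enter the password.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False, "not-https"
    # urlsplit puts anything before '@' into username, so 'https://discord.com@evil.example'
    # has hostname 'evil.example'. A brand name in the userinfo slot is a display trick.
    if parts.username is not None:
        return False, "userinfo"
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    if not host:
        return False, "untrusted"
    # Non-ASCII labels (or their punycode form) can render like Latin letters.
    if any(ord(c) > 127 for c in host) or host.startswith("xn--") or ".xn--" in host:
        return False, "idn"
    for domain in TRUSTED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return True, "trusted"
    # 'discord.com.free-nitro.example' ends in the attacker's domain, not Discord's.
    for domain in TRUSTED_DOMAINS:
        if domain in host:
            return False, "embedded-brand"
    # 'dlscord.com' and similar one- or two-letter swaps.
    for domain in TRUSTED_DOMAINS:
        if _edit_distance(host, domain) <= 2:
            return False, "look-alike"
    return False, "untrusted"


if __name__ == "__main__":
    # Constructed sample URLs of the kind the "check the URL bar" advice is about.
    samples = [
        "https://discord.com/login",
        "https://canary.discord.com/login",
        "http://discord.com/login",
        "https://discord.com@evil.example/login",
        "https://d\u0456scord.com/login",  # Cyrillic 'і' in place of Latin 'i'
        "https://discord.com.free-nitro.example/login",
        "https://dlscord.com/login",
        "https://evil.example/login",
    ]
    for sample in samples:
        ok, verdict = check_login_url(sample)
        print(f"{'OK  ' if ok else 'STOP'} {verdict:15} {sample}")
```

The ordering matters: the exact-match check comes before the embedded-brand and look-alike checks, so a real subdomain such as canary.discord.com is never misreported, while anything that only resembles the trusted name falls through to a reason the user can act on.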

That's all!

Remember, the best way to fight these scams online is to make people aware of how they work and how to recognize them! Stay safe, friends.
