Don't Join Discord Servers!!!

kk · Jun 24, 2022, 1:50 AM

Some mushers got their discord accounts hacked. What happens is they click on a invite to join a severer and scan to verify they are human ad then this gives someone else the ability to log into their discord account and spam all their friends with servers.

So maybe too late!

But if you get requests to join servers, I wouldn't join right and def don't verify and scan any codes.

SixRegrets · Jun 24, 2022, 2:09 AM

This sort of uninformed fearmongering doesn't really help anyone.

Derp · Jun 24, 2022, 2:20 AM

@sixregrets said in Don't Join Discord Servers!!!:

This sort of uninformed fearmongering doesn't really help anyone.

"Uninformed fearmongering?"

It literally happened to a bunch of us today, so it's not "uninformed fearmongering."

Also remember what part of the forum you're in.

Macha · Jun 24, 2022, 3:46 AM

Happened to me and a bunch of people I play with across a bunch of different games. We all got invited to a "Baymax" server by people we knew in the hobby.

I looked at the 'verify' request and went' "Nope." Messaged my friend who invited me, telling him I wasn't doing that, and he was like "OMG I got hacked!"

And he wasn't alone.

faraday · Jun 24, 2022, 4:41 AM

Just to clarify - from what I've been told, it's not joining the discord that gets you hacked. It's a suspicious link that you get sent after/during the process that takes you to a fake website where - (this is the part where my reports got a little hazy) - you are asked to enter your discord credentials to "verify yourself".

So the moral of the story isn't 'don't join discord servers' - it's be wary of ANY link at ANY time asking you to enter credentials. Double check the URL, the lock icon, the source of the link, etc. to make sure that it truly is Discord asking for your Discord credentials.

Juniper · Jun 24, 2022, 5:06 AM

Phishing is nothing new. It's pointless to try to avoid every kind of phishing out there, since that would require you to not use internet banking, not open emails, not use a search engine. In fact, don't use the internet at all! Then you will be safe.

In all seriousness there are better life lessons this PSA could give. How about:

Double check the URL before you enter your credentials

OR

Anything whisking you off to another site for 'verification' is sus as hell

Not "don't join Discord servers". That is silly.

Derp · Jun 24, 2022, 5:10 AM

This all takes place inside the Discord app, which is the issue. There's no whisking off to other sites and such, which would be a fairly obvious red flag. It asks you to make use of tools that you otherwise use in Discord all the time, inside the Discord environment, so is fairly cleverly disguised.

faraday · Jun 24, 2022, 6:40 AM

@derp said in Don't Join Discord Servers!!!:

There's no whisking off to other sites and such, which would be a fairly obvious red flag

There kind of is, though, it's just subtle enough that it fools people.

Here's a good video explaining what's going on: https://www.youtube.com/watch?v=4JL8O-9IkcQ

Basically you get invited to a server (normal, no problem), but upon joining a bot asks you to scan a QR code (which is just a link in another form) to verify yourself. The QR code/link then takes you to a confirmation prompt/page that says "do you trust this?" The hack happens when you click "yes I trust this" because it gives the bot access to your login credentials.

So there are actually two red flags here: One is the QR code (again, essentially a link) from an untrusted source, and two is the "do you trust this" warning prompt from discord itself.

Now I realize that often these things come from a hacked friend's account, so you might not see it as an untrusted source. That's the nefarious part of so many phishing schemes. I'm not faulting people for falling victim. I'm just saying, "don't join discord servers" is the wrong message. "Don't use Discord's QR scanning login" might be a better one, or "be wary of scammers trying to phish you by inviting you to servers". But let's be clear about what the actual problem is.

Incidentally this isn't new. The exploit has existed ever since Discord added the 'login with QR code' feature.

gremlinsarevil · Jun 24, 2022, 1:16 PM

@juniper the message should really be more "Don't join random discord servers out of the blue."

At least the request i got was from a contact I hadn't spoken with in 2 years and we'd definitely never spoke about any shared interests in Baymax, so immediately phishy.

If a message or link seems weird but you trust the sender, try to confirm through a second mode of communication if you're able to. And otherwise just trust your gut about if a message seems like a phishing attempt because those things are rampant.

Arkandel · Jun 24, 2022, 1:42 PM

@gremlinsarevil said in Don't Join Discord Servers!!!:

@juniper the message should really be more "Don't join random discord servers out of the blue."

That's the catch, it wouldn't appear to be out of the blue. One of your existing contacts would be 'inviting' you to join them.

gremlinsarevil · Jun 24, 2022, 2:00 PM

@arkandel was anybody talking with friends about Baymax servers? It was just a message of 'hey, join my server!' And the link, but no lead up of what the server was about and why you would be interested?

Things can come from a friend that is still out of the blue.

faraday · Jun 24, 2022, 2:09 PM

@gremlinsarevil said in Don't Join Discord Servers!!!:

Things can come from a friend that is still out of the blue.

Yeah that's how most phishing attacks get you. It's a weird message from a trusted friend/coworker/contact with just an obscure: "Hey check this out!", usually without any context (or with minimal context like "It's hilarious")

You just gotta be paranoid. It sucks. It's hard. Scammers suck.

Arkandel · Jun 24, 2022, 2:27 PM

@faraday Yeah and that's the thing, too. Some of us do have friends who send weird messages, start playing new games, join different guilds etc... and from whom randomness like that wouldn't be completely out of place.

faraday · Jun 24, 2022, 4:03 PM

@arkandel said in Don't Join Discord Servers!!!:

@faraday Yeah and that's the thing, too. Some of us do have friends who send weird messages, start playing new games, join different guilds etc... and from whom randomness like that wouldn't be completely out of place.

I get that, but that's just indisputably risky behavior in this day and age of phishing scams.

Friends can help each other out by not just sending random "hey check this out" type messages, but instead providing context.

You can help yourself by turning on your "sus" radar even when the random link is from a friend. Examine the link to see where it's actually taking you (wary of typos or google.somewherelse.com type scams), double-check the lock icon in the browser and security certificate, be extra suspicious of anything asking you to provide login creds or click on a "trust me" popup.

There are no guarantees of course, but there are good practices.

ETA: I don't mean to trivialize, because this crap is hard. Scammers are expert at manipulating human behavior. Even security professionals fall victim. All we can do is take steps reduce our risk.