Discord is pretty much the communications platform for gamers these days. Text, voice, video, shared screens, specialized servers: Discord does it all. A side effect of that ubiquity, according to a report released earlier this month by Check Point Research (via TechRadar), is that Discord server invites are now an attack vector that online scumbags can use as part of phishing operations.
It’s worth noting right off the hop that Check Point said “Discord took swift action to disable the malicious bot” used in the campaign it discovered, “which helps disrupt the current infection chain.”
“However, the broader risk, that attackers could create new bots or adopt alternate delivery methods that leverage the same core techniques, still remains,” Check Point wrote.
That risk arises from a flaw in Discord’s invitation system—those links your click to access the server for your favorite new game or online pal. Check Point says hackers can hijack old or deleted invite links and redirect them to servers of their choosing; once there, newcomers are prompted to verify themselves, which is more or less in line with the standard operating procedure of joining a server for the first time—close enough that it may not raise immediate suspicion.
Users will then be prompted to authorize the verification bot, and this is where it starts to get hairy: The short version is that authorizing the bot starts an “authentication flow” that ultimately leads to a well-disguised phishing website that will leave you and your PC in a bad state if you do what it says. The full report has a detailed breakdown of how it all works, but essentially it’s a “multi-stage payload delivery,” which generally speaking is not a phrase you ever want to hear used in the context of “this happened to your PC.”
The threat isn’t just to gamers, although gamers are obviously the number-one target simply because they represent Discord’s dominant audience. The same report also claims there’s another campaign being operated by the same “threat actors” (ie, online scumbags) that “shares core characteristics” with the hijacked invite campaign but uses a different “initial infection vector”: Pirated DLC for The Sims 4. However, “the same loader framework is used,” Check Point wrote, “along with the Skuld Stealer and AsyncRAT payloads.”
“The selected payloads, specifically AsyncRAT and a customized variant of Skuld Stealer, indicate a financial motivation behind this attack. While Skuld targets credentials from multiple sources such as browsers and Discord, the campaign places particular emphasis on cryptocurrency wallets, notably Exodus and Atomic, by injecting malicious JavaScript that exfiltrates stolen wallet seed phrases and passwords via a dedicated Discord webhook.”
It’s also difficult to eradicate the problem once you’ve got it: “The persistent scheduled task regularly triggers the second-stage loader, ensuring continuous execution and persistence of AsyncRAT. Even if a victim discovers and removes the malware, AsyncRAT will be redownloaded and re-executed, enabling attackers to retain ongoing remote control over previously compromised systems.”
Now, look: I am not a security guy, nor am I especially smart. But I have been around computers and online systems for a very long time, and that’s instilled in me a healthy sense of paranoia that I think would do everyone some good when it comes to stuff like this. For one thing, not everything that says “click me” should be clicked: When in doubt, do a search and find a second source.
And when you encounter a screen like this:
Simply do not. Do not run anything if you don’t know what it is and where it came from, and by “know,” I mean, you know—and if you think you know, then you don’t know and it’s time to hit the brakes. The moment any website, I don’t care who it is, tells you to open a command prompt, you close the window and go outside for a minimum of 15 minutes. It’s a simple, straightforward rule, and I promise it will save you no end of grief.
(No warranty is promised or implied by that statement, for the record. But at least if you do run into grief, you can say that you were paying attention and made a legitimate, good-faith effort to stay out of trouble. And trust me, it will save you grief.)
I’ve reached out to Discord for comment and will update if I receive a reply.