Posts

They tried to steal my Discord server

avatar of @keys-defender
25
Keys Defender
@keys-defender
·
0 views
·
6 min read



I want to share with you how my server was targeted by a malicious user, so that hopefully if something similar happens to you, you'll remember some of this and some bells will start ringing in your head.

  Yesterday among the tons of DM's that I receive every day in the Discord of the @cryptoshots.nft 3D game (play-to-earn Shooter on Hive), I got a request for advertising. It did not streak as odd at first; this happens once in a while since on https://play.crypto-shots.com we have a banner offering such a service:


And my guard was down because of the sleep deprivation.

The night before my kid decided that from 11pm to 3am was a good time to stay awake and play... and after that I had a ton of stuff to do.

So during the day I felt like..

 


The attacker approached me in this way:

  She (/he) started giving me some details and asking more questions.

But after a few minutes she changed her offer. She wanted me instead to publish the following text in my giveway channel:




PS. the scammer was still in their server. Now banned.



It sounded strange. But in my mind there was still a chance that it could have been legit since our 6K+ users would be a good audience for an NFT project (even though that one was on Ethereum).


















...and she offered $ 500 that seemed a reasonable price to me:

  In order to seem more trustworthy, they studied our Twitter/Discord and saw that we did quite a few collab giveaways with other projects. Sneaky sneaky.

But first she wanted to make sure my users were real...

I had no problem with showing some charts, since until not long ago I left this info public.

While I was retrieving this info, she strategically started "showing" the money..

I generated a new bitcoin address and shared it, to see where this was going.

5-10 minutes wait to make it look more legit..

She has deleted this message after being blocked but it sounded like "my boss is not sure about the legitimacy of your user base, could you please add this verification bot to your server?"

  Yeeh... sure. I turned on a secondary machine and spun up a temporary VM, visited the page and voila'.. attacker blocked in Discord and immediately reported.


This below is the MALICIOUS website.
DO NOT USE!! - PHISHING WEBSITE!!

By now it has now been reported by multiple people (including me) so it warns users that it's a dangerous domain. Hopefully they'll completely shut it down asap.

  It's well designed, at first it looks very similar to a real one:

DO NOT USE!! - PHISHING WEBSITE!!

  Once you click on the Login button it opens what to unexperienced eyes would look like a new window popup for discord.com:

  But it was not. What immediately gave it away was:

  • The slashes in the address bar were in the wrong direction! And if you clicked on the address bar nothing happened (ie. not a real input field).

  • There was no auto-fill for your email, if saved (simply because it was not discord.com)

  • I was using Brave but the icon showed Chrome

 

  • Only the close (X) button worked. The other 2 buttons in the top right corner of the fake window did nothing.

All the components of the fake window were web elements:

  And sneakily enough:

  • if you tried to drag the fake window around it worked as you would expect, it followed you around like if it was a separate window (good trick). But you could not drag it outside of its parent window, it was constricted inside the boundaries of the parent page. It was just html elements of the same webpage.

  • You could not right click to open the dev tools and explore its DOM/network calls.

  • The rest of the links on the page were take care of. If you clicked on them (eg. Register) they all worked and redirected you to the real Discord.

  • If you were on a smaller screen, it did not show the fake popup. No popup icon, no incorrect path and buttons. It showed it full page so you had fewer clues. But you were not on discord.com - that alone should be enough to scream danger!

  Well, so now you know how a phishing page looks like. Watch out!



NOTE: a couple of days before this event, we were invaded by a wave of bots from hacked Discord accounts. 300 users disappeared from our counters, and the phishing wave started. It could have indeed been the same attacker/group.



RECOMMENDATIONS

  IF YOU OWN A DISCORD SERVER:

  • Don't use on a daily basis your main Discord account that created it. Use a secondary account so that an attacker can never compromise the server owner (that has the highest priviliges).
  • Set up a spare Discord account for testing (roles, permissions, etc). You don't want private/sensitive conversation to accidentally go public. And, clearly, don't store passwords in private channels.
  • Have a test Discord server (stretch)
  • NEVER install a software/bot at request of someone you don't fully trust.
  • ENABLE. 2FA. In my case, even if they managed to get my email and password they would not have been able to access my server and do what they pleased with it. Simply because of the 2-factor authentication. Ah.. and do not use SMS's as you 2FA, they are not really safe.
  • Have your moderators enable 2FA!
  • Disable @everyone/@here tags for public channels (attackers love to tag all your users). Also make sure that they're not messing with you and sneaked into your server a user called "everyone" or "here". You may use that by mistake in your announcements and your users would not be notified.
  • Do your part and report spam/phishing accounts in a timely manner.

    Some of the safeguards that we have in place in the Crypto Shots server, and we recommend:

  • Custom bot that when a user with Discord xp below a certain threshold posts any (not whitelisted) link in popular channels, automatically deletes and warns the user about what is allowed and what not.
  • Custom bot that allows regular users to report spam simply replying to a comment with a "!review" command. The latter triggers a notification in a private channel and tags the mods so that they can intervene (ie. delete, ban).
Example:

  • Custom bot that immediately deletes spam based on keywords. It publishes the suspicious message in a private channel and tags the mods.

                      PS. now there seems to be a similar feature offered in Beta by Discord itself:

    FOR DISCORD USERS:

  • It is recommended that you disable DM's, so that only accounts that you added to your contacts can message you. Malicious bots can DM hundreds of users in a short amount of time.

To open the USER SETTINGS click on your logo and then on the edit button:

You can then find this option under Privacy & Safety: ![image.png](https://files.peakd.com/file/peakd-hive/keys-defender/Eo1wxLArBqB628zkmsxhKW6ZiB5Zfp78C6t6LTq4TpjJv7tsH1tYMRfkb4a4VQDExSj.png)
And pick your friends..

    GENERAL RECOMMENDATIONS:

  • Do NOT open links from people that you do not know.

  • Do NOT install software except from reputable sources (and still be vigilant).

  • If you come across something strange, Google it. For example in my case I immediately noticed that the bot I was asked to install had no main website..

  • Always hover on links to make sure the preview is exactly what it's supposed to be. (eg. https://www.google.com)

  • Check the address bar before entering any sensitive information in a webpage. Make sure you are logging in into the correct domain. Look for typos that give away that it's not the real domain!

  • Always stay vigilant, no matter how tired/distracted you are.

  Good luck, stay safe! @keys-defender

 

 

https://files.peakd.com/file/peakd-hive/cryptoshots.play/23vhWN3dWcoNBsrbJFum8RLbhxzgNuCrqfvtN4ZM5aD5fed1zq1JnxomMHan3wWH6xT7x.png

@keys-defender supports @cryptoshots.nft, play-to-earn 3D Shooter on Wax + Hive !!

Full launch on Hive on August 21st ! ( Starter pack and DOOM token 💥 ) Crypto Shots 1st Hive NFT  is already LIVE in the game!       👉