![]() ![]() First, attackers will create a story to set themselves up as a people you can trust, who will resolve your pressing issue, like unban your account on a Discord channel or elevate your community status. Deception TacticsĪttacker's main goal is to convince you in any way possible to reveal your account token, with the most likely approach being social engineering. Now that we know what the attackers are after, let's analyze the attack flow. When they manage to extract the master token from your account, it is game over and third parties can now freely access your account, bypassing both the login screen and any multi-factor authentication you may've set up. That single line of text, consisting of around 70 characters, is what the attackers are after. This token is the only key required to access your Discord account.įrom now on I will refer to that token as the master token, since it works like a master key for your Discord account. When you log in to your Discord account, either by entering your account credentials on the login screen, or by scanning a QR code with your Discord mobile app, Discord will send you your account token, in form of a string of data. I encourage you to contact me or at if you feel I missed anything or was mistaken. Please bear in mind that this post covers my personal point of view on how I feel the mitigations should be implemented and I am well aware that some of you may have much better ideas. ![]() In this post I will be explaining how the attacks work, what everyone can do to protect themselves and more importantly what Discord can do to mitigate such attacks. In recent weeks I thought the attackers are using some new reverse-proxy phishing techniques to hijack WebSocket sessions with similar tools to Evilginx, but in reality the hacks, I discovered, are much easier to execute than I anticipated. My focus is going to be purely on Discord account security, which should be of concern to everyone using Discord. They take over admin accounts in cryptocurrency-oriented communities to spread malware and launch further social engineering attacks. Hacking Discord accounts has suddenly become a very lucrative business for cybercriminals, who are going in for the kill, to make some easy money. Discord has somehow become a de facto official messenger application among the cryptocurrency community, with new channels oriented around NFTs, popping up like mushrooms. If this was your alt account and you are concerned about it, I suggest you just delete it.For the past couple of months, I've been hearing about increasing numbers of account takeover attacks in the Discord community. ![]() What this could of done is sent your token to the attacker or setup to intercept your network requests from discord (ie. That was pretty stupid if you did not understand the code. ![]() Another problem could be the code you might have pasted into console that gives you your token. I'm not great at malware or mischievous software, but to remove it, probably reinstall your OS like mentioned by bluewave41. If you ran the code locally on your computer then it could of downloaded scripts that remain on your computer that refresh every time your token changes. The simple fix is to stop running the code. Therefore, they constantly have access to your account. What must be happening here is that you keep putting your user token in the replit to run the code, and every time you run the code, it's sending your token to the attacker. NEVER trust any code asking for your user token that you don't understand. For it to work the user needs to understand what they've just done and the general Discord user will not be technical enough for this. That exact reason is why implementing a button to regenerate your token doesn't make sense. The reason mass DM clients work is because people don't realize they've just given their token away. Now you need to ask yourself: is someone who is dumb enough to scan a random QR code and ignore all the very obvious warning messages given to them smart enough to realize they gave their token away? You cannot (bar some crazy zero day exploit) get someone's token by simply sending them an image without any interaction. Now by image token grabber I have to assume you're referring to QR codes. If someone was to run an unknown malicious script they need to change their password which changes their token. There is no telling what this script may have done. First off, the console already has a very large clear warning deterring anyone from running an unknown script. ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |