Why do official Discord accounts always get hacked? SlowMist reveals hacker traps


In recent years, the rapid development of blockchain technology has led to the emergence of many platforms. Among them, Discord has become an important communication platform for the cryptocurrency, NFT, and decentralized application (DApps) communities due to its flexible settings and multifunctionality. It attracts users to track airdrop information and early investment opportunities. However, with opportunities come risks. Some speculators use Discord for scams, employing social engineering and phishing attacks to steal users' funds and personal information, making Discord a platform where investment opportunities and potential risks coexist.

On September 4th, the founder of the cybersecurity firm SlowMist retweeted a post about hackers enticing users to add a malicious bookmark to their browser in order to steal the user's "Discord Token", an encrypted credential derived from the Discord username and password when the account is created; whoever holds the Token can take over the account.

As of 2024, Discord Token theft incidents have been on the rise. According to a report, Discord security incidents have increased by 140% in the past year, with Token theft being a primary concern. Another notable event involved hackers stealing private information through the Gnus.AI Discord channel and exploiting a minting vulnerability, resulting in losses of $1.27 million.


Common Discord Token Attack Methods:

  • Malware and Token Stealers: Malicious software like BlackPlague and Blitzed Grabber are designed to steal Discord Tokens. Once a Token is stolen, hackers can bypass password authentication and gain access to user accounts to perform malicious activities.
  • Server Penetration: Hackers gaining access to server administrator Tokens can cause widespread damage to servers, including changing settings, deleting channels, and banning members.
  • Webhook Abuse: Attackers exploit Discord's Webhook feature to remotely control and exfiltrate information, using these Webhooks to send malicious messages or steal sensitive information.
  • Third-Party Service Platform Data Breach: In August 2023, the third-party service Discord.io was breached, resulting in the personal information of approximately 760,000 users being exposed, further exacerbating Discord-related security risks.

This article draws on the analysis of the cybersecurity team SlowMist to explain Discord Token vulnerabilities and show how hackers use malicious browser bookmarks to steal users' Discord Tokens.

Phishing with Malicious Browser Bookmarks to Steal Discord Tokens

Back in 2022, a Discord group related to the NFT project Wizard Pass was infiltrated by hackers, resulting in the theft of NFTs such as BAYC, Doodles, and Clone X.

(Original Source https://twitter.com/SerpentAU/status/1503232270219431941)

After the post, someone replied:

The reply mentioned: "A bookmark is a feature in a browser (like Google Chrome) that can contain JavaScript code. When a Discord user clicks on it, the malicious code runs on Discord, stealing the Token. Once the hacker obtains the Token, they can easily control the Discord account and permissions."

SlowMist's Breakdown of a Real Case

In the example below, the victim opened the Discord official website and clicked on a malicious bookmark "Hello, World!" which popped up a small window, showing the source as discord.com.

Browsers enforce a "same-origin policy" so that pages from different domains cannot interfere with each other. A bookmark, however, runs its JavaScript as a user-triggered action in the context of whatever page is currently open, so malicious code placed in a bookmark executes on discord.com itself, posing a threat to account security.
Upon clicking, vigilant readers may notice something suspicious about the URL.
Another tactic is to directly prompt users to drag the page to their bookmark bar (red box "Drag this to your bookmarked").
Dragging a link to the bookmark bar adds a bookmark. If the phishing message is enticing enough, users with low awareness may easily fall for it.

Implementing this functionality only requires creating an <a> tag whose link is a "javascript:" URL. Below is an example code snippet:

Clicking the bookmark executes the code as if it were the page's own script, outside the control of the page's Content Security Policy.

Comparison of Google Chrome and Firefox

Readers may wonder why the browser shows no alert when a "javascript:" link is added to the bookmark bar. SlowMist compares Google Chrome and Firefox to address this.

Using Google Chrome as an example:

On the left, when dragging a normal URL to become a bookmark, the browser does not show any editing prompts.

Similarly, on the right, dragging a malicious URL does not prompt any alerts.

What about Firefox?

On the left, when dragging a normal URL, Firefox behaves like Google Chrome and does not show any editing prompts.

Interestingly, on the right, when dragging a malicious URL, Firefox prompts a warning for user confirmation.

This shows that Firefox is stricter than Chrome when it comes to adding such bookmarks.

SlowMist's demonstration uses Google Chrome and assumes the user is logged in to the web version of Discord and has added a malicious bookmark under the guidance of a phishing website.

Clicking the bookmark triggers malicious code, and the user's Token and other personal information are sent to the hacker's channel via a Discord webhook.

Additional Attack Details that May Raise Questions

  • Why do victims fall for it so easily?
    From the above, it is clear that bookmarks can insert JavaScript code that can practically do anything, including obtaining information through Discord's webpackChunkdiscord_app frontend code module. However, detailed attack code will not be provided to prevent malicious behavior.
  • Why do attackers choose to use Discord webhooks to receive data?
    Using Discord's main domain in the webhook format, like https://discord.com/api/webhooks/xxxxxx, helps bypass issues like the same-origin policy. Readers can create a Discord webhook to test this themselves.
  • What can attackers do once they have the Token?
    Having the Token is equivalent to logging into a Discord account, allowing the attacker to perform any actions as if logged in, such as creating Discord webhook bots to post announcements or fake news for phishing attacks within channels.
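Because the stolen data is sent to discord.com itself, a domain-based allow or deny list cannot tell this exfiltration apart from ordinary Discord use; the distinguishing feature is the webhook execute path. The following script, added here as an illustration and not part of SlowMist's material, flags webhook executions in egress proxy logs. The log format, client addresses, webhook IDs and tokens are all constructed for the example.

```python
"""Flag Discord webhook executions (POST/PATCH) in egress proxy logs.

Added example: the proxy log format below is constructed, as are the
webhook IDs and tokens, which are placeholders rather than real values.
"""
import re
from dataclasses import dataclass

# Webhook execute URL shape: https://discord.com/api/webhooks/<id>/<token>
# The legacy discordapp.com host and the ptb/canary hosts share the path.
WEBHOOK_RE = re.compile(
    r"https?://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]+)"
)

# Constructed proxy line layout: <timestamp> <client-ip> <method> <url> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)


@dataclass
class WebhookHit:
    ts: str
    client: str
    method: str
    webhook_id: str        # useful for reporting the webhook to Discord
    token_redacted: str    # never write the full token into an alert


def redact(token: str) -> str:
    """Keep just enough of the token to correlate alerts without exposing it."""
    return token[:4] + "..." + token[-2:] if len(token) > 8 else "***"


def scan_logs(lines):
    """Return a WebhookHit for every log line that executes a Discord webhook.

    GET requests are ignored: reading webhook metadata is not the exfil
    primitive described in the article; sending a message (POST) is.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        w = WEBHOOK_RE.search(m["url"])
        if w and m["method"] in ("POST", "PATCH"):
            hits.append(WebhookHit(m["ts"], m["client"], m["method"],
                                   w["id"], redact(w["token"])))
    return hits


# Constructed sample log (not real traffic): one normal Discord page load,
# one webhook POST, one harmless GET, one POST to the legacy host.
SAMPLE_LOG = """\
2024-09-04T10:12:01Z 10.0.0.5 GET https://discord.com/channels/@me 200
2024-09-04T10:12:03Z 10.0.0.5 POST https://discord.com/api/webhooks/123456789012345678/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789 204
2024-09-04T10:12:05Z 10.0.0.7 GET https://discord.com/api/webhooks/123456789012345678/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789 200
2024-09-04T10:12:09Z 10.0.0.9 POST https://discordapp.com/api/webhooks/987654321098765432/zyxwvutsrqponmlkjihgfedcba9876543210 204
""".splitlines()

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOG):
        print(f"[!] {hit.ts} {hit.client} {hit.method} webhook {hit.webhook_id} "
              f"token={hit.token_redacted}")
```

A hit from a workstation that is not known to run an integration is worth a look: the webhook ID identifies the receiving channel for a report to Discord, and the client address identifies the machine whose bookmarks and extensions should be checked.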

Recommended Actions for Victims to Remediate

  1. Immediately reset the Discord account password.
  2. After resetting the password, log back into Discord and refresh the Token to invalidate the Token in the hacker's possession.
  3. Delete and replace existing webhook links as the old ones have been compromised.
  4. Enhance security awareness, check for suspicious bookmarks, and delete any malicious bookmarks added.
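Step 4, checking for suspicious bookmarks, can be scripted. The following Python script is an added example (not SlowMist's code): it walks the JSON "Bookmarks" file that Chrome and other Chromium browsers keep in the profile directory and reports every bookmark whose link runs script instead of navigating. The bookmark tree embedded below is constructed so the script runs offline; `load_chrome_bookmarks` reads a real profile.

```python
"""Find bookmarklets (javascript:/data: links) in a Chromium "Bookmarks" file.

Added example. The SAMPLE tree below is constructed; a real scan loads the
"Bookmarks" JSON file from the browser profile directory.
"""
import json
import re
from pathlib import Path

# Browsers discard control characters and leading whitespace before reading
# the scheme, so "  JaVa\tScript:" still runs; normalise the same way.
_SCHEME_NOISE = re.compile(r"[\x00-\x20]")
_RISKY_SCHEMES = ("javascript:", "data:", "vbscript:")


def normalize_scheme(url: str) -> str:
    """Lowercase the URL with control characters and spaces removed."""
    return _SCHEME_NOISE.sub("", url).lower()


def is_bookmarklet(url: str) -> bool:
    """True if clicking the bookmark would execute code rather than navigate."""
    return normalize_scheme(url).startswith(_RISKY_SCHEMES)


def walk(node, path=()):
    """Yield (folder_path, name, url) for every bookmark under a Chrome node."""
    if node.get("type") == "url":
        yield path, node.get("name", ""), node.get("url", "")
    for child in node.get("children", []):
        yield from walk(child, path + (node.get("name", ""),))


def find_bookmarklets(bookmarks: dict) -> list:
    """Return every bookmark in the tree whose URL runs script."""
    hits = []
    for root in bookmarks.get("roots", {}).values():
        if not isinstance(root, dict):      # skip any non-folder metadata
            continue
        for path, name, url in walk(root):
            if is_bookmarklet(url):
                hits.append({
                    "folder": "/".join(p for p in path if p),
                    "name": name,
                    "url": url[:80],        # truncate: the payload may be long
                })
    return hits


def load_chrome_bookmarks(profile_dir: Path) -> dict:
    """Load the Bookmarks JSON from a Chromium profile directory."""
    return json.loads((profile_dir / "Bookmarks").read_text(encoding="utf-8"))


# Constructed sample (not a real profile): a normal Discord link, a
# bookmarklet disguised as "Hello, World!" like the one in the article,
# and one whose scheme is padded to dodge a naive startswith check.
SAMPLE = {
    "version": 1,
    "roots": {
        "bookmark_bar": {
            "type": "folder", "name": "Bookmarks bar",
            "children": [
                {"type": "url", "name": "Discord", "url": "https://discord.com/app"},
                {"type": "url", "name": "Hello, World!",
                 "url": "javascript:alert(document.domain)"},
                {"type": "folder", "name": "Airdrops", "children": [
                    {"type": "url", "name": "Claim", "url": "  JaVa\tScript:void(0)"},
                ]},
            ],
        },
        "other": {"type": "folder", "name": "Other bookmarks", "children": []},
    },
}

if __name__ == "__main__":
    for hit in find_bookmarklets(SAMPLE):
        print(f"[!] bookmarklet in '{hit['folder']}': {hit['name']!r} -> {hit['url']}")
```

Run it against each profile's Bookmarks file (close the browser first so the file is not being rewritten). Any "javascript:" entry the user does not recognise should be deleted before the password reset in step 1, otherwise the bookmark can steal the new Token just as easily.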

If readers are interested in SlowMist's approach to blockchain phishing scams and other cybersecurity issues and are technically inclined, they can refer to SlowMist's "Blockchain Dark Forest Selfguard Handbook."

We must remain vigilant and cautious when using or adding any code or links of unknown origin. Many bookmarklets and extensions circulating online look convenient and practical, but the browser does not inspect a bookmark's code and cannot block malicious behavior once it runs. Every manual execution should therefore be treated with caution to avoid falling victim to hacker intrusions.