I get asked all the time if Discord is a safe platform, and I find myself unable to give an easy and decisive answer. I use Discord, and maintain and administer multiple Discord servers, and find it to be a great platform for my use cases. However, due to its ease of use, it has also attracted a ton of different bad actors of various varieties. Discord has used by gaming communities, social communities, and legitimate grassroots groups, however, Discord has also been used by extremists to organize, by predators and zoo sadists to post “dog whistles” and find fellow predators, and so on. Discord as a platform isn’t good or bad, but it provides the tools for anyone to start their own text/voice/video chat community. One thing’s for sure, Discord is popular and it’s here to stay – as such, it’s already being targeted by some innovative phishers.
I received this message from somebody on my friend list today. This is somebody that I know casually online and talk to occasionally. However, my friend didn’t send this message. Her account was compromised in a phishing scheme, and was used to distribute these messages to everyone on her friend list. Take a look:
Given my experience, I immediately knew that was likely an automated message sent compromised account. This friend and I simply talk on direct messages occasionally, and they’ve never invited me to a Discord server before. Certainly, if they wanted me to join, they’d send me a more personalized message than “watch general”, right? I was, however, curious as to where this particular rabbit hole led to. So against all practical advice, I did what I am directing all of you reading not to do, and I joined the server.
Upon joining, I was immediately greeted with what appeared to be an anti-bot verification prompt. A lot of Discord servers utilize CAPTCHA verification or other forms of protection in order to protect against raids and unauthorized bots. A short prompt and an invitation to click the “verify” button. That can’t possibly be malicious, right? Right? … Well, wrong.
Well, curiosity may have killed the cat, but I’m a wolf – so why not? I did what you shouldn’t do, and I clicked the verify button. If this were a valid verification system, I would have been directed to a website to complete a CAPTCHA, asked verification questions, or asked about why I wanted to join the server. Unfortunately, I was not asked to do any of these tasks. I was asked to scan a QR code. Why a QR code?
… Wait, doesn’t Discord have a system that allows you to login using QR codes? Doesn’t this login method also bypass two-factor authentication? It all makes sense now! This is a clever phishing attempt! It’s the new version of those emails claiming to be from your bank that aren’t really from your bank. Instead of directing you to a webpage to type your Discord credentials, the malicious actor only wishes for you to scan the QR code instead.
Users have been long trained against clicking links in suspicious emails, but a simple QR code seems innocent enough. Unfortunately, at the time of my investigation, there were a good number of users in the malicious server that likely fell prey to this attempt. The good news is, I reported my findings to Discord trust and safety at approximately 2:01 PM PST on the date of writing this post, action has been taken to shut down this specific malicious server. This, sadly, seems to be a common attack and more will pop up.
SO SAYS THE WOLF. THE OWLS ARE NOT WHAT THEY SEEM.