- Report this article
Bob Yang, MSIM
Bob Yang, MSIM
Senior Fraud Analyst @ Tiktok
Published Jan 31, 2023
+ Follow
Happy (Lunar) New Year, everybody. This is a continuation of the Social Engineering series, focusing on how bad actors utilize varying techniques to phish information or hijack account credentials from unsuspecting users. We’re starting off with a slightly more technical example today.
Discord is a voice chat and messaging application that is gaining steam in recent years. Initially marketed towards video game fans, it has become a popular platform for communities in all sorts of fields and subjects. Like any self-respecting account-based social application, Discord offers 2 factor authentication (2FA) as a security measure, but a recent popular attack vector is able to completely bypass this.
Enter the Discord Token Grabber. This is a type of credential stealing malware that is able to sneak through 2FA, allowing attackers to wreak havoc on a victim’s account. Information stolen ranges from tokens, passwords, system information, IP address, key-logging, etc.
The standard vector is to trick an unaware user into clicking on a link, downloading a file or running an executable. Particularly clumsy attacks usually take the form of basic deception tactics such as “does this blurb I wrote look good to you?” or “can you take one minute to test this app I’ve been working on”. Attackers use the friends tab on hijacked accounts to look for victims to further phish. When it’s someone you recognize, the potential for a successful attack is exponentially more likely.
Recommended by LinkedIn
For the more vigilant users who operate on a strict zero-trust approach of never clicking links or downloading files, keep practicing your approach but be aware that the more proficient attackers have been utilizing Discord bots as a method to transport malware payloads. These are especially dangerous as they are written with cross-platform language, allowing them to infect different operating systems and they run right-out-of-the-box so no installation prompts need to be bypassed in order to function. What might look like an unassuming YouTube music player or a basic solitaire simulator could be a cover for credentials theft.
If you use Discord, absolutely turn on these settings in the “Privacy and Safety” tab.
It’s best to never interact with anyone you don’t know if they direct message you, and be wary of any Discord webhook or bot, even if it’s in a public server. For the more technical user who wish to host a bot, run it in a virtual machine environment first with a dummy account before hosting with your actual account. Lastly, absolutely do not enter credentials into any login form via a link, the website may be spoofed or there's a keylogger attached.
Like
Celebrate
Support
Love
Insightful
Funny
3
2 Comments
Annika Z.
Sr. IS Business Systems Analyst (Product Analyst) at Amgen
1y
- Report this comment
I'm surprised Discord allows so many bots. It seems like new ones are constantly appearing and getting used in thousands of servers.
1Reaction 2Reactions
See more comments
To view or add a comment, sign in
More articles by Bob Yang, MSIM
-
Why SSO is Better
See AlsoHow to get your Discord tokenMar 6, 2024
Why SSO is Better
This is a series that seeks to address misconceptions regarding information security. Today we’ll discuss single…
-
Feb 23, 2024
Common Payment Scams: PayPal, Venmo, Stripe & more
If there’s anything that my anti-fraud experience has taught me, it’s that a little caution goes a long way. While you…
2
-
Cassandra Syndrome - Why Companies Tend to Not Heed Warnings
Mar 4, 2023
Cassandra Syndrome - Why Companies Tend to Not Heed Warnings
In classical Greek mythology, there is a story regarding Cassandra, a priestess of Troy. In a moment of cruel irony…
9
1 Comment
-
Social Engineering - Robo-calls
Nov 30, 2022
Social Engineering - Robo-calls
Robocalls. The mere mention of this portmanteau elicits irritated feelings, and with good reason: the FCC estimates…
13
-
The Person you just added on LinkedIn might be Fake
Sep 20, 2022
The Person you just added on LinkedIn might be Fake
A recent trend amongst my colleagues is an uptick in connection requests from total strangers. While this is not out of…
12
3 Comments
See all articles
Sign in
Stay updated on your professional world
Sign in
By clicking Continue to join or sign in, you agree to LinkedIn’s User Agreement, Privacy Policy, and Cookie Policy.
New to LinkedIn? Join now
Insights from the community
- Game Development How can you protect against social engineering attacks in online games?
- Mobile Communications How can you secure your SMS messages from social engineering threats?
- Consumer Electronics How can you secure CE devices against social engineering attacks?
- Mobile Communications How can you design mobile apps that resist social engineering attacks?
- Security Awareness How can you identify goals and methods of social engineering attacks?
- Technical Support How can you identify a social engineering attack?
- Security Awareness How can you make your passwords strong enough to resist social engineering?
- Information Technology How do you protect against social engineering attacks?
- Information Systems What should you know about social engineering attacks?
- Consumer Electronics How can you design software for Consumer Electronics to resist social engineering attacks?
Others also viewed
- Social Engineering Mahmud Ibrahim kani 2y
- Social Engineering is a New Cybersecurity Threat to Modern Businesses Gleb Myrko 6y
- Social Engineering PR Teknologiia 7y
- What is Social Engineering? Kenneth May 3y
- The Art of Deception: Staying Safe from Social Engineering Attacks null NEU 1y
- Hire a Hacker Review | What is Social Engineering? DVIUS HACKER 1y
- How Hackers Use Triggers: Protect Yourself From Social Engineering Attacks Gaurav Vashisht 7mo
- Cyber criminals release hard to recognize social engineering scam. Stu Sjouwerman, SACP 8y
- It’s a Hack Jackie Knott 3y
Explore topics
- Sales
- Marketing
- IT Services
- Business Administration
- HR Management
- Engineering
- Soft Skills
- See All