
Is Discord the New Playground for Cybercriminals?

In recent years, the rise of social media platforms and their widespread usage have significantly impacted various aspects of society, including communication, collaboration, and information sharing.

One such platform that has gained immense popularity is Discord, initially designed to provide a convenient platform for gamers to communicate with one another.

However, as its user base has expanded beyond gaming communities, concerns have arisen regarding its potential exploitation by cybercriminals who seek new avenues for illicit activities. The growing interest in Discord’s potential role as a breeding ground for cybercriminal activities stems from several factors that make it an attractive target.

Read on to explore the extent to which Discord serves as a playground for cybercriminals by examining its use in facilitating illegal activities and the inherent vulnerabilities within cryptocurrency exchanges that make them susceptible targets.

What is Discord?

Discord [1] is a communication platform designed for gaming communities that has become increasingly popular among a wider audience. Discord is available as a desktop, mobile, and web app, making it easily accessible to users on all devices.

Initially designed as a voice and text chat application for gamers to communicate while playing online games, it now serves as a versatile platform for people from all over the world to connect through voice, video and text messaging.

With features such as customisable servers, channels, and groups that users can create or join based on their interests or affiliations, Discord has attracted 514 million registered users as of June 2023 [2].

Despite these benefits offered by Discord, concerns have been raised about how this ease of access may be exploited by cybercriminals seeking new avenues to engage in illicit activities or prey on unsuspecting users.

How Is It Used by Cybercriminals?

Cybercriminal activity [3] has found a thriving environment within the popular communication platform, where various malicious strategies are employed to compromise user security and exploit vulnerabilities.

These individuals can create servers or join existing ones to share hacking tools and resources, sell stolen data, communicate with other criminals without revealing their identity using Discord’s anonymity feature, and even coordinate large-scale cyber attacks.

Phishing attacks are among the most common, where attackers manipulate users into providing sensitive information like login credentials or clicking on malicious links. Custom account checkers or ‘cracking’ tools shared through Discord allow cybercriminals to verify the validity of stolen credentials on various platforms before selling them in bulk.

Fake sites disguised as legitimate services may also be promoted via Discord channels; these sites often contain phishing pages designed to steal users’ login information.

Threat Actors and Malicious Actors

Malware

Discord has been used in a campaign involving malicious spam emails [4] with DHL or TNT themes and links to Discord URLs. These URLs host AveMaria and AgentTesla malware, which infects users’ machines upon execution.

Recently reported incidents also include a trojan called AnarchyGrabber [5] that is spread on Discord as a game cheat or hacking tool, with the latest version being known as AnarchyGrabber3. The trojan modifies the Discord client’s JavaScript files to steal a victim’s Discord user token, allowing the attacker to log in to Discord as the victim.

The only way to remove AnarchyGrabber3 is to uninstall the Discord client and install it again.

Underground Forums & Compromised Accounts

Some threat groups still use Discord to host malware payloads [6]. Some groups leverage the content delivery network of Discord, while others use its webhooks feature. Cybercriminals also use Discord to share programs, media, play games and automate tasks.
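A defender can look for both delivery paths described above in web proxy or EDR network logs. The following is an added example, not code from the original article: the log layout, sample lines, file-extension list and the rule that only the Discord client should talk to webhook endpoints are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Hostnames Discord uses for uploaded attachments and for its API.
CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
API_HOSTS = {"discord.com", "discordapp.com"}
# Assumed list of file types that should rarely be pulled from a chat CDN.
RISKY_EXT = (".exe", ".dll", ".scr", ".msi", ".iso", ".zip", ".rar",
             ".7z", ".js", ".vbs", ".ps1", ".bat", ".lnk")
WEBHOOK_PATH = re.compile(r"^/api(?:/v\d+)?/webhooks/\d+/")

# Constructed proxy log lines: time, host, process, method, URL.
SAMPLE_LOG = """\
2023-07-01T09:12:03Z ws-014 outlook.exe GET https://cdn.discordapp.com/attachments/111/222/DHL_invoice.exe
2023-07-01T09:12:40Z ws-014 DHL_invoice.exe POST https://discord.com/api/webhooks/333/EXAMPLE-TOKEN
2023-07-01T09:15:10Z ws-020 Discord.exe GET https://cdn.discordapp.com/attachments/444/555/screenshot.png
2023-07-01T09:16:00Z ws-020 Discord.exe POST https://discord.com/api/v9/channels/666/messages
"""


def classify(line):
    """Return (host, reason) for a suspicious log line, otherwise None."""
    parts = line.split()
    if len(parts) != 5:
        return None  # malformed line: skip it instead of raising
    _, host, process, method, url = parts
    target = urlsplit(url)
    name = (target.hostname or "").lower()
    path = target.path.lower()
    if (name in CDN_HOSTS and path.startswith("/attachments/")
            and path.endswith(RISKY_EXT)):
        return host, "risky file type fetched from Discord CDN"
    # Assumption: only the Discord client itself has a reason to call the API.
    if (name in API_HOSTS and method == "POST" and WEBHOOK_PATH.match(path)
            and not process.lower().startswith("discord")):
        return host, "webhook POST from non-Discord process"
    return None


def scan(log_text):
    """Classify every line and keep only the hits, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for host, reason in scan(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

Ordinary image downloads and chat traffic from the Discord client pass through unflagged, which keeps the alert volume manageable on networks where Discord is permitted.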

Underground forums still play a role in cybercrimes on Discord, but they are becoming less popular as cybercriminals shift to more encrypted platforms like Telegram. Cybercriminals adjust their operations in response to security threats and scrutiny from the US government.

Discord’s adoption by cybercriminals may also benefit cybersecurity vendors in identifying TTPs in the formative stages.

Examples of Cyber Threats Posed by Discord Users

Sales of Stolen Credit Card Info

Stolen credit card information [7] offered for sale includes email addresses, passwords, phone numbers, and home addresses.

Cybercriminals also offer tools for cracking accounts, such as OpenBullet, software that automates hacking tactics like credential stuffing and brute force attacks, exploiting weak passwords.

The tool was released in May on the GitHub code platform and quickly proliferated as hackers modified it to make it easy to configure and deploy. Additionally, hackers are using Discord to sell counterfeit cash, with one server called “The Money House” offering to sell forged hundred-dollar bills. To avoid tracking, customers pay in Bitcoin.

Furthermore, some hackers use loyalty points from American Express, Hilton, and Delta accounts instead of stolen credit cards to avoid warning systems.

These loyalty points are sold on a “Nightmare Market” server, which was taken down in 2019 but reappeared on Discord. A server administrator provides instructions on how to cash out compromised accounts and even how to hack accounts oneself.

Fake Cryptocurrency Scams

Discord has also attracted scammers who target users with fake cryptocurrency exchange schemes [8].

The scammers send private messages to victims on Discord cryptocurrency servers that appear to come from a trading platform offering free Bitcoin or Ethereum. The message includes detailed instructions, a code for redeeming the gift, and a link to register on the exchange.

Once the victim clicks the link, they are taken to a site that looks like a legitimate cryptocurrency exchange, with an adaptive layout, trading charts, and technical support.

The victim is then asked to either make a small cryptocurrency deposit or complete a Know Your Customer (KYC) identity check. The scammers appear to collect a personal information database to sell on the dark web.

After registration, the victim attempts to activate the prize key, which appears to add Bitcoin or Ethereum to their account.

However, when they attempt to transfer the coins to their wallet, they encounter roadblocks. The scammers claim they need a top-up, typically 0.02 BTC or an equivalent amount in Ethereum or US dollars.

Safeguarding Your Organisation from Cybercrimes on Discord

Enable Two-Factor Authentication (2FA)

Two-Factor Authentication (2FA) adds an extra layer of security to your organisation’s Discord server by requiring users to authenticate their login using a second method, such as a mobile device.

Encourage all members of your organisation to enable 2FA on their Discord accounts and consider making it mandatory for users with administrative privileges.

Moderate User Roles and Permissions

Create roles with specific permissions and designate them to users based on their responsibilities within the organisation.

Limit the number of users with administrative privileges to minimise the risk of unauthorised access to sensitive information. Additionally, avoid giving permissions unnecessary for a user’s role, such as the ability to delete messages or manage server settings.
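The role review described above can be automated against an export of the server's roles. This is an added example, not code from the original article: the permission bit values are Discord's documented flags, while the role names, the sample export and the ALLOWED policy are hypothetical.

```python
import json

# Discord permission bit flags, as listed in Discord's developer documentation.
SENSITIVE = {
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_GUILD": 1 << 5,      # manage server settings
    "MANAGE_MESSAGES": 1 << 13,  # delete other users' messages
    "MANAGE_ROLES": 1 << 28,
    "MANAGE_WEBHOOKS": 1 << 29,
}

# Constructed sample in the shape of a server role list (id, name, permissions).
ROLES_JSON = """[
  {"id": "1", "name": "@everyone",  "permissions": "3072"},
  {"id": "2", "name": "Owner",      "permissions": "8"},
  {"id": "3", "name": "Moderator",  "permissions": "11264"},
  {"id": "4", "name": "Events",     "permissions": "11296"},
  {"id": "5", "name": "Bot-Helper", "permissions": "3080"}
]"""

# Hypothetical policy: the sensitive permissions each role is meant to hold.
ALLOWED = {"Owner": {"ADMINISTRATOR"}, "Moderator": {"MANAGE_MESSAGES"}}


def sensitive_permissions(bitfield):
    """Decode a permissions bitfield into the sensitive flags it grants."""
    if bitfield & SENSITIVE["ADMINISTRATOR"]:
        # Administrator overrides every other permission, so report it alone.
        return {"ADMINISTRATOR"}
    return {name for name, bit in SENSITIVE.items() if bitfield & bit}


def audit_roles(roles_json, allowed):
    """Map each role name to the sensitive permissions it holds beyond policy."""
    findings = {}
    for role in json.loads(roles_json):
        permitted = allowed.get(role["name"], set())
        if "ADMINISTRATOR" in permitted:
            continue  # a role approved as administrator cannot exceed policy
        # The API serialises the bitfield as a decimal string.
        excess = sensitive_permissions(int(role["permissions"])) - permitted
        if excess:
            findings[role["name"]] = sorted(excess)
    return findings


if __name__ == "__main__":
    for name, perms in audit_roles(ROLES_JSON, ALLOWED).items():
        print(f"{name}: remove {', '.join(perms)}")
```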

Monitor Server Activity

Regularly monitoring your organisation’s Discord server can help you detect any unusual activity that may indicate a security breach. Consider appointing trusted moderators to assist with monitoring and managing the server.

Utilise Discord’s built-in audit logs [9] to track changes made within the server, such as role assignments and channel creations. In addition, consider using third-party moderation bots to automate specific tasks, such as detecting and removing spam or inappropriate content.

Educate Your Employees About Phishing Attacks On Discord

Train your organisation’s members about the risk of phishing attacks and how to identify potential scams. Remind users not to click on suspicious links, even if they appear to come from a trusted source, and to report any phishing attempts to server administrators immediately.

We, at Grayscale, are committed to helping organisations protect themselves against cyber threats on Discord, as well as other online platforms.

Contact us today at enquiries@grayscale.my to learn more about our security solutions and how we can help you safeguard your organisation’s data, systems, and reputation.
