[SCAM ALERT 065] – Discord

SCAM ALERT-4

Discord is a free communications app that lets you share voice, video, and text chat with friends, game communities, and developers. It has hundreds of millions of users, making it one of the most popular ways to connect with people online.

During our PreCrime internet scout of November 16th 2022 we identified suspicious markers across multiple vectors. One of those was this website spoof that could be targeting unsuspecting customers of Discord.

The Attack

Malicious domain
discord 1

dyne-verification.deedenio[.]click/login

Created on November 15, 2022
Identified by Bfore.Ai on November 16, 2022

Legitimate sitediscord2

discord[.]com


Why is this a threat ?

This malicious domain is an example of brand impersonation, where a threat actor impersonates a legitimate brand in order to steal sensitive information such as credentials and bank account numbers. In general, brands such as Apple, Netflix and DHL are popular targets for brand impersonation due to their trusted name as well as large and global customer base. Threat actors use various techniques in order to trick victims into believing the fake website is real. One such technique is typo squatting, wherein threat actors register a domain name that is similar to another organisation or brands own domain name. In many cases this includes exchanging a letter in the URL to something else, or adding another letter in the hopes that victims will not notice. An example of this could be, exannple.com, instead of example.com. Brand impersonation does not just lead to stolen credentials, but could also lead to theft of personal data and financial details, and/or result in malware infection for both private consumers and global corporations depending on the target and end goal of the threat actor.

In this instance, threat actors are targeting Discord, an instant messaging social platform with over 300 million registered users, over 140 million monthly active users and more than 900 companies using Discord. With such a large customer base, threat actors are more likely to conduct a wide scale attack, targeting many individuals and companies at the same time in hopes that someone will fall for the scam.

The malicious domain leads users to a scam Discord login website where customers are asked to sign into their account using their email or phone number and password for Discord. The malicious domain works very similarly to the legitimate site, however, with small differences. First, the QR code that appears on the legitimate site allowing users to login with the Discord mobile app, never fully loads on the malicious site. Second, when clicking on register account, two links for Terms of Service and Privacy Policy appear as shown in the image below.

discord3

When clicking on the links on the malicious site, they lead the user to an error site (Cannot GET /privacy and Cannot GET /terms). You can see the difference with the legitimate domain in the images below.

Malicious site

malicious1discord malicious2discord
Legitimate site
legitimate1discord legitimate2discord

Entering your credentials into this site will give the threat actor access to the users private details. Once the credentials are stolen, they will likely be put for sale on dark web marketplaces, giving other threat actors access to individual user data and the ability to conduct further attacks. Some of these stolen credentials are likely to be work credentials, which would give threat actors access to a company’s internal network, leaving them vulnerable to financial loss, sensitive and confidential data leaking, as well as further cyber attacks such as ransomware. The attack path is illustrated below, detailing how a brand impersonation domain can lead to further attacks.

discord timeline
Threats to different groups:
  • With 130 million in revenue in 2020: a cyber incident of Discord could result in the loss of up towards 520.000 USD – 1.170.000 USD

  • Companies connected to Discord could run the risk of a data breach which as of 2022 could result in the loss of around 4,35 million USD.

  • If individual consumers were to become a victim of this attempt to gain their personal information over the internet, they could lose between 2-3 thousand USD.

Identification and threat analysis
Threat Indicators
  • Newly registered site – November 15 2022

  • Malicious domain impersonating Discord asking users to validate their login credentials

  • Domain registered in Saint Kitts and Nevis

  • IP addresses engage in malicious behaviour

  • SSL certificate expires after three months

Every site on the internet is found using an IP address, which is ‘translated’ from the domain name that is typed in. In the graph below, we can see that the malicious domain resolves to three IP (Internet Protocol) addresses with over 2000 communicating files (a mix of .APK, .EXE, .PDF), many of them malicious (not all pictured). This shows that the IP address has previously hosted malware and been connected to other domains with malicious activity giving the IP address a low reputation that will most likely pose a risk to internet users who come across it by engaging in malicious behaviour.

virus total discordVirusTotal Graph

The Technical report below helps emphasise the difference between the malicious domain, and the legitimate domain from Discord. The legitimate domain is registered with CloudFlare, Inc. whereas the malicious domain is registered under Tucows Domains Inc. Additionally, the SSL certificate for the malicious domain expires after three months indicating malicious intent. Legitimate companies will more commonly ensure their certificate lasts at least 1 year. See further details below.

Technical Report

Domain

dyno-verification.deedenio[.]click/login

discord[.]com

Registrar

Tucows Domains Inc.

CloudFlare, Inc.

Registrant Organisation

1337 Services LLC

Data redacted

Registrant Country

Saint Kitts and Nevis

United States

Domain Creation and Expiration

2 days old

Created on 2022-11-15
Expires on 2023-11-15
Updated on 2022-11-15

8,046 days old

Created on 2000-11-06
Expires on 2025-11-06
Updated on 2021-09-28

Certificate

Issued by: Google Trust Services LLC

Issued to: *.deedenio.click

14-11-2022 -> 12-02-2023

Valid for 3 months

Issued by: Cloudflare, Inc.

Issued to: Cloudflare, Inc.

19-12-2022 -> 19-12-2023

Valid for 1 year

Name Servers

dolly.ns.cloudflare.com

sullivan.ns.cloudflare.com

gabe.ns.cloudflare.com

sima.ns.cloudflare.com

MX record

N/A

aspmx.l.google.com

aspmx2.googlemail.com

aspmx3.googlemail.com

alt1.aspmx.l.google.com

alt2.aspmx.l.google.com

Last seen active

17 November 2022

17 November 2022

IP address

104.21.93.67

Virginia, United States

AS13335 Cloudflare, Inc.

ISP: American Registry Internet Numbers

172.67.206.44, 72.64.80.1

Toronto, Canada

AS13335 Cloudflare, Inc.

ISP: Cloudflare, Inc.

162.159.128.233

California, United States

AS13335 Cloudflare, Inc.

ISP: Cloudflare, Inc.

How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators per day we got you covered no matter where the attack comes from. Only 0.05% false positive rate, stop wasting time in false alerts chasing. By launching our PreCrime and PreEmpt technologies, we measure our anticipation from an attack starting, faster than attackers.

Accepting that the only defense is good detection, is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information !

Bfore.Ai’s recommendations

Every day, adversarial tactics become more collaborative, technologically advanced, and rapid – and at this rate, you simply can’t afford to wait for the next attack before you react. Here are some recommendations from our team :

  • Pay close attention to the URL
  • Check connection security indicators (the lock)
  • Read emails carefully
  • Look for trust seals

Appendix

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client’s own compliance responsibilities. This report does not constitute a guarantee or assurance of Client’s compliance with any law, regulation or standard.