Cybercriminals are taking an old trick to newer places: Twitter and Discord.
Users of both platforms have been warned to be on the lookout for direct messages claiming that their account has been flagged for bad behavior (in the case of Twitter) or that X-rated photographs of them have been uploaded to chat servers dedicated to shaming people (in the case of Discord).
In both instances, the scam is designed to harvest credentials by tricking marks into logging into what they think is Twitter or Discord to resolve the issue. The login details are then used by the crooks to compromise those accounts and contact others.
If you see a message like this, skip it. Log into the app or service directly and check for notifications there.
Back in the day, one of The Register’s own vultures was on the receiving end of one of these scams: an email blackmailing the mark into paying a ransom to prevent the leak of an explicit, compromising video that didn’t actually exist.
Bleeping Computer, which documented the Twitter phishing campaign when one of its own writers was targeted, said the scam is focused on hoodwinking verified Twitter users, whose compromised accounts are used to lend an air of legitimacy to private messages to other marks, warning them that their profiles are being locked out for hate speech unless they log in to address the matter.
The tricky thing about this Twitter campaign is how complicated the attackers’ fake login pages can get. These phishing pages appear to be using Twitter’s APIs to grab users’ profile images and verify that passwords entered into the fake login page were correct.
The Twitter campaign closely mirrors a Facebook phishing campaign that circumvented two-factor authentication with similar phishing sites. It’s unknown if the two scams are related.
Discord users, on the other hand, are being lured to servers with names like Hall of Shame, Name & Shame, and Shame|Exposing|Packing|Arguments. When the invitation is clicked, users are prompted to scan a QR code linked to a bot that takes over the victim’s account before sending the same message to everyone in the hijacked account’s contact list.
Avoiding ‘this you?’ scams
People get phished – even those you expect to be on top of these sorts of things – so no-one should assume their level of technical expertise exempts them from risk.
Malwarebytes recommends not taking any social media messages too seriously. “If they’re providing login links tied to threats of suspension, you’re better off visiting the site and contacting support directly,” the biz’s Chris Boyd advised. Twitter users should also be sure they’re using two-factor authentication (2FA).
As for Discord users, staying safe requires a few more steps, said Boyd. He recommended all Discord users enable 2FA, and server administrators should make sure 2FA is required for admins server-wide.
In addition, Discord users should check their privacy settings under Safe Direct Messaging. Look for a box labeled “Keep Me Safe” and ensure it’s ticked, and set DM security to only allow direct messages from members of the same Discord server.
Netizens should also consider restricting who can send Discord friend requests, and report suspicious accounts to Discord as soon as they’re identified. ®
source: The Register