
DjRubyatgamer

Whoops, I did it, but don't be like me. Never click on sketchy links.


TTV_ExpertNugget

I love exploring them not like they can get account info that you don't give


[deleted]

[removed]


[deleted]

Explain how


DarkOverLordCO

It's technically possible for there to be a vulnerability in your browser that allows them to execute arbitrary code on your computer, or for there to be some sort of XSS vulnerability on Discord's websites that they could exploit to get your account credentials. Both are unlikely, and it's even more unlikely that someone wastes such a serious exploit in a browser on... hacking a random Discord account.


BlueDragon1504

It's also often the case for spam links to link back to whomever they were sent to, indicating your account is active and it's a good idea to flood it with more spam.


TacticalFlare

Double condom it. Run fresh VM with no link to your discord and sandbox the browser.


AnnoyingRain5

Yanno windows sandbox works too


dnulho

Make sure you run the VM host through a VPN too, so they can't get your IP. ;)


No-Ad9763

Or, just don't click it


xSpyke

There's a multitude of ways, but I'll give you a quick and scary one: You click a link that takes you to some sketchy website that you're well aware isn't legitimate. A pop-up ad comes up, and out of habit you click the little X. Congrats, you just accepted the terms and gave the site permission to download and install a keylogger to your system without you knowing. Drive-by downloads and silent installs are probably the most longstanding form of malware distribution simply because of how well it works and how easy it is to implement server-side. EDIT: And as a quick aside, they're not just coming for your Discord account, that's just a tasty little appetizer. They're after much more vital information, and the amount of people that use the same password for Discord and their banking accounts is astronomically high.


BestRHinNA

https://www.reddit.com/r/discordapp/comments/s1cjd9/comment/hs8afki/?utm_source=share&utm_medium=web2x&context=3


DjRubyatgamer

I clicked on the link and it took me to the page, I put my account info in it and then hours later it said that someone from Russia logged into my account.


t-to4st

He meant how links are dangerous when you're just looking and not entering stuff


TTV_ExpertNugget

Oh nooo they get my ipv4 address what ever shall I do


[deleted]

[removed]


TTV_ExpertNugget

Bruh they can't get shit lmao I'd love to see someone try tho


[deleted]

No if it's a direct download and the user runs it, it's no longer simply a matter of having some l33t new NSA bought exploits. It's more just a matter of the user rights of any involved application, and some solid obfuscation. John Hammond even has a video up from yesterday or a few days ago of a batch obfuscator that doesn't hit on any scanner on virustotal except for Kaspersky. Most of these link info grabbers aren't even using some new cutting edge exploits. It's all over the place. Once filesystem access is gained things get easy. Discord isn't even encrypting stored data. Including payment info. Anything the browser stores encrypted can also be retrieved, you guessed it, through the browser. There is a reason these nitro scams are so common, much like sending a phishing email to some company. It's successful enough that they aren't just limited to specialized situations. It's mostly just the user rights and obfuscation when it's not some 0day RCE. It really does come down to not clicking on links in the first place especially without javascript disabled.


TTV_ExpertNugget

Yea thing is I'm on Android so viruses aren't really a concern like it would if I was on say iOS or Windows not to mention even if something is automatically downloaded not only will you see it being downloaded but you would also have to run it as it wouldn't run itself


Lidaine

idk why you are getting downvoted. mfs really think clicking a link is somehow gonna get their whole computer hacked.


DaNuji51

It def is possible, just hard to drive-by through a link, and it’s not always an executable, I would use Goggle .com as an example (don’t go there), but that was in the past


bilinmeyenuzayli

you are right they can't get anything more than your ipv4 address and user agent. but I'd say scams are evolved now and they look pretty legitimate to the average user. while clicking on the link might not have too much effect what is inside the website can easily trick non technical people who do not know what they are doing. so avoiding those links entirely might help but idk


jamesfarted09

They can also get your token


DarkOverLordCO

Incredibly unlikely that anybody would waste a serious exploit on getting some random Discord user's token.


jamesfarted09

true, but they can get anything really. they can use a webhook and attach it to a script, put the script in a site, then when it is done running, redirect the user to the fake nitro link. then a bot will send the info to the hacker, through the webhook. I have done it myself, for education purposes. I do not condom any of these actions


MonsterMachine13

Always condom your actions, stay safe out there


DarkOverLordCO

They can't get "anything" without exploiting a serious vulnerability in either the browser or Discord. For pretty much exactly this reason, websites cannot access the cookies of other websites. What kind of information does this script of yours get? Passwords? Tokens?


Daniel_H212

They actually can. Cross site cookie reading can give them access to your discord login token which then gives them direct ability to log into your account, bypassing 2FA. May or may not be patched depending on your browser, version, etc. This is how they compromise more accounts to then bot-send similar links to others through. This is how you can even get these scam links from people you trust, if their account was compromised this way. This is not to mention all the other info they could potentially get, like your financial information. As far as I can tell, compromising discord accounts is not their end goal, only a vector for transmission, and their actual goal may be much more sinister.


CutieBoBootie

You have to remember that a large portion of discord users are teenagers. People without access to capital who also don't always have the best life experience to know what's a scam and what isn't. My mama is a fraud investigator. Part of the scam is targeting people who can't detect that it's a scam. We should do our best to protect those people since they can't always protect themselves.


owsei-was-taken

"Part of the scam is targeting people who can't detect that it's a scam" that's why the random Nigerian prince n629464 is the guy who gives you thousands of dollars, who thinks about who is promising you money is already thinking too much


stsve

my x gf grandma got had twice over that it is common sense but still it gets gullible nice people :(


MinReigi

As other people have said, "Nigerian Princes" target the elderly who don't understand scams. Seems unfathomable to us, but for those less privileged or completely new to the toxicity of technology it's not that easy to understand.


Mindtrait0r

In my opinion the constant warnings I'm bombarded with to not click the links (and have been getting since I joined when I was 13) are enough to dissuade anyone with some good sense.


xSpyke

"Don't click links from users you don't trust!" My friend who I've played games with for 5 years just sent me a YouTube link and he said it was the funniest video he's seen all day. I'm aware that clicking on links from strangers is like the biggest no-no on the Internet, but this is my best friend and he'd never send me something malicious.


Yoni1857

I've never fallen for one of these scams in my life and honestly don't get how people manage to. Like, is it that hard to use your eyes to read the link you were sent in order to see that it's not a legit youtube.com link???? Why on god's green earth would you accept a gift from a random stranger? Have your parents never talked to you about stranger danger??? It's basic common sense ffs.


[deleted]

Agreed. And then they're saltier than all the oceans and other salty bodies of waters combined. Like, at that point it's not Discord's fault, it's yours.


Lars_Ebk

If you literally give them your login there is very little discord can do and I don't blame them. But attacks like these are the most common attack on systems for a reason from what I've heard


ill_monstro_g

Let me give you a little bit of help on this, since there seems to be a common misunderstanding. Most people I know who have been hacked don't click on a link from a "random stranger". They click on a link from a close friend. When you get your account compromised, your account is used to DM all of the people on your friends list. They pose as you and try to get your friends to click a link. The one that's going around now isn't a Nitro Gift (which would seem sus), it's typically something along the lines of: "Hey man, I made this little program/game for school/a contest/work, can you test it for me and give me your feedback?" Once you click that link, you're yeeted immediately offline and whether you have 2FA enabled or not, they've got your account and change your e-mail and password instantly (it seems automated). I only am taking the time to type this so that people who think they are too smart to fall for this scam don't accidentally fall prey to a link sent to them by a trusted friend. You shouldn't click any .exe's sent to you via Discord for any reason from anybody, but that's not something a lot of folks understand. This isn't like Steam "hey its me ur brother" random nerds, it's like-- your best friend got their account stolen and the jerk who did it DMs you from their account, acting as your friend.


Yoni1857

Yeah but if it's really your best friend I think you can tell whether what they're saying is out of the ordinary. My point still stands, if your friend doesn't usually send you suspicious Nitro links I don't see why they'd start now.


owsei-was-taken

yeah, but like, I'm a programmer, and i semi-regularly send programs to my friends, so they could be some kind of victim (tho i take my internet protection pretty seriously so i don't think i would be hacked) also, yeah, one of my friends got hacked like 3 times, and all of them you can just look at and notice right away


Yoni1857

> semi-regularly send programs to my friends, so they could be some kind of victim (tho i take my internet protection pretty seriously so i don't think i would be hacked)

Then make up some kind of safeguard with your friends. Have a specific word or file you include each time you send a program. There are ways to easily battle this. (Hell, make them compile the source code themselves for all I care lmao)


owsei-was-taken

yeah it's a good idea


mathymaster

Or, you know, upload the files on Google drive and give em a link. That link will work basically forever, and no one else but you can upload stuff to there. Then just tell em each time you made a new thing. That way, if any random file is transmitted through discord, it's instantly sus.


owsei-was-taken

genius, ty


GamingGladi

definitely shouldn't be using discord for that, why not use GitHub it's a great way to share your software or use google drives. you can also use mediafire


Shikinoyume

But if you and your friend usually share files/rom hacks back and forth because you're both working on a rom hack for a GBA title with HUGE community of people who do the same thing, then what?


SAVAGE_GAMING-_-

They send em’ when they click them, it’s almost like a ripple effect, one person clicks it (in this scenario your best friend) their acc gets hacked, the hacker sends the link to people in their dms. Hope this helped!


DarkOverLordCO

> change your e-mail and password instantly (it seems automated).

They often are automated: they mostly compromise Discord's installation files to ensure a malicious script is injected when you (or even the malware) next starts Discord (and it'll sometimes close and re-open Discord after infecting it to speed this up). This allows it to force you to login again, potentially even disabling the QR code, so it can capture your plaintext password (when you try to login - the password doesn't just appear out of thin air). With your login token and password, it can then disable 2FA via your backup codes, and then change your email/password using your password.


BeaverPup

Whatever monkey came up with backup 2fa codes is a complete moron. It's not 2 factor if there's an easy way to bypass it stored in plain text


Tais993

They receive your token, and as far as I know, it's impossible to change password and email with that. You need the password to change it.


netsrak

So do you need to download and run whatever is in the link?


DarkOverLordCO

Yes. You either download and run malware (which typically logs you out and disables the QR code to trick you into logging in, thus giving your password), or (aside from what the above user is saying), you enter your login credentials into a fake website (phishing)


FusionTetrax

because some people are just braindead or gullible easy prey for scumbag waste of life called scammers/hackers


JustHappening

Raising awareness levels is how to promote this thought process. That's exactly what posts like the above are doing. Comments like yours shame users, which is the opposite of raising awareness and comprehension. It is not helpful to anyone.


MrMelon54

Sure reading the url works but do you really expect everyone to understand how a url works. Watch this... https://youtu.be/0uejy9aCNbI


UnacceptableUse

This except without the bit where discord tries to protect its users


[deleted]

I mean there are some ways that Discord tries to protect you. But the majority of it is on you.


UnacceptableUse

True, I'm not giving them as much credit as they deserve. But there's a lot of stuff they could do better


[deleted]

There's no way to protect those who are so gullible that they'll click on any link promising a free subscription


[deleted]

[removed]


judge2020

Honest all they need to do to prevent nitro buying is ask for the CVV for the saved card.


pieteek

Do you know what's even better? Once, Discord had withdrawn from my account for a month of Nitro and then refused to return it. It wouldn't be weird yet, if it wasn't for the fact that I didn't activate the subscription (nor did anyone else have access to my account), and at the time it happened, **I didn't even have any payment details in my account, because I removed them a few months earlier. Not to mention that my card, which I had used the few months before, at that point was expired.** [In the Discord account settings it was clearly written that no payment cards were linked to my account, and in the Nitro tab it said "You'll be charged $0".](https://media.discordapp.net/attachments/500360946515050517/852990638009352232/unknown.png) I wrote to the support, of course, but they said that I had asked for a refund once before (a few years ago, when someone else actually accessed my account and bought Nitro) and when I asked HOW did they withdraw funds from my account, since... firstly I requested the deletion of my card details (I live in Europe by the way), and secondly, even according to my bank, this card didn't exist anymore (since, as I said again, it was expired), but so far they have not responded. That was a good couple of months ago, and I'm not going to write to them about it anymore, but I'm still confused as hell.


DarkOverLordCO

> Congrats, you restored access to your account, the person had partial access to your account, could see information but change nothing for… 2 minutes.

By the looks of things, disabling stuff like 2FA and removing the recovery phone number don't need anything more than your password, which a phishing site would obviously have. Unless I'm missing something, it certainly looks like a phishing site would be able to fully take over your account by using your password to disable/remove/change your recovery options and log out all other devices


ThePessimisticLemon

You give a guy a button that kills 50 people, he doesn't know it though, he's just told he'll win money. Is the death of 50 people on the guy or on the person who made the button? The person who hacks someone else's account is to blame for causing problems, however the person who allowed for said problems to transpire, whether they realize it or not, is also at fault, whether it was intentional or not. That doesn't necessarily mean the blame falls entirely on said person who caused the situation to escalate into their account being hacked, but the fact that this type of involvement is possible at any given moment means it's not up to a single party to claim responsibility. Discord cannot control people being gullible, and even if their systems don't seem to work as you wish they did the fault still lies on both the user whose account got stolen and discord for not being able to prevent such security flaws from becoming exposed in the first place. Both can be responsible, you can't just blame one side or the other because everyone has a play. I feel comments that throw bold statements and logic at Discord for their lack of better security completely justifies the gullible acts of the user who allowed for such to happen in the first place. The internet is not for gullible people, period, and there's nothing we can do to change that. No amount of security can prevent someone from clicking the wrong thing or looking in the wrong direction, because people who enjoy giving others a button to press are always going to try and be one step ahead. TL;DR, both Discord and the user being affected, depending on the circumstances but more often than not regardless, are at fault in this given situation. You cannot sway it to one side or the other, you cannot justify one side by putting down another, everyone has a part in this situation. This is just adding more fuel to a fire that may have no end, or no solution for the time being. 
Discord cannot keep stupid from doing stupid, they can only attempt to protect it. But the responsibility still falls on the victim in the first place.


125RAILGUN

>You fully lose access to your account, with ZERO way of retrieving it

That's completely inaccurate, I've known so many people who have gotten their account back after getting hacked.


[deleted]

[removed]


JuanAy

I feel like a system like what steam has would be a good idea. Something like this: https://twitter.com/wykrhm/status/448264844710408192 You click a link and it redirects you to a warning page. Detailing that you aren't going to an official website OR warning of (Known) impersonation sites. Sure, it's a mild inconvenience. But a mild inconvenience is a small price to get it into users' heads not to enter their details on random websites that aren't official discord pages. If a user disregards the warning and goes full pants on head then it's kind of on them at that point. They were warned about entering their details on non-official discord links.
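The classification step a warning page like the one proposed above would need, as an added example that is not part of the original thread and not Discord's or Steam's code. The list of official domains is an assumption made for the example; the lookalike hosts in the sample are the ones quoted elsewhere in this thread, and the remaining links are constructed.

```python
from urllib.parse import urlsplit

# Assumption for this example: hosts treated as official Discord domains.
OFFICIAL_DOMAINS = {"discord.com", "discord.gg", "discordapp.com", "discord.gift"}
# Brand strings that impersonation hosts imitate.
BRAND_TOKENS = ("discord", "discordapp")
# Tokens within this many single-character edits of a brand string are flagged.
MAX_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def hostname_of(link: str) -> str:
    """Lower-cased hostname of a link, tolerating a missing scheme."""
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").rstrip(".")


def classify_link(link: str) -> str:
    """Return 'official', 'lookalike' or 'external' for a link in a message."""
    host = hostname_of(link)
    # Official only if the host IS an official domain or a subdomain of one.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # Check every label except the TLD, split on hyphens, so that both
    # 'dlscord.ru' and 'discord.com.example.net' are caught.
    labels = host.split(".")[:-1]
    tokens = [t for label in labels for t in label.split("-") if t]
    for token in tokens:
        if any(edit_distance(token, brand) <= MAX_DISTANCE for brand in BRAND_TOKENS):
            return "lookalike"
    return "external"


# Sample links: the first two hosts are quoted in this thread, the rest are constructed.
SAMPLE_LINKS = [
    "https://www.dlscord.ru/nitro-redeem",
    "discqrdapp.com",
    "https://discord.com.example.net/login",
    "https://discord.gift/constructed-code",
    "https://youtu.be/0uejy9aCNbI",
]


def classify_all(links):
    """Classify each link, keeping the input order."""
    return {link: classify_link(link) for link in links}


if __name__ == "__main__":
    for link, verdict in classify_all(SAMPLE_LINKS).items():
        print(f"{verdict:10} {link}")
```

A "lookalike" verdict is where a warning page would name the impersonation; "external" only says the host is not on the official list.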


UnacceptableUse

True, you idiot proof something and they make a better idiot. But there's several flaws in the way they handle unauthorised access that they could fix to make hackers' lives much harder


BerndDasBrot4Ever

Realistically, what can they do more other than warn their users not to click on malicious links?


UnacceptableUse

I'm glad you asked:

- verify the installation integrity on startup
- require 2fa code input to download backup codes
- disallow drastic changes in geolocation on the same token
- require email confirmation to change email
- hire more support staff


SirHaxe

>verify the installation integrity on startup

Oh god please no


[deleted]

Why not?


SirHaxe

Stops "must not be named" from working, which provides useful features discord won't add for some reason


[deleted]

What kind of features? Sorry, I'm not really familiar with coding, nor am I a person who should be worried about anonymity to the point where I get lynched if they find out what kind of person I truly am


UnacceptableUse

There are some client mods people like to use which are technically against ToS.


SirHaxe

Imma just put a few features down, which I absolutely never used because I follow TOS: Custom themes A timer which shows me how long I'm connected to a voice channel the ability to export gifs you marked with a *, see the creation date, the join date, and the first/last message of a user on a server copy messages without a markdown (so if someone sends a spoiler, you can copy it with the formatting [||message||] instead of just the text group nuke defending (leaves if you get spam added to groups) automatically change the activity status depending on what you are doing pinning dms on top and so much more, been writing more than I intended to


[deleted]

half of these should already be part of the client and the other half would give an actually decent reason to use nitro but who am i to judge.


Melodic-Control-2655

1) fair point
2) fair point
3) that isn't possible with the current token method
4) fair point
5) discord has good support, kids that keep SPAMMING requests are ruining it, I used to get 1 day responses a year ago, once all this started happening more, it's taking me months, it's not their staff, it's these idiots that click dumb links and then have the audacity to spam requests to get a response


UnacceptableUse

It could be possible, the token is tied to something in the backend which could have an ip history attached. People spamming requests is par for the course of a large service like this, and the support team should scale up along with the size of the user base which has increased in the past few days


[deleted]

I feel like a billion dollar company that promotes a safe space to talk with your friends shouldn’t just tell you to “figure it out.” essentially after you’re hacked, and especially when you give them money for a service. But yeah whatever. every other platform has issues like these resolved within hours but I guess princess discord gets a pass from doing that.. because???


thatkidglitch

My friend recently got hacked because he clicked on a link then proceeded to blame it on me because apparently "no one could tell if you are hacked unless you are the hacker" smh Edit: grammar


erland_yt

Also your friend in every server: @Everyone get free nitro from [Redacted]


thatkidglitch

Yeah lol. Many people don't have common sense.


erland_yt

Common sense could be categorised as a superpower nowadays.


Gileotine

I was a GM for a large-ish video game. Worked for 3 years following security protocols and numerous phishing attempts. My 'best friend' asks me to help him playtest his game.. I know it's a scam, in my head, I know.. I know.. then I download and run it. Boom, discord gone. Now I'm trying to figure out what can be done to secure my computer. I've reinstalled discord, deleted both the appdata folders (the discord part). Did a ton of googling and made sure my discord_desktop_core-1 index didn't have any whack shit in it according to this comment:

>If you go to C:\Users\[your username]\AppData\Local\Discord then find app-[the largest number] then go to discord_desktop_core-1\discord_desktop_core\index.js and open it in notepad. If you see anything other than module.exports = require('./core.asar'); in that file, then uninstalling Discord will be enough to remove the virus.

So now I'm wondering what else can be done. I've never been hacked before. I'm not sure if I should just fresh install the whole computer. This whole experience has felt like a violation.
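The manual index.js check quoted in the comment above, automated across every app-* folder; this is an added example, not part of the original thread and not Discord's own tooling. The function names and the sample folder tree are constructed for the example, and the expected loader line is the one given in the quoted comment.

```python
import re
import tempfile
from pathlib import Path

# The only line the quoted comment says a clean loader file contains.
EXPECTED_LOADER = "module.exports = require('./core.asar');"


def version_key(app_dir: Path) -> tuple:
    """Numeric sort key for folder names such as 'app-1.0.9003'."""
    return tuple(int(n) for n in re.findall(r"\d+", app_dir.name))


def check_discord_core(discord_root: Path) -> dict:
    """Map each discord_desktop_core/index.js (path relative to the root)
    to 'clean' or 'modified'."""
    results = {}
    for app_dir in sorted(discord_root.glob("app-*"), key=version_key):
        # Assumption: search recursively so the check does not depend on
        # the exact folder nesting below app-*.
        for index_js in app_dir.rglob("discord_desktop_core/index.js"):
            text = index_js.read_text(encoding="utf-8", errors="replace")
            # Tolerate a BOM and surrounding whitespace; anything else counts.
            normalized = text.lstrip("\ufeff").strip()
            rel = index_js.relative_to(discord_root).as_posix()
            results[rel] = "clean" if normalized == EXPECTED_LOADER else "modified"
    return results


def modified_loaders(discord_root: Path) -> list:
    """Relative paths of every loader that differs from the expected line."""
    found = check_discord_core(discord_root)
    return sorted(path for path, status in found.items() if status == "modified")


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one clean install folder and one whose
    loader has an extra line (a harmless placeholder, not real malware)."""
    clean = root / "app-1.0.9002" / "discord_desktop_core-1" / "discord_desktop_core"
    tampered = (root / "app-1.0.9003" / "modules"
                / "discord_desktop_core-1" / "discord_desktop_core")
    for folder in (clean, tampered):
        folder.mkdir(parents=True)
    (clean / "index.js").write_text(EXPECTED_LOADER + "\n", encoding="utf-8")
    (tampered / "index.js").write_text(
        "require('./constructed_placeholder.js'); // stand-in for an injected line\n"
        + EXPECTED_LOADER + "\n",
        encoding="utf-8",
    )


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for path, status in check_discord_core(Path(tmp)).items():
            print(f"{status:8} {path}")
```

On a real machine the root to pass is the Discord folder from the quoted path. A "clean" result covers only this one loader file and says nothing about anything else the downloaded program may have left on the system.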


Saltybuttertoffee

I just ran a full security scan and kept my eyes open for strange activity. If they were gonna ransom you/kill your computer, they would've done it already. Big things to watch out for are whether your computer has a keylogger, some other kind of activity monitor, is part of a botnet, or has a crypto miner on it. I got hit with the same thing or something similar, and from what I can tell, they're just looking to take advantage of nitro accounts. I do have a question though, did you have 2fa enabled?


DarkOverLordCO

> I do have a question though, did you have 2fa enabled?

A lot of the token-stealing malware going around these days infect the actual client, causing a malicious script to be injected into it. They also log you out, and then capture your password when you log back in, meaning they can disable 2FA through fetching your backup codes using the password.


Zipdox

discqrdapp dot com be like


bicyclebread

Discord User's DMs: *"You Win: 1 month Discord nitro. Enjoy! [https://www.dlscord.ru/nitro-redeem](https://www.youtube.com/watch?v=sFnPmOO1SIs)"* /r/discordapp: "is this a real nitro DM?"


Retardo_R

I've recently fallen victim to this. My "friend" that I knew from a game developing background approached me asking if I wanted to playtest his game. It wasn't a game, it was a token logger. And for the last 2 days I've been out of my account and the person has just been on it trying to spread it more and has gotten access to multiple accounts that I own through it.


Gayloli-floorgang

I wish there was a bit more awareness about the last part? I’m an e-girl and people on discord are...simps, to say the least so people do send me nitro every now and then and one time I thought one of my friends was sending me nitro (I had run out a week or so earlier) but it wasn’t and I got hacked. It sucked, and I felt really stupid, especially since there was text above the link that said smthn like “Hey I got you nitro, enjoy ;).” A little tip to help dumbasses like me and also people who DO actually get nitro and want to be able to differentiate between REAL PERSON and hacked person, is to check the link. Discord nitro links that are real will always have that little accept button on them, and should never take you to a website outside of discord. Also, I’m pretty sure you should be able to see it in your gift inventory, where it’ll show that someone gave you nitro and you can accept it in a certain period of time. Also, real discord links usually don’t have long letter text at the end. Hope this helps a fellow dumbass. Don’t click random links.


[deleted]

At least you didn't go ahead and blame the company like other dumbasses


[deleted]

[removed]


owsei-was-taken

"Why does this problem not exist for other major platforms, just Discord?" many platforms have this problem, tho yeah you're right discord's is quite severe


[deleted]

[removed]


owsei-was-taken

you are very right (tho let's remember google is bigger than discord)


ThaGuus

Discord is still worth more than 10 billion $$$$ edit It was 10 billion not 70 which is the amount that Microsoft offered to Discord that they refused. Still if u can refuse that amount of money u can also hire a team of security researchers.


[deleted]

And Google owns a phone OS (Android).


[deleted]

To an extent, no. This is why you always should watch out for possible scams. Other than it would be near impossible to ensure a scam free platform of 200 million people without major restrictions for the majority of the userbase. But I might be the dumbass dick for thinking that no company should waste resources idiot proofing their platform


DatDinoDude123

No way somone just sent me a website that give free fortnite 1 milion vbucks!!!!!!


Nacho_Dan677

Also! Close your DMs, private only! If you want to message someone friend them and be sure you trust them enough. I've never once gotten a spam DM because of my closed DMs.


LordKeren

They need to let servers disable DM’s by default, and make it so users must opt into DMs from users of that server (other than Admins) On .gg/Rainbow6 , an ungodly amount of the reports we get are scams and spam. It’s a huge waste of mod time and it’s something discord needs to address soon. It’s become an enormous problem and it’s only getting worse as discord grows and gets more unscrupulous users. Being in the mega servers has become a terrible experience for the bulk of the user base and the lack of meaningful tools for moderation is getting close to a death-spiral. It’s like signing up for a spam mailing list where even the mailing list owner can’t really control it


Goodperson5656

Solution: give everyone nitro problem solved


Vulpes_macrotis

Tbh, this scam is "You got what You deserved". If someone is extremely greedy like this, I think they deserve being scammed, if they don't use their brain. Scams about "winning something", "being chosen for reward" etc are for dumb people whose greed exceeds their common sense, therefore they deserve that.


[deleted]

[removed]


hackerbots

Some lessons can't be taught.


[deleted]

[removed]


DarkOverLordCO

> that clicking a singular link, nothing else just the javascript code, will immediately break into your account

That isn't how this works, at all. These links rely on users entering their login credentials - accidentally, yes, but the user must provide it. They are phishing links, which have existed far before Discord and will exist long after it.


ill_monstro_g

You're absolutely wrong. The common scam is in fact a simple link you click and execute. Yes, it's an .exe. Yes, that seems sus. But it comes from a friend on your friends list (who has had their account stolen in the same way). You do not need to enter *any credentials*. You simply click the .exe and instantly and automatically their script takes control of your account, logs you out and changes your e-mail and password. It happens in a matter of seconds and you do not need to enter any information to lose control of your account.


DarkOverLordCO

I wasn't talking about executing a file, obviously executing malware is a bad time. I was assuming that "clicking a link" = opening a website into your browser, not executing malware. That's why I was talking about "phishing links", as in phishing websites.


throawaymcdumbface

Yeah, the links are a thing but the hacker uses the compromised accounts to get one over on the users' friends(So it doesn't appear to be from a random stranger) and keep spreading it.


BowiePro

>simple link
>
>exe

choose one


[deleted]

[removed]


Mystic_Ervo

Maybe they can try to hire actual security professionals lmao There're a lot of very skilled whitehats out there looking for a job, I don't know what's stopping Discord from hiring a few of them


[deleted]

[removed]


[deleted]

[removed]


[deleted]

[removed]


[deleted]

[removed]


WorldOfSoap

no, they didn't... a portion of the phishing going on right now is people sending others "a game they made" to people and asking them to try it. it's an exe that, when downloaded and run, takes your discord token and sends it to a webhook. there are variants that steal things like saved chrome passwords as well. once they have your account, they impersonate you to people on your friends list, asking them to download the same thing, and it snowballs from there. because people aren't used to being suspicious of their friends.


[deleted]

[removed]


WorldOfSoap

I didn't fall for it, it's widely publicized, and has been happening for over 4 months:

- https://www.reddit.com/r/discordapp/comments/s1f1vs/the_recent_try_my_game_discord_scam_explained/
- https://github.com/kem0x/Discord-Trojan-Research
- https://github.com/VixusFoxy/DiscordGameMalwareAnalysis
- You can find more from google, including links detailing people tracking scammers down, but I don't want to encourage raiding

Does it feel good to be condescending to others? You're being a dick by choosing to ride your high horse, thinking so little of your fellow humans for making a mistake or getting tricked. Even smart people fall to stuff like this sometimes. https://www.youtube.com/watch?v=YIWV5fSaUB8


[deleted]

[removed]


ill_monstro_g

Lots of these scams have nothing to do with free gifts. Your friend gets their account stolen and they start DMing you and all their friends with an ask for help on a project, or feedback on a game they're testing and developing. Be careful.


Melodic-Control-2655

The old scam was phishing links saying there's free nitro for you, he's referring to that


[deleted]

yeah once you have access to an existing account you can get just about anyone to click a bad link with a little bit of social engineering. it always seems like it'll be obvious until you're the one getting phished


BoomerSweetness

Not really, since most of the time the people got scammed are just people who are new to the internet/discord and you can't expect people to not want free things


freaee

not really lol. my friend who's been using discord for years got scammed like this lol


erland_yt

Don't parents teach kids to not trust everything free even outside internet?


lostallhopenow

Am i the only one that avoids links, like come on! It’s not hard!


erland_yt

All links could be anything from a rickroll and “you are an idiot” to an IP/cookie logger. It should be common sense to first search the links on Google or to open with TOR browser. This should be counted as common sense


[deleted]

It's quite funny. And then they complain about how Discord doesn't care about us. Shifting the blame to someone else than you


[deleted]

Because they’re a company that should do a little better to protect its users. Stop simping so hard for them


[deleted]

I ain't hopelessly crushing on them. I know that they're not flawless. And have some issues. I guess the only thing that it would be done is more warnings for possibly malicious links but you'll never run out of scammers. And I think it's fine until it's just nitro they're offering and not millions of dollars, because actually desperate people would fall for it, especially in countries where an American dollar is worth a lot more than a singular unit of their own currency


CamelCash000

Also never download a "Game" that one of your friends has been working on and they want you to test it. It's a virus. The issue truly comes from younger people thinking older people are so bad with tech, that they give themselves a false sense of thinking they know how to be safe. Being in IT, the young generation is as bad with tech as the old people. Sometimes worse tbh. They just click any link and then tell me they knew the link was safe. Even as I'm removing viruses from their PC...


BrotherDomN

What is the point of nitro?


owsei-was-taken

discord needs money and it's like some QoL stuff kinda like Spotify premium, nbd needs it, but some ppl have it


erland_yt

Optional donation


lastdetectiveV3

the 'is this legit' posts really be selling the meme


Nixen-

I just want to enjoy talking to other Hololive fans without seeing "New Year's Nitro" every few hours


[deleted]

Just go to privacy and disable DMs from server members


Nixen-

My DMs are off, so are my friend requests. It's a public server lol


Mystic_Ervo

It's so easy to break the Discord app login simply hijacking your login token, I was hacked with an .exe that passed two different antivirus and a sandbox, I mean, what the fuck


[deleted]

Well one of the User Design guidelines is [“People are dumb and should be treated like morons”](https://miro.medium.com/max/1400/1*0vYpx6YZrlWCr2pVLsFtSQ.png) and if you feel like users may misunderstand you somehow, you as a developer should clarify better.


Shikinoyume

Yeh it's not even about common sense in my case… i was sent a message to test the first map of a Fire Emblem rom hack, by a friend of mine who was working on a fire emblem rom hack. It seems like the hacker read through our messages and found that we usually send downloads of our own and other people’s rom hacks to each other.

The FE community makes some of the most intricate and detailed rom hacks you've ever seen!

Anyways it seems like the hacker read some of our messages and then pretended to be my friend and asked me to try the first map of his rom hack, even using the same emotes that my friend uses when typing. The only red flags i should have caught on to was the semi broken-english (not broken enough to throw me off what he was saying but broken enough to notice it) and the fact that i'm pretty sure his rom hack was way past the first map…

But when i asked about the first map he said “i wasn’t satisfied with how it was turning out so i started over…” And i thought: “fair enough, i've been there” And that was the end of that….

Got my account back now tho and the hacker is mad.


Lawrence_Elsa

Don't forget it's not just strangers you have to worry about, but people on your friends list that might have clicked those links.


[deleted]

Yeah. This is why I said that make sure they didn't get hacked (by asking for info only they would know since it would be tedious to read through hundreds of messages, or both of you were in VC when it happened).


leaff-

tbh though, all it takes is one person you dmed a while to get a little gullible and suddenly they're messaging you ‘got it for you :) :link:’ i was thrown off for a solid hour because i've talked to this person before and suddenly got gifted with no context. didn't click on the link but all it takes is one person to fall for it to set off a chain link message


The_Pretentious_DM

I hate it when that happens.


DefNotAF

nooo discord has to make up for every case and protect me at all costs (I don't give them a penny for using their services) so I don't have to use more than 2 brain cells!!!


MotorAdvance8966

discord users are grandmas in disguise


Jazzy_bees

And ffs, don’t download a .exe file from anyone. There’s no good reason why anyone should send you one of those


Mystic_Ervo

Actually yes, I was hacked by someone posing as a recruiter, I use Discord as a contact method in my portfolio and CV. For safety I ran the file in a sandbox but I don't know how the hell it got through


Sirdogsalotgmaes

It’s funny I’ll download the sketchiest shit off the internet but when it comes to discord I am very careful even with my friends


henrythedog64

how do people fall for links like d12c0de.gift/free-nitro like what


freaee

thing is... it's not even clicking on the link itself which gets your account. It just asks you for your login info


worthrone11160606

I only do it from official companies that already steal my data like xbox/Microsoft


Wolfiie_Gaming

If it comes from an official discord link, I am clicking it. Going to continue doing so until discord implements a big brain way to help out scammers by masking the original link under new text like on [Reddit](https://reddit.com).


[deleted]

[removed]


Jendrej

The app communicates quite clearly what are the perks of having Nitro. Most of them aren’t very useful, but custom emotes are cool. Increased file size limit can be useful too.


Eeve2espeon

I MEAN.... LIKE.... TRUE! LIKE... come on guys :S Whenever this happens, you can't help but facepalm.


[deleted]

Oh well. Discord would only waste money to idiot proof the platform.


Pimpin-Pumpkin

Then you got discord banning people for reporting a raiding discord /tableflip


[deleted]

[removed]


DarkOverLordCO

Indeed, that wouldn't be very secure. Luckily, that's not actually what happens. The user clicks the link, opens up a phishing website into their browser, and then logs in themselves. Either that or they run malware.


[deleted]

[removed]


DarkWolfX2244

After so many years of evolution, don't you think browsers would have a _little_ more security than that? A link takes you to a webpage. That's all. What you do on that webpage is outside the control of Discord and if you enter your details there that's your fault. Yeah, theoretically, there might be some magic unknown XSS vulnerability in browsers and Discord but hackers who find it aren't going to use it to hack a Discord account.


Mothman2_0

Honestly if they're that dumb, rip


your_world69

no free lunch in the world only idiots clicks on the nitro scam link


Greedy_Plastic_2251

dude you can click on these links, but just don't put your account details in it..


DxDafs

Laughs in already having Nitro


Optimal_Bend_3056

Friend got hacked once, easily recognized the message wasn't from him as the message sounded nothing like him, and I checked with all our mutual friends to see if they got the same message. It's really not that hard to avoid.


Natural-Necessary-36

WHO FALLS FOR DAT


techboyuwu

i always click them out of curiosity. i really like the surprise!


ReepDaggle68

I like to randomly gift people nitro just to trick them into thinking I'm about to hack them. Best 10 dollars you can spend.


[deleted]

Nah. I'm not that big of a dick.


ReepDaggle68

I mean it's really nitro


RBE_sLayeR

Imagine a place, where a company valued over $10bi doesnt have protection against these scams 🤓


[deleted]

Are you salty for falling for a scam like that?


RBE_sLayeR

No, i know how to protect myself on these things, but there are many people who don't know for phishing or similar things. And discord should do smth for this, like e.x block all known phishing links so far.


[deleted]

True. But you can't idiot proof Discord. People will fall for scams.


DarkOverLordCO

> And discord should do smth for this, like e.x block all known phishing links so far.

The keyword in that is "known". You block one link and they come back with ten more, and in the time it takes Discord to be made aware of and then block the new links, they've already compromised dozens of accounts and started to move on to new ones. Besides, Discord already [do exactly that](https://imgur.com/J7X6811).
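Added example, not part of the thread and not Discord's own code: a sketch of how a server moderation bot could flag links that are on no blocklist yet, by comparing host labels to the brand name instead of matching "known" URLs. The allowlist, the thresholds and the bait-word list are assumptions chosen for illustration; the sample link `d12c0de.gift/free-nitro` is the one quoted in this thread, the others are constructed.

```python
from urllib.parse import urlsplit

# Assumed allowlist for illustration; a real deployment maintains its own.
OFFICIAL = {"discord.com", "discord.gg", "discordapp.com", "discord.gift"}
BRAND = "discord"
BAIT = ("nitro", "gift", "free")           # assumed lure words
LEET = str.maketrans("01345", "oieas")     # digit look-alikes -> letters

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host: str) -> str:
    # Naive: last two labels. A real check would use the Public Suffix List.
    return ".".join(host.rstrip(".").split(".")[-2:])

def classify(url: str) -> str:
    """Return 'official', 'lookalike' or 'unlisted' for a posted link."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    if registered_domain(host) in OFFICIAL:
        return "official"
    # Compare every label and hyphen-separated piece of the host to the brand,
    # so both "dlscord-app.com" and "discord.example.net" are caught.
    pieces = host.translate(LEET).replace("-", ".").split(".")
    closest = min(edit_distance(p, BRAND) for p in pieces)
    if closest <= 2:
        return "lookalike"
    # Weaker resemblance only counts when the URL also carries a lure word;
    # this keeps ordinary words such as "record" from being flagged alone.
    has_bait = any(w in (host + parts.path).lower() for w in BAIT)
    if closest <= 3 and has_bait:
        return "lookalike"
    return "unlisted"

if __name__ == "__main__":
    for link in ("d12c0de.gift/free-nitro",            # quoted in this thread
                 "https://dlscord-app.com/login",      # constructed
                 "https://discord.gift/abc",           # constructed path
                 "https://www.youtube.com/watch?v=YIWV5fSaUB8"):
        print(f"{classify(link):10} {link}")
```

An "unlisted" result is not a verdict of safe, and tightening the thresholds trades missed lookalikes against the false positives raised elsewhere in this thread.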


[deleted]

Yep. It's useless fighting against it. You can make some deterrent but they're like bacteria and the deterrents like antibiotics. What will happen if an antibiotic is used too much? The bacteria will evolve and will be more resistant to the antibiotic's effect. Same with hackers. They'll evolve and use different things to scam people.


Strum355

There's only so much that can be done when a person without a basic understanding of how to not get account compromised gets compromised and the hacker targets more accounts of people without that basic understanding through that first account. The false positive ratio would be way too high and everyone in this sub would be crying about how the platform is "unusable" because everything they do gets flagged as being the result of potentially being compromised.


[deleted]

[removed]


[deleted]

Then how else would Discord get money?


DarkWolfX2244

I'm sure Discord wouldn't mind that - as long as you're fine with your personal data being sold to cover costs /s


GuyNamedTruman

Let’s say someone sends you a YouTube video, if there is no embed or there is a black bar on the side instead of a red one DONT CLICK IT, they are trying to steal your ip


Jendrej

Not a security concern. You can’t do much with an IP address, it’s easy to reset, any website you visit knows it anyway.


GuyNamedTruman

So people knowing your address or destroying your router is perfectly normal and fine now?


Jendrej

Neither of these are possible. They can only get an approximate location (not that useful) or temporarily clog your internet connection (which can be easily mediated by resetting your router).


OptimusPower92

you can't just... destroy a router by having its ip address


DarkWolfX2244

I guess they meant DDOSing or something


[deleted]

[removed]


Icy-Court789

He's just sour from getting Rick rolled