BforeAI Blog

[SCAM ALERT 065] - Discord

Written by Agatha | Nov 21, 2022 12:49:44 PM


Discord is a free communications app that lets you share voice, video, and text chat with friends, game communities, and developers. It has hundreds of millions of users, making it one of the most popular ways to connect with people online.

During our PreCrime internet scout of November 16th 2022 we identified suspicious markers across multiple vectors. One of those was this website spoof that could be targeting unsuspecting customers of Discord.


The Attack

Malicious domain

dyne-verification.deedenio[.]click/login


Created on November 15, 2022
Identified by Bfore.Ai on November 16, 2022

Legitimate site

discord[.]com

 


Why is this a threat?

This malicious domain is an example of brand impersonation, where a threat actor poses as a legitimate brand in order to steal sensitive information such as credentials and bank account numbers. Brands such as Apple, Netflix and DHL are popular targets because of their trusted names and their large, global customer bases. Threat actors use various techniques to convince victims that a fake website is real. One of them is typosquatting, where the attacker registers a domain name that closely resembles the brand's own: swapping one letter for another, or inserting an extra letter, in the hope that victims will not notice (exannple.com instead of example.com, for instance). The domain in this alert takes a different route: the registrable domain, deedenio[.]click, has nothing to do with Discord, and the impersonation is carried by the subdomain label and by the cloned login page itself. Brand impersonation does not only lead to stolen credentials; it can also result in theft of personal and financial details, or in malware infection, for both private consumers and global corporations, depending on the target and the end goal of the threat actor.
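The two tricks described above can be checked mechanically. The script below is an added example, not BforeAI's code or tooling: it flags registrable domains within a small edit distance of a protected brand (the exannple.com case, including digit-for-letter homoglyphs) and brand or lure keywords placed in labels of an otherwise unrelated domain (the pattern of the domain in this alert). The brand list, lure words and confusable map are assumptions; a real deployment would list every legitimate domain the brand owns and use the Public Suffix List to find the registrable domain instead of taking the last two labels.

```python
"""Flag hostnames that look like, or borrow the name of, a protected brand.

Added example (not BforeAI's code). Brand list, lure words and confusable
map are assumptions chosen for illustration.
"""
from typing import Dict, List

# Brand domains to protect, each with the keyword that identifies the brand.
BRANDS: Dict[str, List[str]] = {
    "discord.com": ["discord"],
    "example.com": ["example"],
}

# Generic lure words that phishing hostnames tend to carry (weak on their own).
LURE_WORDS = ("verification", "verify", "login", "signin", "secure", "account")

# Visually confusable sequences, normalised before labels are compared.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def normalise(label: str) -> str:
    """Collapse common homoglyph sequences so disc0rd and discord compare equal."""
    for seq, repl in CONFUSABLES.items():
        label = label.replace(seq, repl)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels: a naive stand-in for a Public Suffix List lookup."""
    return ".".join(host.split(".")[-2:])


def assess(host: str, max_distance: int = 2) -> List[str]:
    """Return the impersonation findings for one hostname (empty if none)."""
    host = host.strip().lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in BRANDS:
        return []  # the brand's own domain, or a subdomain of it
    findings: List[str] = []
    norm_host = normalise(host)
    reg_label = normalise(reg.split(".")[0])
    for brand_domain, keywords in BRANDS.items():
        brand_label = normalise(brand_domain.split(".")[0])
        distance = levenshtein(reg_label, brand_label)
        if distance <= max_distance:
            findings.append(f"lookalike of {brand_domain}: {reg} (edit distance {distance})")
        for kw in keywords:
            if kw in norm_host:
                findings.append(f"brand keyword '{kw}' on unrelated domain {reg}")
    for word in LURE_WORDS:
        if word in norm_host:
            findings.append(f"lure word '{word}' in hostname")
    return findings


if __name__ == "__main__":
    # Constructed sample: the domain from this alert, two classic lookalikes,
    # and the brand's real domain for contrast.
    for h in ("dyno-verification.deedenio.click", "exannple.com",
              "disc0rd-login.badsite.net", "discord.com"):
        print(h, "->", assess(h) or "no findings")
```

The alert's own domain only trips the weak lure-word check, which is exactly why a content and registration check (age, registrant, cloned page) has to follow a name check rather than replace it.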

In this instance, threat actors are targeting Discord, an instant messaging and social platform with over 300 million registered users, over 140 million monthly active users and more than 900 companies using it. With such a large user base, threat actors are more likely to conduct a wide-scale attack, targeting many individuals and companies at once in the hope that someone will fall for the scam.

The malicious domain leads users to a cloned Discord login page where they are asked to sign in with their Discord email address or phone number and password. The page behaves very much like the legitimate site, with small differences. First, the QR code that the legitimate site shows for logging in with the Discord mobile app never fully loads on the malicious site. Second, when clicking on "Register", links for the Terms of Service and Privacy Policy appear, as shown in the image below.

On the malicious site these links lead to an error page (Cannot GET /privacy and Cannot GET /terms), which is the default "not found" response of an Express.js web server: the clone copied the login form but not the rest of the site. You can see the difference from the legitimate domain in the images below.


Malicious site

 
Legitimate site

 

Entering credentials into this site hands them to the threat actor. Once stolen, they will likely be put up for sale on dark web marketplaces, giving other threat actors access to individual user data and the ability to conduct further attacks. Some of the stolen credentials are likely to be reused work credentials, which could give threat actors a foothold in a company's internal network, exposing it to financial loss, leakage of sensitive and confidential data, and further attacks such as ransomware. The attack path is illustrated below, detailing how a brand impersonation domain can lead to further attacks.

 

Threats to different groups:
  • With 130 million USD in revenue in 2020, a cyber incident at Discord could result in losses of roughly 520,000 USD to 1,170,000 USD.

  • Companies connected to Discord run the risk of a data breach, which as of 2022 costs around 4.35 million USD.

  • Individual consumers who fall for this attempt to harvest their personal information could lose between 2,000 and 3,000 USD.



 
Identification and threat analysis

Threat Indicators
  • Newly registered domain: created November 15 2022, observed two days later

  • Malicious domain impersonating Discord and asking users to validate their login credentials

  • Registrant is a privacy/proxy registration service incorporated in Saint Kitts and Nevis (1337 Services LLC), so the operator's identity and location are hidden

  • Resolves to shared Cloudflare anycast addresses (AS13335) with a poor aggregate reputation; because those addresses are shared by many unrelated zones, this is weak evidence on its own

  • 90-day wildcard TLS certificate for *.deedenio.click from Google Trust Services; normal for automatically issued (ACME) certificates, so informational rather than an indicator on its own

 

Every site on the internet is reached through an IP address, which is 'translated' (resolved) from the domain name that is typed in. In the graph below, the malicious domain resolves to three IP addresses with over 2,000 communicating files (a mix of .APK, .EXE and .PDF), many of them malicious (not all pictured). This shows that those addresses have previously served malware and been connected to other domains with malicious activity, giving them a low reputation. One caveat a practitioner should keep in mind: all three addresses belong to Cloudflare (AS13335) and are anycast edges shared by a very large number of unrelated zones, the legitimate discord[.]com included, so a poor reputation on the address is not by itself evidence against this particular domain. The domain-level indicators (age, registrant, cloned content) carry the weight here.


VirusTotal Graph

The technical report below contrasts the malicious domain with Discord's legitimate domain. The malicious domain was registered two days before it was observed, through Tucows Domains Inc., with a privacy/proxy registrant (1337 Services LLC, Saint Kitts and Nevis) standing in for the operator's identity; discord[.]com was registered in 2000 and sits with Cloudflare's registrar. The malicious domain's certificate is a 90-day wildcard from Google Trust Services. Short validity is not in itself a sign of malicious intent: automatically issued (ACME) certificates, including those in front of many legitimate Cloudflare-proxied sites, last 90 days, while the certificate on discord[.]com happens to be valid for one year. What distinguishes the phishing zone is its age, the anonymised registrant, the lack of any MX record for a zone that asks for account credentials, and the cloned login content. See further details below.

 

Technical Report

Domain
  Malicious:    dyno-verification.deedenio[.]click/login
  Legitimate:   discord[.]com

Registrar
  Malicious:    Tucows Domains Inc.
  Legitimate:   CloudFlare, Inc.

Registrant Organisation
  Malicious:    1337 Services LLC
  Legitimate:   Data redacted

Registrant Country
  Malicious:    Saint Kitts and Nevis
  Legitimate:   United States

Domain Creation and Expiration
  Malicious:    2 days old; created on 2022-11-15, expires on 2023-11-15, updated on 2022-11-15
  Legitimate:   8,046 days old; created on 2000-11-06, expires on 2025-11-06, updated on 2021-09-28

Certificate
  Malicious:    Issued by Google Trust Services LLC to *.deedenio.click; 14-11-2022 -> 12-02-2023 (valid for 3 months)
  Legitimate:   Issued by Cloudflare, Inc. to Cloudflare, Inc.; 19-12-2022 -> 19-12-2023 (valid for 1 year)

Name Servers
  Malicious:    dolly.ns.cloudflare.com, sullivan.ns.cloudflare.com
  Legitimate:   gabe.ns.cloudflare.com, sima.ns.cloudflare.com

MX record
  Malicious:    N/A
  Legitimate:   aspmx.l.google.com, aspmx2.googlemail.com, aspmx3.googlemail.com, alt1.aspmx.l.google.com, alt2.aspmx.l.google.com

Last seen active
  Malicious:    17 November 2022
  Legitimate:   17 November 2022

IP address
  Malicious:    104.21.93.67 (Virginia, United States; AS13335 Cloudflare, Inc.; ISP: American Registry Internet Numbers)
                172.67.206.44, 72.64.80.1 (Toronto, Canada; AS13335 Cloudflare, Inc.; ISP: Cloudflare, Inc.)
  Legitimate:   162.159.128.233 (California, United States; AS13335 Cloudflare, Inc.; ISP: Cloudflare, Inc.)
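The reasoning in the threat-indicator list and the two paragraphs preceding the technical report can be encoded as a small triage routine. The script below is an added example, not BforeAI's tooling: the two records are constructed from the values printed in the technical report above, and the field names, the 30-day "new domain" threshold and the privacy/proxy registrant list are assumptions. It deliberately does not treat a 90-day certificate or IP reputation on a shared Cloudflare edge as indicators, for the reasons given above.

```python
"""Triage a domain from registration, certificate and hosting metadata.

Added example (not BforeAI's tooling). Records are constructed from the
values in this post's technical report; field names and thresholds are
assumptions.
"""
from datetime import date, datetime
from typing import Dict, List, Tuple

# Registrant organisations belonging to privacy/proxy registration services
# (assumption: extend from your own WHOIS experience).
PRIVACY_PROXY_ORGS = {"1337 Services LLC"}

# Autonomous systems whose addresses are shared CDN/anycast edges, so IP
# reputation there says nothing about one particular zone.
SHARED_EDGE_ASNS = {"AS13335"}


def parse_date(text: str) -> date:
    """Accept both 'YYYY-MM-DD' (WHOIS lines) and 'DD-MM-YYYY' (certificate lines)."""
    for fmt in ("%Y-%m-%d", "%d-%m-%Y"):
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {text!r}")


def cert_window(text: str) -> Tuple[date, date]:
    """Parse the report's 'not-before -> not-after' certificate line."""
    start, end = (parse_date(part) for part in text.split("->"))
    return start, end


# Constructed from the technical report (malicious zone and legitimate site).
MALICIOUS: Dict = {
    "host": "dyno-verification.deedenio.click",
    "created": "2022-11-15",
    "observed": "2022-11-17",
    "registrant_org": "1337 Services LLC",
    "cert_validity": "14-11-2022 -> 12-02-2023",
    "mx": [],
    "asn": "AS13335",
}

LEGITIMATE: Dict = {
    "host": "discord.com",
    "created": "2000-11-06",
    "observed": "2022-11-17",
    "registrant_org": "Data redacted",  # GDPR-style redaction, not a proxy service
    "cert_validity": "19-12-2022 -> 19-12-2023",
    "mx": ["aspmx.l.google.com", "alt1.aspmx.l.google.com"],
    "asn": "AS13335",
}


def domain_age_days(rec: Dict) -> int:
    return (parse_date(rec["observed"]) - parse_date(rec["created"])).days


def cert_lifetime_days(rec: Dict) -> int:
    start, end = cert_window(rec["cert_validity"])
    return (end - start).days


def triage(rec: Dict, max_new_days: int = 30) -> List[str]:
    """Return only the indicators that actually separate the phishing zone."""
    flags: List[str] = []
    age = domain_age_days(rec)
    if age < max_new_days:
        flags.append(f"registered {age} days before observation")
    if rec["registrant_org"] in PRIVACY_PROXY_ORGS:
        flags.append("registrant is a privacy/proxy service, not the operator")
    if not rec["mx"]:
        flags.append("no MX record: zone serves a login page but cannot receive mail")
    # Deliberately not flagged: a ~90-day certificate is what ACME CAs such as
    # Google Trust Services issue to everyone, and IP reputation on a shared
    # anycast edge is not attributable to this zone (see informational()).
    return flags


def informational(rec: Dict) -> List[str]:
    """Context worth printing next to the flags, but not evidence on its own."""
    notes = [f"certificate lifetime {cert_lifetime_days(rec)} days"]
    if rec["asn"] in SHARED_EDGE_ASNS:
        notes.append("hosted on a shared CDN edge; ignore IP-level reputation")
    return notes


if __name__ == "__main__":
    for rec in (MALICIOUS, LEGITIMATE):
        print(rec["host"], "flags:", triage(rec) or "none", "| info:", informational(rec))
```

Run as-is, the malicious record produces three flags and the legitimate record none, while both carry the same "shared CDN edge" note, which is the point: the hosting and certificate columns of the report look alike for both sites, and only the registration and content columns discriminate.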



How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks are stopped before they even reach their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators per day, we have you covered no matter where the attack comes from. With a false positive rate of only 0.05%, you can stop wasting time chasing false alerts. With our PreCrime and PreEmpt technologies, we measure how far ahead of an attack's start we act, moving faster than the attackers.

Accepting that the only defense is good detection is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information!

 

Bfore.Ai’s recommendations

Every day, adversarial tactics become more collaborative, technologically advanced and rapid; at this rate, you simply can't afford to wait for the next attack before you react. Here are some recommendations from our team:

  • Pay close attention to the URL, in particular to the registrable domain (here deedenio[.]click, not discord[.]com), since the labels to its left can say anything the attacker wants

  • Check connection security indicators (the lock), keeping in mind that the lock only means the connection is encrypted: this phishing site has a valid certificate too, so the lock alone does not prove the site is genuine

  • Read emails carefully

  • Look for trust seals

 

 




Appendix

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.