@linuswillner
Last active May 30, 2022 01:43
Public service announcement from The Coding Den staff about social engineering being utilised as an attack vector for server takeovers

Today, on the 27th of March 2021, The Coding Den was subjected to a social engineering attack that led to a brief hostile takeover of the server before the situation was brought under control by staff. We are sharing this statement as a public service announcement on the methodology used in the scam and on possible remediations, in order to help other staff teams avoid becoming victims of it.

Methodology

The attack proceeds as follows:

  1. The attacker will look for a staff member who is presently offline. This will ensure that it appears as if the staff member's account was globally banned and forcefully booted offline.
  2. It is within the attacker's interest to choose a target with the highest possible privileges (to do the maximum amount of damage), meaning that they will likely prefer administrators over moderators and so forth.
  3. The attacker will create a new Discord account with the same name and profile picture as the target.
  4. The attacker will approach a staff member, claiming that their main account got disabled for some terms of service or community guidelines violation (they may state which). They may even post a screenshot of the login screen showing them allegedly unable to log in. However, one giveaway may be that, should they not know the victim's email address, they obscure the email address in the image. See the image below and note how the email address is conveniently missing from the picture.

[Image: screenshot captioned "disabled"]

  5. The attacker may also try to imitate the speech patterns and vocabulary of the person they are impersonating to make the scam more convincing.
  6. Should the staff member fall for the attack and (re-)grant the attacker their privileges, the attacker now has free rein on the server and can do whatever they please.

Remediation

Here are some remediations for this attack as suggested by the community, including us. We will pin useful contributions from the comments in this thread here to give them added visibility.

@linuswillner:

We recommend that staff teams set up a reliable protocol for authenticating staff members who have lost access to their accounts. One of the more straightforward ways is to set up a chat channel on another platform (examples include messaging platforms such as WhatsApp or Telegram) and require contact via that channel if a staff member loses access to their account on Discord. There are other options, too; the core requirement is that staff members need to be able to reach one another on a platform other than Discord.

Another option is to set up a secure authentication system that requires staff members to provide some sort of credential that is known only to them (as in the real person) and to key members of the staff team. For example, asking the person to log in to an internal system and make some kind of benign change can serve this purpose.
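The shared-credential option above made concrete, as an added example that is not The Coding Den's own tooling: key staff issue a fresh, single-use, time-limited challenge; only the real staff member, holding a secret agreed out of band in advance, can compute the correct response. The registry contents, the 15-minute validity window and the staff handle "alice" are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

CHALLENGE_TTL = 15 * 60  # seconds a challenge stays valid (constructed policy value)

# Constructed registry: staff handle -> secret agreed out of band (e.g. in person).
# Only the real staff member and the verifying key staff ever hold this value.
STAFF_SECRETS = {"alice": b"constructed-example-secret-for-alice"}


def respond(challenge: dict, secret: bytes) -> str:
    """Computed by the claimant on a device that still holds the shared secret.
    An impersonator with a copied name and avatar has no way to produce this."""
    msg = f"{challenge['handle']}|{challenge['nonce']}|{challenge['issued_at']}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class StaffVerifier:
    """Key-staff side: remembers what it issued, enforces single use and expiry,
    and compares the response in constant time."""

    def __init__(self, registry: dict):
        self.registry = registry
        self.pending = {}  # nonce -> challenge we issued and have not yet consumed

    def issue_challenge(self, handle: str, now: Optional[float] = None) -> dict:
        if handle not in self.registry:
            raise KeyError(f"no pre-shared credential registered for {handle!r}")
        challenge = {"handle": handle,
                     "nonce": secrets.token_hex(16),
                     "issued_at": int(now if now is not None else time.time())}
        self.pending[challenge["nonce"]] = challenge
        return challenge

    def verify(self, nonce: str, response: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = now if now is not None else time.time()
        # pop() makes every challenge single use: a wrong guess burns it and a
        # captured good response cannot be replayed later.
        challenge = self.pending.pop(nonce, None)
        if challenge is None:
            return False, "unknown or already used challenge"
        if now - challenge["issued_at"] > CHALLENGE_TTL:
            return False, "challenge expired"
        expected = respond(challenge, self.registry[challenge["handle"]])
        if not hmac.compare_digest(expected, response):
            return False, "bad response"  # wrong or missing secret: the impersonator's case
        return True, "verified"
```

A positive result only proves possession of the secret; pair it with the waiting period and team-wide consultation suggested in the comments below rather than treating it as the sole gate.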

@lemonsaurus (comment):

One thing you may want to consider is that these attacks are extremely time-critical for the attacker. If they impersonate someone and that person comes online, the whole thing falls apart.

For that reason, it's worth considering delaying any action that grants additional permissions until a certain amount of time has passed, even if you do believe this person to be who they say they are. If you wait 72 hours before taking action, chances are pretty good that the person who was offline will have come back online, unless they happen to be on vacation or something.

Even better is if senior staff in an organisation know each other's voices and faces, then a video call could be used for verification.

@itsHobbes (comment):

External communication is always useful, but equally vulnerable to loss of access. I would recommend some additional items:

1. Don't do anything without multiple levels of verification. - Ask them about topics of conversation in DMs and staff channels. Ask them to post on their social media, discord, email, github, etc.
2. Communicate with the rest of your staff team before doing anything. - The staff member that may or may not have lost their account might just be invisible and DMing another staff member. Someone else on the team may have private comms with the individual. There are many opportunities for others to have some idea of what is going on.
3. Don't rush - Losing access to your Discord account for whatever reason isn't a reason to rush into things. The staff team should be able to moderate without an individual for some time, and that individual should be able to cope without their Discord account while Discord sorts out whatever problem they have.

@HexF (comment):

Another way I could see verification working is through the use of encryption technologies such as OpenPGP, having a staff member digitally sign a message to prove they are who they say. This way an attacker has to effectively compromise a staff member's system and keylog the password for the key, making it incredibly difficult to do.

Author's note: While this is a very decent approach, and probably the most cryptographically secure one at that, it's probably quite a lot to ask from someone who isn't tech-savvy and already acquainted with the PGP keychain. It may work for communities where staff members fit the above description (like those centred around science and technology), but not all staff teams fit that description. Furthermore, it's probably the option that requires the most setup in both the technical and the procedural department.

Conclusion

We wanted to share this public service announcement to alert other staff teams on Discord to this kind of attack spreading throughout the platform, and to how to identify its (admittedly few) warning signs. Should the attacker be allowed to gain Administrator permissions, for example, they can do significant damage to the server, including deleting channels, mass banning members, and so forth.

We hope this statement keeps other staff teams from falling for this same attack. Stay safe.

Signed,
The Coding Den staff

Written by:
Linus Willner
Co-Owner, The Coding Den

@passivedragon

The suggested solutions seem a bit overengineered to me; Discord has offered easy personal verification for a good while: voice and video calls.
Staff should know each other to a level that enables effective cooperation and coordination. If that doesn't reach a level where staff interact via VC, then that may be that, but it is quick and effective, and a no-tolerance policy about avoiding or skipping VC verification can serve as a pretty solid bar. To be noted as well, text and voice communication inherently differ for the vast majority of people, which makes it even easier to identify scamming.

@jamieatYGR

From the raiders myself, I've done this to 100s+ partnered servers / influencers, 3.5mil member count to be exact, but we have stopped. By leaking this method, you're allowing other nukers to use this ( not as well as me :) ) and use it on other servers... Bear in mind there's over 2million servers on Discord; people can use it anywhere. Also, getting Discord staff to threaten 15 year olds to involve a legal department over Discord servers ( Edward ) doesn't help either.
Anyways, peace.

@Sphexi

Sphexi commented Mar 29, 2021

> By leaking this method, you're allowing other nukers to use this ( not as well as me :) ) and use it on other servers.

Social engineering isn't new and it's not really a "method", nothing here is earth shattering at all. The benefits of documenting what happened and having an open discussion around potential methods to combat it far outweigh some people finding out that social engineering exists.

@Twisted-Code

Twisted-Code commented Mar 31, 2021

> By leaking this method, you're allowing other nukers to use this ( not as well as me :) ) and use it on other servers...

As @Sphexi said, there's nothing particularly new to this attack. Presumably the only reason it even worked was that Linus wasn't fully on guard to think about the authenticity of the attacker. (I.e., the same reason so many other social engineering attacks work.)
@linuswillner, as I said in DM a few hours ago, thank you for the transparency, and I don't hold it against you. It could have happened to anyone. Thanks also for the write-up detailing what to look out for. Although I don't think my personal server is currently vulnerable to this (due to size), that says nothing of the future, and besides, stuff like this is always at the very least intellectually interesting to me.

@greenbigfrog

I don't think using visual and/or voice checks done online is a valid way of verifying authenticity anymore. In person, sure, but that's not really what we're talking about here.

I'd like to emphasize the "No need to rush" part mentioned above.
