A number of Discord communities focused on cryptocurrency have been hacked this past month after their administrators were tricked into running malicious Javascript code disguised as a Web browser bookmark.
This attack involves malicious Javascript that is added to one’s browser by dragging a component from a web page to one’s browser bookmarks.
According to interviews with victims, several of the attacks began with an interview request from someone posing as a reporter for a crypto-focused news outlet online. Those who take the bait are sent a link to a Discord server that appears to be the official Discord of the crypto news site, where they are asked to complete a verification step to validate their identity.
As shown in this YouTube video, the verification process involves dragging a button from the phony crypto news Discord server to the bookmarks bar in one’s Web browser. From there, the visitor is instructed to go back to discord.com and then click the new bookmark to complete the verification process.
However, the bookmark is actually a clever snippet of Javascript that quietly grabs the user’s Discord token and sends it to the scammer’s website. The attacker then loads the stolen token into their own browser session and (usually late at night after the admins are asleep) posts an announcement in the targeted Discord about an exclusive “airdrop,” “NFT mint event” or some other potential money-making opportunity for the Discord members.
The unsuspecting Discord members click the link provided by the compromised administrator account, and are asked to connect their crypto wallet to the scammer’s site, where it asks for unlimited spend approvals on their tokens, and subsequently drains the balance of any valuable accounts.
Meanwhile, anyone in the compromised Discord channel who notices the scam and replies is banned, and their messages are deleted by the compromised admin account.
Nicholas Scavuzzo is an associate at Ocean Protocol, which describes itself as an “open-source protocol that aims to allow businesses and individuals to exchange and monetize data and data-based services.” On May 22, an administrator for Ocean Protocol’s Discord server clicked a link in a direct message from a community member that prompted them to prove their identity by dragging a link to their bookmarks.
Scavuzzo, who is based in Maine, said the attackers waited until around midnight in his time zone before using the administrator’s account to send out an unauthorized message about a new Ocean airdrop.
Scavuzzo said the administrator’s account was hijacked even though she had multi-factor authentication turned on.
“A CAPTCHA bot that allows Discord cookies to be accessed by the person hosting the CAPTCHA,” was how Scavuzzo described the attack. “I’ve seen all kinds of crypto scams, but I’ve never seen one like this.”
In this conversation, “Ana | Ocean” is a compromised Discord server administrator account promoting a phony airdrop.
Importantly, the stolen token only works for the attackers as long as its rightful owner doesn’t log out and back in, or else change their credentials.
Assuming the administrator can log in, that is. In Ocean’s case, one of the first things the intruders did once they swiped the administrator’s token was change the server’s access controls and remove all core Ocean team members from the server.
Fortunately for Ocean, Scavuzzo was able to reach the operator of the server that hosts the Discord channel, and have the channel’s settings reverted to normal.
“Thankfully, we are a globally distributed team, so we have people awake at all hours,” Scavuzzo said, noting that Ocean is not aware of any Discord community members who fell for the phony airdrop offer, which was live for about 30 minutes. “This could have been a lot worse.”
On May 26, Aura Network reported on Twitter that its Discord server was compromised in a phishing attack that resulted in the deletion of Discord channels and the dissemination of fake Aura Network Airdrop Campaign links.
On May 27, Nahmii, a cryptocurrency technology based on the Ethereum blockchain, warned on Twitter that one of its community moderators on Discord was compromised and posting fake airdrop details.
On May 9, MetrixCoin reported that its Discord server was hacked, with fake airdrop details pushed to all users.
KrebsOnSecurity recently heard from a trusted source in the cybersecurity industry who dealt firsthand with one of these attacks and asked to remain anonymous.
“I do pro bono Discord security work for a few Discords, and I was approached by one of these fake journalists,” the source said. “I played along and got the link to their Discord, where they were pretending to be journalists from the Cryptonews website using several accounts.”
The source took note of all the Discord IDs of the admins of the fake Cryptonews Discord, so that he could ensure they were blocked from the Discords he helps to secure.
“Since I’ve been doing this for a while now, I’ve built up a substantial database of Discord users and messages, so often I can see these scammers’ history on Discord,” the source said.
In this case, he noticed a user with the “CEO” role in the fake Cryptonews Discord had been seen previously under another username, “Levatax.” Searching on that Discord ID and username revealed a young Turkish coder named Berk Yilmaz whose GitHub page linked to the very same Discord ID as the scammer CEO.
Reached via instant message on Telegram, Levatax said he’s had no involvement in such schemes, and that he hasn’t been on Discord since his Microsoft Outlook account was hacked months ago.
“The interesting thing [is] that I didn’t use Discord since few months or even social media because of the political status of Turkey,” Levatax explained, referring to the recent election in his country. “The only thing I confirm is losing my Outlook account which connected to my Discord, and I’m already in touch with Microsoft to recover it.”
The verification method used in the above scam involves a type of bookmark called a “bookmarklet” that stores Javascript code as a clickable link in the bookmarks bar at the top of one’s browser.
While bookmarklets can be useful and harmless, malicious Javascript that the user themselves runs in the browser is especially dangerous, because it executes with the user’s own access to whatever site is open at the time. So please avoid adding (or dragging) any bookmarks or bookmarklets to your browser unless it was your idea in the first place.
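A practical check that follows from this is to audit the bookmarks already in a browser for anything that is really a `javascript:` link, since a bookmarklet dragged in during a fake "verification" step looks like any other bookmark in the bar. The script below is an added example written for this article, not code from KrebsOnSecurity or from Discord; it walks a constructed object laid out like Chrome's `Bookmarks` JSON file (the folder names, entries and URLs are invented) and reports every bookmarklet with its folder path. Its one deliberate edge case: a scheme written with mixed case or with whitespace and control characters inserted, which a browser strips before dispatching but a naive `startsWith("javascript:")` would miss.

```javascript
// Constructed sample modelled on the Chrome/Chromium "Bookmarks" JSON layout.
// Every entry here is invented for the example.
const sampleBookmarks = {
  roots: {
    bookmark_bar: {
      type: "folder",
      name: "Bookmarks bar",
      children: [
        { type: "url", name: "Discord", url: "https://discord.com/" },
        // Scheme disguised with mixed case and an embedded newline; browsers
        // strip ASCII whitespace and control characters before parsing it.
        { type: "url", name: "Verify", url: "java\nScript:void(0)" },
        {
          type: "folder",
          name: "Tools",
          children: [
            { type: "url", name: "Harmless", url: "javascript:alert(document.title)" },
          ],
        },
      ],
    },
    other: { type: "folder", name: "Other bookmarks", children: [] },
  },
};

// Normalise the URL the way the browser effectively does for scheme detection:
// remove ASCII control characters and whitespace, then compare case-insensitively.
function isBookmarklet(url) {
  if (typeof url !== "string") return false;
  const stripped = url.replace(/[\u0000-\u0020]/g, "");
  return stripped.toLowerCase().startsWith("javascript:");
}

// Recursively walk a folder tree and collect every bookmarklet with its path.
function findBookmarklets(node, path = []) {
  const hits = [];
  if (node.type === "url") {
    if (isBookmarklet(node.url)) {
      hits.push({ path: path.join("/"), name: node.name, url: node.url });
    }
  } else if (Array.isArray(node.children)) {
    for (const child of node.children) {
      hits.push(...findBookmarklets(child, [...path, node.name]));
    }
  }
  return hits;
}

// Audit all roots (bookmarks bar, other bookmarks, ...) of a bookmarks document.
function auditBookmarks(doc) {
  return Object.values(doc.roots).flatMap((root) => findBookmarklets(root));
}

// Report what an auditor would want to review; the URL is truncated for display.
for (const hit of auditBookmarks(sampleBookmarks)) {
  console.log(`[bookmarklet] ${hit.path}/${hit.name}: ${hit.url.slice(0, 60)}`);
}
```

To run it against a real profile, replace `sampleBookmarks` with `JSON.parse(fs.readFileSync(pathToChromeBookmarksFile, "utf8"))`; Firefox exports bookmarks to a different format, so a separate reader would be needed there. Any hit that the user did not knowingly create is a candidate for removal, followed by the token-invalidation step the article describes (logging out and back in, or changing credentials).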
The domain name registrar Freenom, whose free domain names have long been a draw for spammers and phishers, has stopped allowing new domain name registrations. The move comes after the Dutch registrar was sued by Meta, which alleges the company ignores abuse complaints about phishing websites while monetizing traffic to those abusive domains.
Freenom is the domain name registry service provider for five so-called “country code top level domains” (ccTLDs), including .cf for the Central African Republic; .ga for Gabon; .gq for Equatorial Guinea; .ml for Mali; and .tk for Tokelau.
Freenom has always waived the registration fees for domains in these country-code domains, presumably as a way to encourage users to pay for related services, such as registering a .com or .net domain, for which Freenom does charge a fee.
On March 3, 2023, social media giant Meta sued Freenom in a Northern California court, alleging cybersquatting violations and trademark infringement. The lawsuit also seeks information about the identities of 20 different “John Does,” Freenom customers that Meta says have been particularly active in phishing attacks against Facebook, Instagram, and WhatsApp users.
The lawsuit points to a 2021 study (PDF) on the abuse of domains conducted by Interisle Consulting Group, which discovered that those ccTLDs operated by Freenom made up five of the Top Ten TLDs most abused by phishers.
“The five ccTLDs to which Freenom provides its services are the TLDs of choice for cybercriminals because Freenom provides free domain name registration services and shields its customers’ identity, even after being presented with evidence that the domain names are being used for illegal purposes,” the complaint charges. “Even after receiving notices of infringement or phishing by its customers, Freenom continues to license new infringing domain names to those same customers.”
Meta further alleges that “Freenom has repeatedly failed to take appropriate steps to investigate and respond appropriately to reports of abuse,” and that it monetizes the traffic from infringing domains by reselling them and by adding “parking pages” that redirect visitors to other commercial websites, websites with pornographic content, and websites used for malicious activity like phishing.
Freenom has not yet responded to requests for comment. But attempts to register a domain through the company’s website as of publication time generated an error message that reads:
“Because of technical issues the Freenom application for new registrations is temporarily out-of-order. Please accept our apologies for the inconvenience. We are working on a solution and hope to resume operations shortly. Thank you for your understanding.”
Image: Interisle Consulting Group, Phishing Landscape 2021, Sept. 2021.
Although Freenom is based in The Netherlands, some of its other sister companies named as defendants in the lawsuit are incorporated in the United States.
Meta initially filed this lawsuit in December 2022, but it asked the court to seal the case, which would have restricted public access to court documents in the dispute. That request was denied, and Meta amended and re-filed the lawsuit last week.
According to Meta, this isn’t just a case of another domain name registrar ignoring abuse complaints because it’s bad for business. The lawsuit alleges that the owners of Freenom “are part of a web of companies created to facilitate cybersquatting, all for the benefit of Freenom.”
“On information and belief, one or more of the ccTLD Service Providers, ID Shield, Yoursafe, Freedom Registry, Fintag, Cervesia, VTL, Joost Zuurbier Management Services B.V., and Doe Defendants were created to hide assets, ensure unlawful activity including cybersquatting and phishing goes undetected, and to further the goals of Freenom,” Meta charged.
It remains unclear why Freenom has stopped allowing domain registration. In June 2015, ICANN suspended Freenom’s ability to create new domain names or initiate inbound transfers of domain names for 90 days. According to Meta, the suspension was premised on ICANN’s determination that Freenom “has engaged in a pattern and practice of trafficking in or use of domain names identical or confusingly similar to a trademark or service mark of a third party in which the Registered Name Holder has no rights or legitimate interest.”
A spokesperson for ICANN said the organization has no insight as to why Freenom might have stopped registering domain names. But it said Freenom (d/b/a OpenTLD B.V.) also received formal enforcement notices from ICANN in 2017 and 2020 for violating different obligations.
A copy of the amended complaint against Freenom, et al., is available here (PDF).
March 8, 6:11 p.m. ET: Updated story with response from ICANN. Corrected attribution of the domain abuse report.