Dissecting a fake Discord site.
Okay, so it's the year 2021 and we're almost in 2022. Technology has kept evolving, and we rely more and more on communicating online through our accounts. One of the most booming industries right now is gaming, and Valve's Steam platform has been around for a while and is very successful.
But recently there have been bad actors trying to steal accounts through phishing.
If you're not sure what phishing is: phishing is a social engineering method used to steal users' data. A company might run a phishing exercise against its own employees to test their security awareness, but a bad actor performs phishing to steal users' data, such as their accounts.
Now enough of the boring stuff, let's get real.
I was going about my day when I saw this weird link in a Discord server.
Free nitro for everyone! http://dlscord.org/gift/[REDACTED]
As someone who has been looking at URLs for a long time, I can see right away that this is a phishing site. For those who can't see it: notice how the i in discord is replaced with an l. Sneaky bastards. So the lesson here is: always look at URLs!
I decided to stop what I was doing and open the site in my VM, for safety.
Looks real, doesn't it? Well, copying a site is easy, so they can make it as believable as they want.
If we click on the links to Download, Safety, Support and Login, they actually bring us to the official Discord pages! But do not let your guard down! They are not here for your Discord account.
Let’s click on the
Okay, so when we look at the URL, it's actually a valid Steam URL. But again, do not let your guard down! Do not fill in anything!
I tried to drag the window outside my main browser window and I couldn't! Aha! This is an iframe!
For those who are not familiar with iframes: an inline frame is used to embed another document within the current HTML document.
Let’s take a look at the source code.
<iframe class="window-body-data-1" src="/1ksmkjskjskj[REDACTED]"></iframe>
The source of the iframe is not actually Steam, but some document on the same site (note the relative src) that impersonates Steam! What they basically did is make a page that looks exactly like Steam and put it in an iframe.
One way to test for an iframe is to try to drag the embedded window out of your browser window: if you cannot drag it out, it is an iframe, not a real browser window!
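The two checks described above (the l-for-i look-alike domain, and an iframe that pretends to be Steam but is served by the phishing site itself) can be automated. This is an added example written for this post, not code from the original; the brand list, the page URL path and the HTML snippet are constructed placeholders, and the confusable-character table is a deliberately small one.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin

# Brands this checker knows (constructed list for the example; extend as needed).
KNOWN_BRANDS = {"discord.com": "Discord", "steamcommunity.com": "Steam"}
# Single characters commonly swapped for look-alikes ("dlscord", "d1scord", "disc0rd").
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o", "3": "e", "5": "s"})


def normalize_label(label: str) -> str:
    """Fold a DNS label into a canonical form so look-alikes compare equal."""
    return label.lower().replace("rn", "m").translate(CONFUSABLES)


def lookalike_brand(url: str):
    """Return (brand, registered_domain) if the hostname mimics a known brand, else None."""
    labels = (urlsplit(url).hostname or "").lower().split(".")
    if len(labels) < 2:
        return None
    registered = ".".join(labels[-2:])
    if registered in KNOWN_BRANDS:
        return None  # the genuine domain itself
    for brand_domain, brand in KNOWN_BRANDS.items():
        if normalize_label(labels[-2]) == normalize_label(brand_domain.split(".")[0]):
            return brand, registered
    return None


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.srcs.append(dict(attrs).get("src") or "")


def suspicious_iframes(page_url: str, html: str, expected_domain: str):
    """Iframes meant to show expected_domain (e.g. a Steam login) but loaded from elsewhere."""
    parser = IframeCollector()
    parser.feed(html)
    flagged = []
    for src in parser.srcs:
        absolute = urljoin(page_url, src)  # a relative src resolves to the phishing site itself
        host = urlsplit(absolute).hostname or ""
        if host != expected_domain and not host.endswith("." + expected_domain):
            flagged.append(absolute)
    return flagged


# Constructed sample: the fake gift page with an iframe that only pretends to be Steam.
PAGE_URL = "http://dlscord.org/gift/EXAMPLE-CODE"
SAMPLE_HTML = '<iframe class="window-body-data-1" src="/EXAMPLE-PATH"></iframe>'
```

Running lookalike_brand(PAGE_URL) reports that dlscord.org mimics Discord, and suspicious_iframes(PAGE_URL, SAMPLE_HTML, "steamcommunity.com") returns the iframe resolved to http://dlscord.org/EXAMPLE-PATH, which is exactly what a real Steam login would never be.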
Now let's inspect the certificate.
Take notice of who issued the certificate. Cloudflare? No, the issuer shown is R3, which is Let's Encrypt.
Let's Encrypt is basically a free certificate issuer for anyone who wants their site secured with HTTPS. Since it's free, anybody can use it for anything.
So the bad actor used a certificate to make the site look less dodgy, since we've been taught that HTTPS means a site is encrypted, which is not the same as it being legitimate.
My advice for staying safe on the internet: always check your URLs, and be careful out there. Bad guys are always finding a way to win.