SOCRadar® Cyber Intelligence Inc. | Discord: The New Playground for Cybercriminals
Home

Resources

Blog
May 29, 2023
8 Mins Read

Discord: The New Playground for Cybercriminals

Discord has rapidly grown in popularity as a communication platform in recent years, serving as a virtual gathering place for online communities, gamers, and businesses, with almost 200 million active users and nearly half a billion registered accounts in 2023. However, this open platform has attracted the attention of cybercriminals, who see it as an ideal environment for their malicious activities. Discord provides numerous features that criminals can exploit to carry out various cyberattacks, such as phishing, malware distribution, and social engineering. The anonymity and lack of regulation on Discord also make it a perfect space for criminals to operate and communicate with other like-minded individuals.

The Attack Surface

Discord’s features have made it an ideal environment for cybercriminals to carry out various attacks. The platform’s file-sharing capabilities, voice and video chat options, and integrations with other apps create an attack surface that threat actors can exploit.

Phishing and Social Engineering

One of the most common types of attacks carried out on Discord is phishing. Cybercriminals use phishing attacks to trick users into providing sensitive information, such as login credentials, by impersonating trusted individuals or creating fake accounts. Discord’s chat and direct messaging features make it easy for attackers to impersonate someone with social engineering tactics or even with the help of AI-generated voices and send messages to users to lure them into providing sensitive information. Like in hacked social media accounts, a user’s account may be used for phishing by impersonating the hacked person is also very common in Discord too. Fake Discord system messages or automatic bot messages that seem legitimate are also widely used for phishing. Moreover, if the necessary adjustments are not made, mass phishing attempts can be made by reaching you through public servers without needing an email and/or an email list.

discord phishing tool
Many automated phishing tools are also available on GitHub, worsening the situation.

Malware Distribution and C2

Another type of attack that can be launched through Discord is malware distribution. Attackers can use the platform’s file-sharing capabilities to send malicious files to users, infecting their systems when downloaded. Cybercriminals can also distribute malware through links to malicious websites in messages or direct messages.

A Discord multi-tool kit for sale.
A Discord multi-tool kit for sale.

Security researchers have also observed RATs and malware toolkits where Discord is used as C2 (Command & Control). The API of Discord provides a direct channel for users to communicate and exchange messages and files with external programs. Unfortunately, this feature also creates an easy avenue for C2 communication, which can be challenging to detect and prevent. The difficulty arises from the fact that C2 communication utilizes a single endpoint that can be easily disguised as a legitimate service. Additionally, using HTTPS to secure communication further complicates the identification of malicious traffic, making it a complex task to differentiate between benign and malicious API calls.

Furthermore, Discord is also a suitable platform for hosting malware because Discord stores the attachments in cloud storage and becomes accessible from anywhere via a shared link web URL. 

An example of an access link: https://cdn.discordapp.com/attachments/../../..

Webhooks and Bots

Yet, Discord’s integration with other apps may create a potential attack surface that cybercriminals can exploit in many different ways. Attackers can use these integrations to distribute malware or launch phishing attacks through third-party apps connected to Discord, mostly in the form of webhooks and bots.

Discord introduced a relatively new feature in 2020 known as webhooks, which malicious actors have unfortunately exploited. With this feature, server owners can easily create a webhook for any channel they own and send messages to that channel through a simple HTTPS request. Initially intended for notifying users of specific actions, such as a new git pull request, attackers have discovered a way to exfiltrate data from their victims using this feature.

discord webhooks
Many webhook using malicious repositories are available to the public.

While webhooks can be helpful in safe and quick notifications, protecting against misuse can be challenging. This is because all requests are sent to the same domain, and the content is protected by HTTPS, making monitoring and blocking a complex task. 

An example of webhook URL: https://discord.com/api/webhooks/../

A Dark Web Market

Although it does not create an attack surface, other criminal uses that may lead to further incidents have been observed in selling many illegal products and services, like in Telegram and Dark Web Forums/Markets, or as a platform for scams and frauds. Additionally, many cracking/piracy communities that can be accessed from the surface web are also utilizing Discord.

Dark Web vendors advertising their business on a Discord server. (Spycloud)
Dark Web vendors advertising their business on a Discord server. (Source: Spycloud)

How to Stay Safe?

There are a few short steps for personal account safety. The most crucial factor to be considered as a user is to be alert to phishing attacks. You can access Discord’s blog post against scams here

A popular method is mimicking the system messages and redirecting victims to malicious websites. 

Again, as a precaution, turning on the spam filter, which is only open to non-friends by default, for all messages will increase your security.

Spam filter on default.

It is also an important security measure to use the 2FA (Two Factor Authentication) feature on Discord, as it should be on every platform. You can also check the systems connected to your account and the bots on your servers in the Discord settings.

Two-Factor Authentication is not enabled by default.

In a business setting, there are other things to consider:

  1. Block Discord unless there is a business justification: Given the high degree of exploitability, it is best to avoid using Discord as a communication platform in an organizational environment unless there is a business justification. Blocking Discord can prevent unauthorized access to the organization’s network and sensitive data.
  2. User training/awareness: When using Discord as a collaboration tool, raising awareness about potential cyberattacks linked to Discord is critical. Users should be aware of how to use the platform safely and recognize possible attack types to avoid system compromise. Providing regular training and awareness programs to users can significantly reduce the risk of falling victim to malicious activities on Discord.
  3. Download files from trustworthy sources only: To prevent malware installation, users should only download files from reliable sources. It’s essential to verify the legitimacy of the source before opening email attachments, URLs linked to Discord, or uploaded files in the Discord channel.
  4. Use antivirus software: Using up-to-date antivirus software can significantly reduce the risk of falling victim to malicious activities on Discord and other online platforms. It can help prevent malware installation by proactively blocking suspicious downloads and detecting and removing malicious files on your computer.

Summary

In conclusion, Discord has become a trendy communication platform and a breeding ground for cybercriminals to carry out various malicious activities. Discord’s various features, such as file-sharing capabilities, voice and video chat options, and integrations with other apps, provide cybercriminals with an attack surface to exploit. They use phishing attacks to trick users into providing sensitive information, distribute malware through links and files, and use webhooks and bots for exfiltration and fraud. Discord’s anonymity and lack of regulation make it difficult to detect these activities, making it an ideal environment for criminals to operate. As users, it is essential to be vigilant of such threats and take necessary precautions to stay safe online. While there are several measures that one can take to ensure personal account safety, businesses need to have strict policies in place when it comes to using Discord as a communication platform.

Example SOCRadar alert on data leaked via Discord.
Example SOCRadar alert on data leaked via Discord.

SOCRadar scans the entire web within the Cyber Threat Intelligence service, detects leaks on the dark web and all similar platforms, and sends alerts to its users. Moreover, within Vulnerability Intelligence, it can also report vulnerabilities that have emerged on applications you use, such as Discord. In this way, SOCRadar users may be knowledgeable about Discord vulnerabilities, follow new TTPs regardless of the attack vector, know related leaks on Discord markets, and provide total coverage to their security.