So, the @UglybrosNFT Discord server was breached this morning at about 2 AM EDT.
Here's a post-mortem on what happened š§µ
Here's a post-mortem on what happened š§µ
Important Note:
The Discord has been secured. Serge and his team were amazing and did all the right things to recover their Discord, I helped out a little where they needed it, but they did it mostly on their own. š to them for handling with such professionalism
The Discord has been secured. Serge and his team were amazing and did all the right things to recover their Discord, I helped out a little where they needed it, but they did it mostly on their own. š to them for handling with such professionalism
Q: How does this happen?
A: Serge's Discord account was breached through a bookmark phishing attack. These attacks can steal your Discord token (essentially your discord "seed phrase") and log in without 2FA.
A: Serge's Discord account was breached through a bookmark phishing attack. These attacks can steal your Discord token (essentially your discord "seed phrase") and log in without 2FA.
Q: What is a bookmark phishing attack?
A: The attack tricks users into dragging something into their bookmarks on their browser. This bookmark executes some javascript code that steals your Discord token out of your browser's cache, giving themselves full access to your account.
A: The attack tricks users into dragging something into their bookmarks on their browser. This bookmark executes some javascript code that steals your Discord token out of your browser's cache, giving themselves full access to your account.
Q: Can you reset your token?
A: Yes! If you change your Discord password, your token will be regenerated, kicking any hackers out. You should regularly change your passwords to be safe.
A: Yes! If you change your Discord password, your token will be regenerated, kicking any hackers out. You should regularly change your passwords to be safe.
Q: What happened in the Discord?
A: The hacker went through a couple different steps. First, he banned all the mods so they couldn't try to prevent the breach and scams. Then, they changed permissions for all users and bots. They invited their own account and set up webhooks.
A: The hacker went through a couple different steps. First, he banned all the mods so they couldn't try to prevent the breach and scams. Then, they changed permissions for all users and bots. They invited their own account and set up webhooks.
This is the hacker's account. They have been flagged in SecurityBot already, but I am sharing here for more knowledge.
Their user ID is: 732142195749945385
Their user ID is: 732142195749945385
After gaining access, the account began posting in the announcements channel about a fake mint happening on $ETH. This link was a scam. If you authorized your ETH wallet with the contract associated with it, it would drain your wallet.
Remove authorization for the contract ASAP.
Remove authorization for the contract ASAP.
Q: What is a webhook?
A: A webhook is an API that allows one-way data-sharing. In Discord, it allows anyone with the URL to post messages in the associated channels, even if they don't have permissions themselves. All webhooks have been removed.
A: A webhook is an API that allows one-way data-sharing. In Discord, it allows anyone with the URL to post messages in the associated channels, even if they don't have permissions themselves. All webhooks have been removed.
SO IS THIS PREVENTABLE?
Yes. Phishing attacks are one of the hardest to stop (they seem innocent and they usually target overworked mods or staff members), but they can be prevented/mitigated. Below I will share a few steps that you can take RIGHT NOW to protect your community.
Yes. Phishing attacks are one of the hardest to stop (they seem innocent and they usually target overworked mods or staff members), but they can be prevented/mitigated. Below I will share a few steps that you can take RIGHT NOW to protect your community.
USE COLD ADMIN ACCOUNTS
A cold admin account is a discord account stored on an old phone or laptop that has admin rights in your Discord. They are only used to grant temporary permissions or make server changes. No "hot" (active) accounts should have admin permissions.
A cold admin account is a discord account stored on an old phone or laptop that has admin rights in your Discord. They are only used to grant temporary permissions or make server changes. No "hot" (active) accounts should have admin permissions.
BE EXTREMELY CAREFUL CLICKING LINKS
Obviously, be careful clicking links. You can't get nitro for free. NEVER drag anything to your bookmarks, Always triple check when entering account info.
Obviously, be careful clicking links. You can't get nitro for free. NEVER drag anything to your bookmarks, Always triple check when entering account info.
SECURITYBOT
@SecurityBotNFT can't stop phishing attacks, but it can help mitigate the damage! You can use the channel lock feature to lock your important channels with a secondary password, meaning that even if someone gained access to your account, they can't post announcements
@SecurityBotNFT can't stop phishing attacks, but it can help mitigate the damage! You can use the channel lock feature to lock your important channels with a secondary password, meaning that even if someone gained access to your account, they can't post announcements
ANTI-PHISHING CHROME EXTENSION
I have also created a #ProjectCatalyst proposal to try and fight against phishing attacks! I want to build a decentralized anti-phishing chrome extension to protect you while you browse web3.
Please check it out here: cardano.ideascale.com/c/idea/419660
I have also created a #ProjectCatalyst proposal to try and fight against phishing attacks! I want to build a decentralized anti-phishing chrome extension to protect you while you browse web3.
Please check it out here: cardano.ideascale.com/c/idea/419660
Congrats! You've made it pretty far in my wall of text.
I wanted to bury this because I'm worried about enabling more malicious actors, but the hacker used a publicly available tool on Discord to do most of the malicious work. I am reading the code to see if I can do anything.
I wanted to bury this because I'm worried about enabling more malicious actors, but the hacker used a publicly available tool on Discord to do most of the malicious work. I am reading the code to see if I can do anything.
If any devs out there would like to take a look at the tool to help fight against it, please let me know and I will share it with you.
I don't want to release it publicly here, because I don't want to give the tools to any would-be malicious actors.
I don't want to release it publicly here, because I don't want to give the tools to any would-be malicious actors.
š You've reached the end of the thread!
I will definitely be releasing more threads on how to secure yourself and your community in this crazy web3 world. Please let me know if you have any questions about anything in this thread. I am here to help.
Stay safe friends š
I will definitely be releasing more threads on how to secure yourself and your community in this crazy web3 world. Please let me know if you have any questions about anything in this thread. I am here to help.
Stay safe friends š
ā¢ ā¢ ā¢
Missing some Tweet in this thread? You can try to
force a refresh
ć
