Bitdefender Warns Discord Users of Rampant Malware


  • Criminals are increasingly targeting Discord users with malware, phishing attacks, and scams.
  • Social engineering tactics are used to lure users into giving up personal information or clicking on malicious links.
  • Malware is often stored on trusted platforms like Discord.
  • As cybersecurity defenses improve, criminals are shifting to fileless malware and social engineering attacks.
  • Fileless malware and social engineering attacks are harder to detect and can be very harmful.

Social media and messaging apps are becoming the go-to attack vector for scammers and cybercriminals. Popular platforms like Discord offer an attractive, large user base, which criminals then leverage. Users also tend to trust these platforms blindly, assuming they are safe. But in the hands of bad actors, that trust is weaponized.

A new report reveals just how bad the situation is, with over 50,000 dangerous links that distributed malware, phishing campaigns, and scams detected in Discord in just six months.

Discord: A Battleground for Malware, Phishing, and Scams

On May 29, Bitdefender reported that Discord is rife with criminal activity. Using Bitdefender’s Chat Protection technology, the company identified a shocking amount of malware, phishing campaigns, and scams.

The report found that malware and phishing combined totaled 39% of all detected malicious links. The scam of offering Discord Nitro, a paid premium subscription with many benefits for users, continues to spread on the platform. The most targeted country? The U.S., by a wide margin, with 16.2% of all the threats detected.

Most of the scams and attacks on Discord start with convincing victims that they can win prizes, be paid to test apps or video games, get a job in the industry, or gain access to unique crypto giveaways.

Those who fall for this initial lure end up on fake websites designed to steal their credentials. Crypto wallets are emptied, accounts are taken over, and sensitive and financial data is stolen.

Anyone who has spent time in a crypto Discord will be aware of users posting links to “support tickets” or “connect your wallet for airdrops” to be lured into a convincing-looking decentralized application (dApp) which, once you connect your wallet, basically unlocks your house for criminals to come in and take all they need — usually everything.

As Bitdefender explains, the use of Discord as a platform for malware and scam campaigns has been a problem for many years, despite the platform and app developers’ efforts to mitigate the dangers as much as possible.

The big problem is the profile of users on the platform, which makes them an ideal target.

Of all messaging apps, Discord stands out both for popularity and for being at the epicenter of growing cybercriminal activity.

Discord’s top users include gamers, new technology testers, blockchain and crypto communities, and new AI app users such as MidJourney.

Companies working in these areas of business use Discord to communicate with their fanbase, engage with users for beta trials, promote their products, and offer giveaways.

This group of users — mostly teenagers and young adults — has earned a reputation for having low cybersecurity standards and digital risk-taking behaviors.

Discord’s Expiring Link Fix: A Step in the Right Direction, But Not Enough

Silviu Stahie, Security Analyst at Bitdefender, told Techopedia that Discord is a massive platform with a huge reach, making it a popular target for criminals who want to spread malware, phishing, and other types of threats.

“For a long time, Discord servers have been used as a hosting service for malware and for command & control servers because it’s easier to sneak past filters and security if the files are hosted on trusted domains.”

Discord has made changes to combat the spread of malicious activity on its platforms. One of the most highlighted actions was making links for internally hosted files expire in 24 hours.

This feature’s main goal is to make it more difficult for bad actors to use the platform as a malware hosting service. However, this has not stopped malware distributors, scammers, or phishing attackers.

Beyond Illegal Hosting: The Rise of Trusted Platforms for Malware Distribution

One of the biggest challenges that cybercriminals have today is where to store their malware. While underground illegal hosting services exist and are used for attack campaigns, they do not offer web addresses that users recognize, and they can be unreliable. In contrast, known brands have robust infrastructure and already have millions of users to target.

Illegal hosting services can also be shut down by law enforcement or exposed by cybersecurity companies. On trusted big tech platforms, by contrast, cybercriminals can hide in a big crowd and benefit from reliable, always-on hosting that authorities cannot simply freeze.

John Price, CEO of SubRosa, a cybersecurity and risk advisory firm based in Cleveland, Ohio, spoke to Techopedia about the complexities of storing malware in the modern world.

“Hosting malware is a significant challenge for cybercriminals because it requires reliable servers that are not easily traceable by law enforcement or security researchers.”

“Cybercriminals often opt to host malware on known platforms like Discord, Google Drive, or Dropbox because these services offer robust, reliable hosting with high uptime and fast access across the globe, which can help avoid the suspicion that obscure or illegal hosting might attract,” Price explained.

In October 2023, a Trend Micro investigation uncovered that criminals were leveraging Discord’s own content distribution network (CDN) to store malware. CDNs are small data centers that are strategically located closer to users to ensure fast delivery of communications, uploads, downloads, and content viewing.
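The two points above, that attackers prefer trusted file hosts and that Discord now expires its attachment links, can both be turned into a triage check on links seen in chat. The following is an added example written for this article, not code from Bitdefender, Trend Micro or Discord. It assumes that current Discord CDN attachment links carry an `ex` query parameter holding a hex-encoded Unix expiry timestamp (an assumption about the link format; the article does not describe it), and the message URLs it scans are constructed sample data. It generalizes slightly beyond the article by also covering the other trusted hosts Price names (Google Drive, Dropbox).

```python
"""Triage file-hosting links found in chat messages (added example).

Assumptions (not from the article):
- Discord CDN attachment links carry `ex=<hex unix timestamp>` giving the
  link's expiry; `is` and `hm` parameters are ignored here.
- Message URLs below are constructed sample data.
"""
import os
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Hosts the article's sources say criminals favour because users trust them.
TRUSTED_FILE_HOSTS = {
    "cdn.discordapp.com", "media.discordapp.net",
    "drive.google.com", "www.dropbox.com", "dl.dropboxusercontent.com",
}
# Attachment types that should rarely be shared as "prizes" or "test builds".
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".js", ".vbs",
    ".hta", ".dll", ".apk",
}

# Fixed "now" so the classification is reproducible (constructed).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample messages: an unexpired installer, an expired one,
# a harmless PDF on Google Drive, and an ordinary link.
SAMPLE_URLS = [
    "https://cdn.discordapp.com/attachments/111/222/game_setup.exe"
    "?ex=665bb600&is=665a6480&hm=00ff00ff",          # expires 2024-06-02 00:00 UTC
    "https://cdn.discordapp.com/attachments/111/333/tester.scr"
    "?ex=66590000&is=66580000&hm=aabbccdd",          # already expired
    "https://drive.google.com/file/d/abc123/rules.pdf",
    "https://example.org/blog/post.html",
]


def discord_expiry(url):
    """Return the expiry time encoded in a Discord CDN link, or None.

    The `ex` value is assumed to be a hex-encoded Unix timestamp.
    """
    values = parse_qs(urlparse(url).query).get("ex")
    if not values:
        return None
    try:
        return datetime.fromtimestamp(int(values[0], 16), tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        return None


def classify_link(url, now=NOW):
    """Describe why a link deserves a second look before anyone clicks it."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    ext = os.path.splitext(parsed.path.lower())[1]
    expiry = discord_expiry(url)
    finding = {
        "url": url,
        "trusted_host": host in TRUSTED_FILE_HOSTS,
        "risky_extension": ext in RISKY_EXTENSIONS,
        # None when the link carries no expiry information at all.
        "expired": None if expiry is None else expiry <= now,
    }
    # A live executable on a trusted host is exactly the pattern the article
    # describes; an expired Discord link can no longer deliver its payload.
    finding["flag"] = (
        finding["trusted_host"]
        and finding["risky_extension"]
        and finding["expired"] is not True
    )
    return finding


def flagged_links(urls, now=NOW):
    """Return only the URLs that the classifier flags."""
    return [f["url"] for f in (classify_link(u, now) for u in urls) if f["flag"]]


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(classify_link(url))
    print("flagged:", flagged_links(SAMPLE_URLS))
```

Because expired Discord links still look like attachments in message history, `expired` is reported separately from `flag`: an analyst reviewing an older incident wants to know the link existed even though the payload is gone.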

Stahie from Bitdefender said they were aware that Discord had made changes due to the impacts of that campaign. “We wanted to know how the threats evolved after Discord made changes,” Stahie said.

“After Discord made changes, cybercriminals turned to other tactics. They still use the platform for phishing attacks and to spread Android-targeted malware.”

When Malware Hosting Gets Tough, Criminals Shift Tactics

Tamar Cohen, Threat Researcher at Wing Security, explained that as malware hosting becomes more complicated for cybercriminals, they shift to different types of attacks to gain easier wins.

“A great example is the continued rise in social engineering attacks trying to hook users with special prizes tempting them to enter credentials in a fake login website,” Cohen said.

“Hackers are shifting from malware-based attacks realizing a lot of damage and profit can be done with credential theft. Compared to malware-hosting, hosting a simple fake login page can be easier and harder to detect than a malware-hosting server.”

Speaking about the Trend Micro investigation into Discord’s CDN, Cohen said that it outlines how hackers use Discord’s CDN to store malware and directly message victims, offering $10 or a Discord Nitro boost in exchange for help with a project.

“Bitdefender mentions that even when SaaS platforms try to eliminate malicious use, attacks based on human interaction (social engineering) can still be made.”

The Rise of Fileless Malware and Platform Manipulation

Price from SubRosa said that as cybersecurity defenses evolve, hosting or storing malware becomes increasingly complex, prompting cybercriminals to shift their tactics.

“For example, rather than directly hosting malware on a server they control, which can be shut down or traced back to them, attackers are increasingly turning to fileless malware techniques.”

Fileless attacks leverage legitimate system tools and processes to carry out malicious activities, thus leaving fewer footprints and evading traditional antivirus solutions that scan for files typically associated with malware.
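Since fileless activity leaves no new executable on disk, defenders look instead at how the legitimate tools are launched: which process started the script host and with what arguments. The following is an added example written for this article, not code from any of the firms quoted. It scores constructed, Sysmon-style process-creation events (the field names `image`, `parent_image` and `command_line` are this example's own convention) using two heuristics: a document or chat application spawning a script host, and script-host command lines that hide the window, pass an encoded command, or evaluate downloaded text in memory.

```python
"""Score process-creation events for fileless tradecraft (added example).

Assumptions (not from the article): events are dicts with the keys
`pid`, `image`, `parent_image` and `command_line`; the sample events
below are constructed, and the encoded blob `QUJD` is just "ABC".
"""
import re

# Built-in interpreters and binaries that fileless attacks ride on.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
# Applications a user works in; none of them normally needs a script host.
USER_APPS = {
    "winword.exe", "excel.exe", "outlook.exe", "discord.exe",
    "chrome.exe", "firefox.exe",
}
# Command-line traits that replace the on-disk file a scanner would catch.
SUSPICIOUS_ARGS = [
    (re.compile(r"-(enc|encodedcommand)\b", re.I), "encoded PowerShell command"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "in-memory expression evaluation"),
    (re.compile(r"downloadstring|invoke-webrequest|\biwr\b", re.I),
     "download performed from inside the script host"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
]

# Constructed sample events, in the order a triage queue might show them.
SAMPLE_EVENTS = [
    {"pid": 4101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell.exe -w hidden -enc QUJD"},
    {"pid": 4102, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe notes.txt"},
    {"pid": 4103, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Users\dev\AppData\Local\Discord\app-1.0\Discord.exe",
     "command_line": r'wscript.exe "C:\Users\dev\Downloads\invite.js"'},
    {"pid": 4104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},
]


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return the list of reasons an event looks like fileless activity."""
    image = _basename(event["image"])
    parent = _basename(event["parent_image"])
    cmd = event.get("command_line", "")
    reasons = []
    if image in SCRIPT_HOSTS and parent in USER_APPS:
        reasons.append(f"{parent} spawned script host {image}")
    if image in SCRIPT_HOSTS:
        reasons.extend(why for rx, why in SUSPICIOUS_ARGS if rx.search(cmd))
    return reasons


def triage(events):
    """Map pid -> reasons for every event that scored at least one reason."""
    return {e["pid"]: r for e in events if (r := score_event(e))}


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The fourth sample event, a scheduled PowerShell script started by the service control manager, scores nothing: the heuristics key on parent process and arguments rather than on PowerShell itself, which is what keeps administrative use out of the alert queue.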

“What is particularly shocking about the Bitdefender report on Discord is the sophistication and scale of the misuse. Discord’s own CDN and API were manipulated to distribute malware, highlighting not just the creativity of threat actors in exploiting trusted services, but also the ongoing challenge for platforms to monitor and prevent such abuse.”

The ease with which attackers can blend malicious activities within legitimate network traffic on popular platforms raises significant concerns about user safety and data security across similar services.

The Bottom Line

Discord’s capabilities and features make it an amazing platform for building communities and connections.

Its capabilities and ease of use make it a one-stop shop for messaging, conversations, video chats, and gaming.

It is also a platform that is deeply important, with many specific interest groups within the larger community hosting their communications through a Discord server.

However, these features also play against Discord.

As Malachi Walker, security advisor at DomainTools explained to Techopedia:

“On the other side of the coin, the ease of use makes it an appealing spot for cybercriminals to store malware, share ideas — and build their own communities on a private Discord server as well.”
