Comment from OpenText Security Solutions - Is this you in this explicit snap? No, it’s just Discord phishing
Cybercriminals are taking an old trick to newer places: Twitter and Discord. Users of both platforms have been warned to be on the lookout for direct messages warning them that their account had been flagged for bad behaviour. In both the Twitter and Discord cases, X-rated photographs have been uploaded to chat servers dedicated to shaming people. In both instances, the scam is designed to harvest credentials by tricking marks into logging in to what they think is Twitter or Discord to resolve the issue. The crooks then use the login details to compromise those accounts and contact others.
Commentary from Matt Aldridge, Principal Solutions Consultant at OpenText Security Solutions:
“This is an example of ‘old phishers learning new tricks’. When you receive a DM within a service, there is a sense of community or legitimacy that comes with it, which gives the attackers a better chance of catching their target off guard. It is therefore crucial that all online activities are scrutinised by users, not just the more typical attack vectors such as email.
Whenever you are presented with something giving you pressure of time or indicating that you may lose access to something of value, always pause and check via an independent means whether this insinuation could be correct or if it is simply trying to trick you. Be sure that you control who is able to send you direct messages, and that any other security features are enabled, such as multi-factor authentication. Usual best practice applies too in terms of never reusing a password between platforms, and always using a password manager to generate and store secure passwords.
Sadly, the tools and techniques used by attackers never weaken, they only grow stronger, so this growth in phishing attacks across multiple services isn’t surprising. It is also a big problem for SMS messages and other forms of IM/DM. As industry specialists, we are working with various key vendors to help them build better phishing protection into their products and services – this will eventually provide much broader and deeper protection for users, but as with all of cybersecurity, this is an arms race and there is sadly no end to criminal misuse of online services in sight.
For organisations, ensure that you are regularly training your users so that they are aware of new attack techniques such as this. By protecting your staff in their personal lives as well as in their work, you will gain much stronger and more capable assets for your organisation. Back up such security awareness training with regular phishing simulations, to ensure that the messages are truly hitting home.”