An incredibly sus DM by my friend that almost got me
by Chong Mum Khong

This morning, after reading some conspiracy theory about Tucker Carlson at The New York Times on my phone, I hopped onto my desktop to start my day as a developer. To my surprise, a friend of mine who does not use Discord that often had texted me. Curious, I went ahead and clicked on his avatar to see what he had to offer. This is how it went:

test my first game pls :) https://githxub.com/ee/game/raw/main/SkyBlade pass: test

I felt a bit paranoid at first, wondering why he would text me at 3 AM, but I shrugged off my suspicion after a bit of consideration. This friend of mine is also a software engineer, but he is neither very interested in nor well-versed in the technologies. I recalled motivating him to put more effort into development, as it could pave a better path for his career later in life.

I came to think that maybe he had been moved by my motivational advice and had decided to develop a game out of it, and thus I clicked on the link he sent without a second thought, even though Discord constantly warns users to be wary of suspicious links when they try to open them.

To be honest, I felt deep down that there was something inimical about this message, but I couldn't tell exactly what...

After I clicked on the link, it brought up my default browser immediately and started a file download. It was a zip file protected by the aforementioned password. I browsed through the files within the zip, as the password is not required until we try to open or extract the files from the zip.

The first thing I saw was this "start.exe" file, which was also the file that alerted me that this was indeed a fishy situation. There were a few folders containing some image files, some HTML, CSS and JavaScript files, and a few files with unrecognized file extensions. I closed the zip file immediately and texted my friend back, "are you real?"

My speculation turned out to be accurate, as he was completely perplexed and had absolutely no clue or recollection that he had sent me this. I told him that he might have been hacked and told him to check whether he had sent the same message to others as well. And he had. I panicked and shift-deleted the zip file right away after getting the confirmation from him.

I saw that he had also sent the exact same message across all the channels of the only server we have in common. It looks like he had just broadcast the message to all of his friends and the servers he had joined. At that point, I knew that his account was compromised and prompted him to change his password immediately.

Now that I come to think of it, there are a few parts that just make no sense.

First of all is the trailing smiley face emoticon in the message. My friend just does not use any of these, ever, in our conversations. Next, the message was sent during the ungodly hour of 3 AM, which is unlikely for my friend as he is an early bird who sleeps early.

Besides, the link he provided points to "githxub.com", which is already a red flag: it tries to resemble "github.com" and trick people into thinking that it is actually a legit website, which got me well. I tried googling the incredibly suspicious domain and, yes, there are some reports that identify the domain as fraudulent and used for a variety of scam attacks. A scam report lodged by an internet user on scammer.info provided some screenshots and justification on the attack. Here is a Reddit post that discusses this "I've made a game" scam in detail.
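The lookalike-domain red flag above can be checked mechanically before clicking. The following is an added example, not part of the original post: it pulls links out of a message and flags any whose domain sits within a small edit distance of a trusted one. The `TRUSTED` list, the function names and the two-label `base_domain` shortcut are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for illustration; extend it with the sites you actually use.
TRUSTED = {"github.com", "gitlab.com", "discord.com", "steampowered.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def base_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption; ignores co.uk-style suffixes)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_message(text: str, max_distance: int = 2):
    """Return (url, verdict, closest trusted domain) for every link in a message."""
    results = []
    for url in URL_RE.findall(text):
        domain = base_domain(urlsplit(url).hostname or "")
        if domain in TRUSTED:
            results.append((url, "trusted", domain))
            continue
        # sorted() keeps the choice deterministic when two trusted names tie
        nearest = min(sorted(TRUSTED), key=lambda t: edit_distance(domain, t))
        if edit_distance(domain, nearest) <= max_distance:
            results.append((url, "lookalike", nearest))
        else:
            results.append((url, "unknown", None))
    return results


if __name__ == "__main__":
    # The DM quoted in this post
    dm = "test my first game pls :) https://githxub.com/ee/game/raw/main/SkyBlade pass: test"
    print(check_message(dm))
```

Because the check looks at the last two labels rather than the start of the hostname, a constructed host such as `github.com.evil.example` is not treated as trusted.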

To sum up, cyberattacks are omnipresent and prey on unwary users in seemingly innocent and innocuous forms. Those who use Discord regularly need to be extra cautious when it comes to DMs that contain links or web URLs that they do not recognize, even from our closest friends.

- Article first published on May 3, 2022 @ 8:08am · Last edited at December 25, 2022 @ 8:53am -
