A new Discord phishing scam offers a free Nitro membership if a victim links their Steam profile, which the cybercriminals then exploit to steal game items or promote other frauds.
The phishing scam is being carried out by a large number of Discord accounts, either run by threat actors or operating as automated bots, which send other users links to what is ostensibly a guide on how to get free Discord Nitro.
“See, here’s free nitro for a month, just link your Steam account and enjoy,” the phishing emails sent to Discord members stated.
While this appears to be a promotional effort (apart from the grammar), the links direct users to a phishing site disguised as a real Discord page touting the Nitro feature.
When you click the “Get Nitro” button, a phony Steam login form appears that looks nearly identical to the real one.
In reality, the pop-up is a new window opened directly on the phishing website, and any Steam credentials entered are sent straight to the scammer’s server.
When users try to log in, they are presented with an error message that says, “The account name or password that you have given is invalid,” prompting them to log in again.
This double-verification technique ensures that no typing errors occurred during the phishing process and that the stolen details are valid.
Nitro As A Bait
Discord Nitro is a premium membership option on the famous VoIP and instant messaging network that includes plenty of desirable account customization, content sharing, and server boost advantages.
Nitro has become so popular that malware variants have been disseminated using the same hook, and ransomware gangs have asked for Nitro gift vouchers in exchange for a functioning decryptor.
Threat actors utilized a “free game” as bait in that scam to present users with a bogus Steam single sign-on page.
Similarly, phishing lures are always evolving, with new lures designed to entice gamers with the promise of something for free.
That being said, Discord users should be wary of any message that offers something for free in exchange for clicking on a URL.
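The check a moderation bot or a cautious user could apply to such messages, as an added example that is not part of the original article: it pairs the lure wording quoted above with a test of where each link really points. The allowlist of official Discord and Steam domains and the sample messages are assumptions supplied for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption: this allowlist of official Discord and Steam domains is supplied
# by the example; the article itself names no domains.
OFFICIAL = ("discord.com", "discord.gg", "discordapp.com",
            "steamcommunity.com", "steampowered.com")
# Lure wording modelled on the message quoted in the article.
LURE = re.compile(r"\b(free|gift)\b.*\bnitro\b|\bnitro\b.*\b(free|gift)\b"
                  r"|link your steam", re.I | re.S)
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)

def is_official(url):
    """True only if the URL's real host is an allowlisted domain or a subdomain."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:          # malformed authority, e.g. a broken IPv6 literal
        return False
    if any(label.startswith("xn--") for label in host.split(".")):
        return False            # punycode labels can render as lookalike letters
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def triage(message):
    """Flag a message that pairs Nitro/Steam lure wording with an off-allowlist link."""
    urls = [u.rstrip(".,!?;:") for u in URL.findall(message)]
    unofficial = [u for u in urls if not is_official(u)]
    lure = bool(LURE.search(message))
    return {"lure": lure, "unofficial_links": unofficial,
            "flag": lure and bool(unofficial)}

# Constructed sample messages; every hostname under .example is made up.
SAMPLES = [
    "See, here's free nitro for a month, just link your Steam account "
    "and enjoy: https://discord-nitro.example/gift",
    "free nitro! https://discord.com@nitro-gift.example/steam",
    "gift nitro here https://steamcommunity.com.login.example/openid",
    "Is the free Nitro trial real? Official page: https://discord.com/nitro.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg)["flag"], triage(msg)["unofficial_links"])
```

The host comparison is exact-or-subdomain rather than a substring match, so a link that merely contains an official name before an `@` or as a leading label is still treated as unofficial.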