Jump to content

An announcement on the recent scam activity on the DU Discord.


DarkHorizon

Recommended Posts

Hey everybody,


We've been getting increasing reports of non-game-related scams through the DU Discord server. While in-game scamming is permissible (here's looking at you people putting requests and buying ore at 0.1h/L) these types of scams are not. 


The two we’re seeing most frequently on the DU Discord and Discord in general are along the lines of:


"I accidentally reported your Steam account"
"Straight to the point--NO BS" with Wall Street War


At almost 2000 words, I’m told this is a fairly lengthy post so I’ll split it into two parts. The first will have to do with what these scams are, and how to deal with them. The second part will feature some of my own tips and advice to improve your account security and general account security on the web. Part One, Part Two.

 

TLDR at the end for those of you that need it. Let’s get to it!

 

 

Part One: The Scams

The steam account scam is the most concerning so I'll touch on this first.


It starts with someone asking if a Steam profile is yours, usually because you have your Steam profile linked in your Discord profile. If you confirm it, then they'll say that they accidentally reported your Steam profile for illegal purchases and that your account will be suspended if no action is taken. They'll then try and connect you with a "support agent" to resolve the issue and clear your name. Seems innocent enough, but hang with me.


The "support agent" will ask you to log out of your account everywhere so they can run a "validation" process that would be supposedly interrupted by a login. They’ll then ask you for your login details as a part of the verification process. This should be the first red flag.


If you have Steam Guard enabled as your 2FA option, they’ll mention that your phone should have sent you a notification just now, and to provide them with that code. This should be a second red flag and tantamount to a bat light up in the sky.


Since most of us have a purchase history associated with our account, an excuse will usually be given about the above "validation" exposing errors due to “black-market purchases with stolen accounts”. You'll be asked to purchase crypto and send it to their wallet as proof that you're the cardholder. This should be the third red flag, but by now your steam account is already compromised since you provided your login details and 2FA code.

 

With your account now up for ransom, they'll start asking for money to get it back and bring you through a whole long process to ‘unlock’ or ‘unblock’ your account. A way to unscrew yourself, notice how I’m saying ‘un-’ a lot?

 

However, the end result, is always the same, "a fool and his money are soon parted." In the particular instance that was brought to our attention, the individual’s bank intervened which left them out only $270 as opposed to the $1,000 that they were being lined up for.

 

For support-related things like Steam, Amazon, DU support tickets, etc, they'll all use some form of an official means of communication. Since DU makes a prime example, all support tickets are handled on their support website. If something like an email seems suspicious even though it looks official, don't hesitate to sign into your account and handle it on their website directly, email support scams happen too!

 

Additionally, support will never ask for your login details, and you should never ever-ever-ever-ever-ever give out your 2FA codes. Never, got it? I could say that until I'm blue in the face. If they needed to, I'd bet a ham sandwich with good mustard that an authentic support person would easily bypass that since they're already an employee of the company, verified and all. That, and they would never ask you to pay them since usually you'll just be banned anyways.

 

NQ threw in this extra bit but just so things are crystal clear: No support agent of any company (especially Steam) should ask you any login details. If a support agent does, it's obviously a scam or an agent breaking security protocol. In both cases NEVER gave such information. Support agents are not supposed to ask you any login details for the simple reason that they don't need to: if they are what they're pretending they are, they have other means to access your account for technical problems or punishment topics.

 

These are malicious because these types of scams depend on our anxieties. Naturally, no one wants to be in trouble and it’s something commonly pulled on senior citizens as they’re usually an easier target since we’re still at the start of the digital age and computers weren’t something they grew up with. Have your grandparents console with other trusted persons if something seems fishy.

 

A final red flag and something I’m hesitant to get into because it involves stereotyping, but folks that pull these kinds of scams in my experience don’t often have the best English skills, and it’s pretty easy to tell that they are non-native speakers since they come from a very particular part of the world. I’m not going to spotlight any group in particular, but Steam would never ask for you to share your screen, make a crypto transaction, or inquire about your banking details. And I’m equally sure that a prince in some distant land wouldn’t transfer you a great sum of his wealth to help him with some health expenses. Yes, they have a solid grip and can hold an understandable conversation, but it’s not as fluid as more experienced speakers like with NovaQuarks support for example.

 

I’m not saying that everyone offering some form of tech support is out to get you, especially if you are aware of a real problem, tech support is an easily outsourced job and I’m sure at some point you’ve experienced robots and automated machines in these roles already. No doubt many non-native speakers have excellent skills as I'm sure many have shown on these very forums, but again my personal experience has dictated that more often than not, a weak grasp of English should serve as caution in these types of situations.

 

 

 

Finally, someone or multiple someones has been making alternate accounts, pushing a 'no bs' crypto server very aggressively. Not only does this break the unsolicited advertising policy, but you're potentially pushing away people from the idea of crypto which hurts the whole thing in general.

 

Us moderators and NQ discussed briefly boosting the server moderation level from high (server member for 10m) to maximum (verified phone linked to the account) but this was seen as too extreme. For now, if you get one of these messages, send a link to the message (‘copy message link’ in the right-click menu) and a screenshot to the mods via ModMail and we’ll take care of them. NovaQuark is attempting to work with Discord on this issue and those DM links are needed as a part of Discords investigations. Links are no longer required, scroll down a bit for further guidance.

 

When I started writing, ten separate accounts were banned, plus one more while I wrote, for their “no-bs” activity. Since then another 9 have fallen between NQ reviewing and approving this and my own goings-on getting in the way. They’re persistent, these lads, but rest assured they’re not as persistent as a dragon, or my fellow moderators on the community discord team! While I've taken a step back for some Halo in the past week, I'm looking at 11 modmails that I haven't read yet that I suspect run along similar lines... Yes, a potential 30 accounts.

 

Not much to say here since they're just pushing a discord invite and its nothing more malicious in general chat. Just letting you guys know that we’re aware of these events, along with what actions to take, so I'll leave it at that.

 

 

Update 7/22: NQ has advised me that since Discord is not taking action, that all logging on Wall Street War has ended. Please send further incidents to Discords Trust and Safety team as this falls under the Self-botting category of spam.
https://support.discord.com/hc/en-us/requests/new?ticket_form_id=360000029731

 

 

 

Part Two: Security


Strong passwords, you knew this was coming right? "Blaarg I can't reeeee-member", enough with the excuses. There are plenty of solutions out there that allow you to create long, complex, and secure passwords that you don't have to remember or type in manually. In years past I used and recommended LastPass but they had to go and ruin a good thing and separate computers and mobile devices for free account holders. If you can afford their $3/month premium plan, I'd still recommend them since they're very well known and have a lot of great features, but I'm cheap so I dropped them. With the hundreds of online accounts some of us might have, my replacement is Zoho Vault. For all my uses, it has the features I require on both desktop and mobile devices in the form of autofill and password generation.

 

If sticking all your passwords in some online database sounds like a bad idea, there are also solutions for building and managing your own homebrewed vault, just be sure to stick it somewhere greedy little hands and pets can't find it. If the hamsters aren't running on their wheels, they're destroying your hardware.

 

2 Factor Authentication, if it’s an option, use it. It will take a little bit longer to log in since it’s an extra step, but it can make a lot of difference if your username and password are compromised. Is it foolproof, no. Is something better than nothing, absolutely. Setting up 2FA is easy, just find a specific app for it, scan a QR code, verify it by entering the string of numbers (usually six but I've encountered no more than nine), then once it’s confirmed, you're all set up. Now after you enter your username and password, you'll need to check the app you downloaded and enter in that string of numbers before the timer expires to fully log in.

 

While the extra security is great, it comes with some extra caveats:


An online database can be breached. The database can fail and the data become lost. Your master password can be breached or forgotten.
Your hardware can be stolen, misplaced, lost, or even destroyed. If you read this far, you get a cookie.
You can forget to transfer your 2FA app data to your new phone before deleting your old phone’s data.

 

Should any of that happen, you can be well and truly screwed, especially when you're excited about getting a new phone like I was a few years back. At least if you mess up, you know your accounts are still protected, it's just a big time kill resetting everything. Don't let that scare you though, better to be safe than sorry with your account partly out of your hands because you forgot your strong password, versus in someone elses hands entirely.

 

Above all, use common sense. It's in pretty short supply these days but I'm sure you can activate enough neurons to tell the difference between your coworker’s email that comes from a familiar email (or physical) address versus something about some guys relative in the hospital and he needs $500 for the bills and wants you to wire them money and... oh hey, is that gold? OwO

 

This isn't a defacto guide, just some easy things you can do right now to get started and have an immediate impact on your online security. There's a lot more reading and videos (even physical hardware you can purchase) out on the internet if you care to look which I would encourage you to do.

 

 

 

Again, if you get a message from anyone using either of these methods of unsolicited advertising or anything else, be it related to Dual Universe or not, please send them to us community mods via Modmail (works just like sending a DM to anyone else) and we'll handle things.

 

 

 

TLDR: Firstly, the Discord community mods are aware of the scammers going around. Send us a modmail with a screenshot and we'll handle things.
Secondly; password hygine, 2FA, if it looks sketchy it probably is.

 

That's all I wanted to say, thanks for reading.

Edited by DarkHorizon
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...