A dozen malicious PyPi packages have been discovered by researchers at Snyk installing malware that modify the Discord client to steal data from web browsers and Roblox.
- The popular online chat application, Discord, is also a target. The malware exfiltrates Discord tokens and injects a persistent malicious agent in the process. This malicious code, known as Discord Injector, can relay an alarming amount of information to the attacker. Not only will it share your credentials, but it can also skim your credit card information if you input it after the injector is loaded.
The packages pretend to be Roblox tools such as thread management and basic hacking modules but in fact simply install password-stealing malware on developers’ devices.
Roblox is an online gaming platform where users go to play games or create their own gaming programs. It is highly popular among children, for according to their user base, 67% of Roblox users are under the age of 16. Contrary to common belief, Roblox is not a game in itself, but is a community of users who share their programs, provide commentary, and sometimes, exchange dangerous executables. Roblox goes in tandem with Discord; an instant messaging and social chatroom platform.
It is common for Roblox players to go on Discord and join servers to have conversations with friends and other Roblox enthusiasts. On their website, Discord describes itself as a “second home” for Roblox gamers, but after the discovery of 12 malicious packages being downloaded on the platform, it has become a highly perilous place for gamer-safety. Running such executables without an interpreter is a big red-flag.
When an interpreter runs into an issue while running the code, it will notify the computer with an error message, allowing for easier debugging compared to compiled python code. However, no interpreter is a match for this certain type of PyPi malware, which was able to steal multiple user credentials and payment info. The malicious packages were able to get past Discord’s anti-virus scanner, as well as avoid detection on Windows machines.
Obviously, Roblox and Discord need to do more to protect the majority of young users on their platforms. Updates to Discord’s virus scanner (which scans documents for malware before they are uploaded to servers) are in the process of being performed, but many other additions must be made to ramp up Discord’s security. Most concerns center on the platform’s procedures to protect user privacy, in which many Discorders find their data being collected by anonymous APIs.
Discord’s system-wide push-to-talk mechanisms, which are good for allowing immediate communication, sometimes allow user keystrokes to be collected from any application despite being non-permitted by users. Disastrous!Roblox players have much to worry about while using “Discord, for many gamers have fallen victim to malicious web hooks (automated callback messages altering website behavior), ransomware attacks, and other schemes targeting common player interest.
Perhaps owing to these attacks, Roblox does little to warn their users about the dangers of clicking on malicious links within their platform, which sometimes lead to a malevolent Discord server or external backwater website. According to their user privacy policy, Roblox currently employs chat filtering to prevent inappropriate content being seen by users under 12 years old, but this does not apply to blocking users with a record of posting suspicious content (bad links or downloads) on the platform.
The only other security restrictions that parents may choose to employ are limited to restricting a few gaming experiences for their child, implementing a parent-accessible PIN, and 2-step verification. None of this, as mentioned, is effective for preventing child-targeted malware.
While no download coming from an open-source chatroom should be entirely trusted, Roblox and Discord offer an environment of false-comfort for users to feel safe while clicking on any link. In consideration of the fact that the majority of Roblox and Discord’s users are children, they will not necessarily know better to avoid the shady content being posted.
Regarding the recent rise of social media and other gaming use among younger age groups, this point is easily applied. Overall, the amount of trust circulating between children and strange, anonymous (and potentially dangerous) user accounts has become an even greater challenge to manage.
In light of this fact, since executable malware will continue to evolve and prey upon those who are ill-equipped to consider its consequences, it is not just up to Discord and Roblox to protect users; users need to protect themselves.
Mature and full-grown adults still fall victim to malware every day, and while more education and awareness is needed for such age groups, the younger ones are also in dire need of security lessons. Usually, teaching kids about the dangers of the Internet has been left up to parents, but schools could also contribute in training students to have a savvy security mindset. These skills, geared at children, should include teaching how to differentiate between official and unofficial websites, checking sources and anonymous accounts for legitimacy, recognizing scams, and avoiding clicking on unverified attachments or executables.
Educating children about the dangers of their account or payment information being compromised is an important lesson that they should be aware of, especially with how much more time they spend gaming than other focus groups. It is therefore a priority to ensure that they are not naive in the ways of cybersecurity, that they are developing a mature security mindset and practicing strong security hygiene while being constantly on the lookout to protect themselves, their friends, and their beloved communities from cybercriminals.