IOK Rules: target.discord

Discord/Steam Phishing Kit 0BFMGg

Detects a phishing kit impersonating Discord and targeting Steam with a fake popup that opens when the "Get Nitro" button is clicked. The site promises to give you a free Discord Nitro subscription. This phishing kit has been discovered by the FishFish.gg team.

Discord Hypesquad Phishing Kit 9e6c4a9

Discord Hypesquad phishing kit containing a comment left behind by the supposed developer of the kit. As well as a unique nonce value that is present.

Discord Nitro Phishing Kit 7a09ee6

Discord Nitro phishing kit containing a reused image asset.

Discord Phishing Kit 4EK3uS

Detects a phishing kit targeting Discord and Steam by promising a Free Discord Nitro subscription.

Discord oAuth2 Scam u8eviyps

Detects a Discord oAuth2 scam confirmation page, which is often used in combination with social engineering to get the user to authorize for a spam application. This for example enables the attacker to add the victims into further scam/advertised servers using the `guilds.join` scope.

Bookmark Grabber bf623f6

Detects a phishing page that leverages the Dyno discord bot as a lure to install a malicious browser bookmark to steal the victim's Discord token.

Steam Phishing Kit jIwQMP

Detects a phishing kit impersonating Discord and targeting Steam users with a fake popup that opens when the "Get Nitro" button is clicked. The site promises to give you a free Discord Nitro subscription upon entering your Steam credentials. This phishing kit has been discovered by the FishFish.gg team.

Discord Phishing Kit ee3f9f72

Detects a `Discord` phishing kit targeting Discord users. This kit proxies all requests made by the original Discord website to the domain the kit is running on.

Discord Phishing Kit 664a17b

Discord phishing kit that uses a external application invite as a lure, as well as the real DiscordServer discord bot logo to make it seem legitmate. Once the user clicks the button labelled authorize it will open a pop-up window mimicking the Discord login page pretty poorly. This rule uses the fact that the same CSS file name is used across all domains that use this kit.