Hackers are hijacking expired or deleted Discord invite links to redirect users to malicious sites that deliver remote access trojans and information-stealing malware.
The campaign relies on a flaw in the Discord invitation system to leverage multi-stage infections that evade multiple antivirus engines.
"Reviving" expired Discord invites
Discord invite links are URLs that allow someone to join a specific Discord server. They contain an invite code, which is a unique identifier that grants access to a server and can be temporary, permanent, or custom - vanity links available to 'level 3' servers paying for special perks.
As part of the perks for level 3 Discord servers, administrators can create a personalized invite code. For regular servers, Discord generates random invite links automatically and the chance of one repeating itself is very low.
However, hackers noticed that when a level 3 server loses its boost status, the custom invite code becomes available and can be reclaimed by another server.
Researchers at cybersecurity company Check Point say that this is also true in the case of expired temporary invites or deleted permanent invitation links.
They say that "the mechanism for creating custom invite links surprisingly lets you reuse expired temporary invite codes, and, in some cases, deleted permanent invite codes."
Hijacking a temporary invite code (top) and reusing it in a vanity link (bottom)
Source: Check Point
... continue reading