Information (moral: prevent CSRF on login endpoint):

Well, it looks like we made a right mockery out of Discord and its idiotic users... How stupid do you have to be to fall for an obvious phishing website in 2019?

This was no virus, worm or malware of any sort - it was a simple old phishing site that utilized Discord's own moronic API to hijack these accounts. I hope this was a lesson for all of you folks...

How did it work, and how Discord should've responded:

In simple terms, all requests were proxied to Discord's own site, and then obfuscated JS was injected into the response. This JS took over the login form, and submitted its own API call to the login endpoint (to bypass Discord's IP detection), and the response was sent back to our server (including the session token used for valid API calls).

We then had an automated bot change the email and password of these accounts using Discord's own well-documented API endpoint, which simply required the aforementioned session token. This API call then provided us with a new session token, which we could later use to send out the phishing link via DMs.

Discord decided to block our server's IP address from accessing their site, which stopped us for a good 10 minutes before we realised and proxied these requests via another server. Instead, Discord should've prevented CSRF on the API login endpoint, which would've stopped us in our tracks.

What did we collect:

As you can guess, many people tried to submit fake logins, over 200,000 of them. These were quickly filtered out, as they were either not proxied or were submitted with invalid tokens.

All in all, a modest 2,522 valid logins were collected and 949 of them were then hijacked, and here's the dump:

SQL DUMP