It was a message from a friend of mine. It said I was creeping on a girl and wanted me to check a channel called #drama. It didn’t match his linguistics, so I wanted to check it out.
A bot was here called “Wick”. It’s a clone of a real security bot called Wick (notice that there is no checkmark next to “BOT”).
Clicking verify gives you a QR code intended to be scanned in the mobile app. This is a real feature by Discord that allows you to scan a QR code when signing in to bypass 2FA. I use this feature all of the time because I don’t always have time to wait for a text.
This is easily exploited by scammers.
People will most likely think this is a legit OAuth screen because it’s in Discord’s app. It was only intended for YOU to log in to Discord’s app, not for someone else.
A picture of the QR code that you are supposed to scan to “verify” to get into the server
This method bypasses 2FA, so you’re screwed either way.
There are various packages/repos that allow a scammer to do this with ease. One gave a convenient little script that can be easily modified to be used en masse to grab tokens and load them.
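As an added example (not part of the original post, and not code from Discord or from the real Wick project), here is a small defensive check that captures the two tells described above: a bot account that does not carry Discord's verified-bot flag (the missing checkmark next to “BOT”), and a message that asks the reader to scan a QR code to “verify”. The user-object shape and the `VERIFIED_BOT` bit (`1 << 16` in `public_flags`) follow Discord's public API documentation; the sample user objects and message text are constructed for the demo and are not real accounts.

```python
"""Flag Discord QR-login lures: unverified bot impersonators plus a
'scan this QR code to verify' message. Added example, not from the post."""
import re

# Discord user flag bit for verified bot accounts (from the public API docs)
VERIFIED_BOT = 1 << 16

# Constructed sample user objects in the shape of GET /users/{id} responses.
# These IDs and accounts are made up for the demo.
IMPOSTOR_BOT = {"id": "000000000000000001", "username": "Wick",
                "bot": True, "public_flags": 0}
VERIFIED_WICK = {"id": "000000000000000002", "username": "Wick",
                 "bot": True, "public_flags": VERIFIED_BOT}
REGULAR_USER = {"id": "000000000000000003", "username": "alice",
                "bot": False, "public_flags": 0}

# Lure wording: a 'scan'/'verify' instruction followed by a mention of a QR code
QR_LURE = re.compile(r"\b(scan|verify)\b.*\bqr\b", re.IGNORECASE)


def is_verified_bot(user):
    """True only for bot accounts whose public_flags carry VERIFIED_BOT,
    i.e. the accounts that show the checkmark next to 'BOT' in the client."""
    return bool(user.get("bot")) and bool(user.get("public_flags", 0) & VERIFIED_BOT)


def qr_login_risk(user, content, has_image=False):
    """Return the list of reasons a message looks like a QR-login lure.
    An empty list means nothing suspicious was found."""
    reasons = []
    if user.get("bot") and not is_verified_bot(user):
        reasons.append("unverified bot (no checkmark next to BOT)")
    if QR_LURE.search(content):
        reasons.append("asks the reader to scan a QR code to verify")
    if has_image and reasons:
        # an attached image next to lure text is most likely the login QR itself
        reasons.append("image attached alongside the lure text")
    return reasons


if __name__ == "__main__":
    lure = "Click verify and scan the QR code to get into the server"
    print(qr_login_risk(IMPOSTOR_BOT, lure, has_image=True))
    print(qr_login_risk(VERIFIED_WICK, "Welcome to the server"))
```

A moderation bot would run `qr_login_risk` over incoming messages and delete or quarantine anything that returns reasons; the verified-bot check alone is also a quick manual sanity check, since a real Wick would carry the flag and the clone does not.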
Aleski goes into more detail over on Drivet’s blog!
Also, if you’ve been hacked, you should go check out the nice people at Fight Against Scam.