The Discord QR Code Scam

Written on July 0th, 2022 • 2 min read

[Image: AAC3A3C1-1201-4388-A20E-117C1ADA1D7C.jpeg]

It was a message from a friend of mine. He said I was creeping on a girl and told me to check a channel called #drama. It didn’t match the way he usually writes, so I wanted to check it out.

[Image: 405B7323-6857-4275-B771-A2531436EA82.jpeg]

A bot was here called “Wick”. It’s a clone of a real security bot called Wick (notice that there is no checkmark next to “BOT”).
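The “no checkmark next to BOT” tell is something a moderation bot can check mechanically, because Discord exposes the verified-bot status as a bit in a user object’s `public_flags`. The helper below is an added example, not code from the original post or from the real Wick project; it assumes the `VERIFIED_BOT` flag value (`1 << 16`) from Discord’s documented user flags and a hand-picked list of bot names worth protecting, and the user objects it triages are constructed for the example.

```python
# Added example (not from the original post): flag bot accounts that use the
# name of a known security bot but lack Discord's verified-bot flag.
import json

# Discord user public_flags bit for a verified bot (from Discord's user-flags table).
VERIFIED_BOT = 1 << 16

# Names whose genuine bot accounts carry the verified flag. Assumption for the
# example: the real Wick is verified, as the post's screenshot implies.
KNOWN_SECURITY_BOTS = {"wick"}


def is_verified_bot(user: dict) -> bool:
    """True only for bot accounts whose public_flags include VERIFIED_BOT."""
    return bool(user.get("bot")) and bool(user.get("public_flags", 0) & VERIFIED_BOT)


def normalise_name(name: str) -> str:
    """Case-fold and strip padding so 'Wick ' or 'WICK' still match the protected name."""
    return name.strip().casefold()


def impersonation_risk(user: dict) -> str:
    """
    Classify one user object:
      - "not-a-bot"            : ordinary user account
      - "verified"             : bot with Discord's verified-bot flag
      - "likely-impersonation" : unverified bot using a protected bot's name
      - "unverified"           : any other unverified bot
    """
    if not user.get("bot"):
        return "not-a-bot"
    if is_verified_bot(user):
        return "verified"
    if normalise_name(user.get("username", "")) in KNOWN_SECURITY_BOTS:
        return "likely-impersonation"
    return "unverified"


def triage_members(member_json: str) -> dict:
    """Return {user id: risk label} for a JSON array of user objects."""
    return {u["id"]: impersonation_risk(u) for u in json.loads(member_json)}


# Constructed sample member list (ids and flags invented for the example).
SAMPLE_MEMBERS = json.dumps([
    {"id": "1001", "username": "Wick", "bot": True, "public_flags": VERIFIED_BOT},
    {"id": "1002", "username": "Wick ", "bot": True, "public_flags": 0},
    {"id": "1003", "username": "helper-bot", "bot": True, "public_flags": 0},
    {"id": "1004", "username": "alice", "bot": False, "public_flags": 0},
])

if __name__ == "__main__":
    for uid, risk in triage_members(SAMPLE_MEMBERS).items():
        print(uid, risk)
```

In a real moderation bot this would run on the member-join event and either post an alert or quarantine the account; the name match is deliberately loose (case-folded, whitespace stripped) because impersonators rarely copy the name byte-for-byte.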

Clicking verify gives you a QR code intended to be scanned in the mobile app. This is a real Discord feature that lets you scan a QR code when signing in and skip 2FA on the new device. I use this feature all of the time because I don’t always have time to wait for a text.

This is easily exploited by scammers.

[Image: 63EA7E7E-CC62-4D37-A263-85CF6EAE7974.jpeg]

People will most likely think this is a legitimate OAuth screen because it’s inside Discord’s own app. The screen was only ever intended for YOU to log in to Discord’s app, not for someone else to log in as you.

[Image: 224B24C9-0357-4C00-AE8F-13CFAAF0217A.jpeg]

A picture of the QR code that you are supposed to scan to “verify” to get into the server.

This method bypasses 2FA, so you’re screwed either way, with or without it enabled.

Aleski goes into more detail over on Drivet’s blog!

Also, if you’ve been hacked, you should go check out the nice people at Fight Against Scam

You can see the main site here.