How I almost got my accounts compromised

Turns out I’m good at playing defense.

Last week I nearly had my online accounts stolen. But thanks in part to the defenses of online services and my own security practices, in the end nothing was actually compromised. This was not a sophisticated attack, but it did alter the playbook of a standard attack vector.

Late Wednesday night, my high school friend messaged me on Discord:

Attacker: hi
Me: hi
Me: hru
Attacker: fine ig
Attacker: wbu?
Me: doin good
Me: its spring in nyc 🙂
Attacker: yes
Attacker: nice
Attacker: can i ask a quick favor if you dont mind
Me: shoot
Attacker: nowadays I made a project with my friend, 2d adventure one
Attacker: if you have time, would you like to give your pov?
Attacker: 2-3 mins
Me: gimme the game pitch!
Attacker: [URL]
Attacker: here
Attacker: check it

This exchange, over the course of five minutes, was not unusual. Their typing style was in character. Everything seemed normal, even the URL: it was HTTPS, it was short and descriptive (not a link shortener or a strange TLD), and it had an embedded description and image. It looked legit. None of those signals actually vouch for a site, though: a TLS certificate costs nothing, and the description and image in a Discord link preview are generated from metadata the site itself serves, so an attacker controls every part of that first impression.

All the while this conversation was going on, I was actually playing with friends on VRChat, so I decided to check my friend’s game out later. I signed off right after midnight, done with my friends. I downloaded this “game” from the website.

The “game” came in a password-protected RAR file. Trying to extract it with Windows Explorer gave me “Error: 0x8096002A: No error description available.” Bizarre! Attempting to open it with 7-Zip prompted for a password.

Me: it's uh...
[Screenshot of error message]
Me: consider a zip
Me: what on earth
[Screenshot of password prompt]

At this point I was slightly suspicious. Sending malicious executables over Discord DMs is a well-known attack vector, because a file from a friend’s account gets downloaded. This one differed in that the payload was served from an external, legitimate-looking website rather than attached to the message. Evolution, I guess.

Being careful, I checked the file on VirusTotal. Nothing detected. Seemed safe. In hindsight that verdict carried no information: the archive was password-protected, so the scanners could not read the executable inside it. A clean result on an encrypted RAR only says that the container itself is not flagged, which is exactly why stealer campaigns ship their payloads that way.

My friend didn’t immediately respond, so I headed off to bed. At this point the executable wasn’t extracted, and so nothing was run.

Not messaging me back was their, perhaps fatal, mistake. I was tired and in a more vulnerable state. Buuuut! I slept!

The next morning, I woke up to:

Attacker: yo
Me: What?
Me: I need a password to extract it
Attacker: download again
Attacker: new updates have arrived
Attacker: pw: beta

I extracted the archive with the password; inside was an installer executable. I installed it, ran it, and opened the “game”. Chrome crashed immediately, and Windows alerted me that the app had added itself to the startup items. Nothing else happened, so I re-opened Chrome and re-ran the “game”. Chrome crashed again. In hindsight, a browser that dies the moment an unknown program launches is itself a tell: Chrome holds its cookie and login databases open while it runs, and credential stealers commonly kill the browser to copy them.

I opened Task Manager to see what was up, and the “game” was still running. I pulled the installer and the “game” executable into VirusTotal. All checks cleared. Malwarebytes didn’t alert me to anything either, which is concerning. A freshly built sample that nobody has submitted yet has no signature to match, so a clean scan of an unknown executable is weak evidence in either direction.

Not fully confident it was malicious, but still very suspicious, I messaged back.

Me: OK few questions
Me: why did it crash chrome
Me: why did it add itself as a startup item
Me: oh and why isnt it working

At this point, I had terminated the multiple instances of the “game” I had opened, and removed it from my startup apps. (Sidenote: it is great that Windows tells you when an app does this. Adding a malicious executable to the computer’s startup is a standard persistence technique: it runs again at every login, and surviving a reboot is what turns a one-shot theft into repeated harm.)
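The startup notification is one signal; the other place to look is the Run keys that such programs register themselves under. The following is an added example, not code from the original post: it triages a constructed `reg export` of the per-user Run key and flags entries that run from Temp or Downloads, or that borrow the name of a System32 binary from somewhere else. The registry entries, user name and program names in the sample are made up for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a `reg export` of the per-user Run key. The entries,
# user name and program names are made up for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Discord"="C:\\Users\\me\\AppData\\Local\\Discord\\Update.exe --processStart Discord.exe"
"GameUpdater"="\"C:\\Users\\me\\AppData\\Roaming\\Adventure2D\\game.exe\" --silent"
"WinHelper"="C:\\Users\\me\\AppData\\Local\\Temp\\svchost.exe"
'''

# Binaries that live in System32; the same name anywhere else is a masquerade.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe",
                       "csrss.exe", "winlogon.exe", "rundll32.exe"}

# One REG_SZ value line of a .reg export: "Name"="escaped value"
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


@dataclass
class RunEntry:
    name: str
    command: str
    exe_path: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A user-writable location alone is informational: Discord and many
        # updaters legitimately run from AppData, so it never flags by itself.
        return any(r != "user-writable location" for r in self.reasons)


def _unescape(value: str) -> str:
    """Undo .reg string escaping: a backslash escapes backslash and double quote."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _executable(command: str) -> str:
    """Return the program path from a Run-key command line (quoted or bare)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def _classify(exe_path: str) -> list:
    """Heuristic reasons an autostart path deserves a second look."""
    p = exe_path.lower()
    base = p.rsplit("\\", 1)[-1]
    reasons = []
    if "\\temp\\" in p:
        reasons.append("runs from a Temp directory")
    if "\\downloads\\" in p:
        reasons.append("runs from Downloads")
    if base in SYSTEM_BINARY_NAMES and "\\windows\\system32\\" not in p:
        reasons.append(f"{base} outside System32 (name masquerade)")
    if "\\appdata\\" in p:
        reasons.append("user-writable location")
    return reasons


def parse_run_export(reg_text: str) -> list:
    """Parse the REG_SZ entries of a .reg export into RunEntry objects."""
    entries = []
    for line in reg_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        command = _unescape(m.group("value"))
        exe = _executable(command)
        entries.append(RunEntry(m.group("name"), command, exe, _classify(exe)))
    return entries


def suspicious_entries(reg_text: str) -> list:
    return [e for e in parse_run_export(reg_text) if e.suspicious]


if __name__ == "__main__":
    for e in parse_run_export(SAMPLE_REG_EXPORT):
        flag = "SUSPICIOUS" if e.suspicious else "ok"
        print(f"{flag:10} {e.name:12} {e.exe_path}  {'; '.join(e.reasons)}")
```

The heuristics are deliberately narrow: a program in Temp or a `svchost.exe` outside System32 is almost never legitimate, whereas AppData is where many real applications live, so that entry is reported but not flagged. In practice every AppData entry you do not recognise still gets checked by hand, along with the HKLM Run key, the RunOnce keys and the Startup folders, which this example does not cover.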

I did some digging while waiting for a response. The images on the site? Their paths refer to a Steam game. That game has a Steam store page, but it doesn’t point to the URL I was given. Red flag.

Searching for the game doesn’t bring up that URL. Red flag.

I texted my friend asking about this “game”. They told me immediately that their account had been hacked, not to open it, and to add their new Discord account as a friend.

My internal dialogue upon reading this: “🙄 ugh. Now I’m going to have to do effort.”

I replied that I indeed did open the file and ran it. They felt bad, but I reassured them that I had everything under control.

Attacker: bro
Attacker: i
Attacker: hacked
Attacker: you
Attacker: You want to make a deal?

They had, in fact, not hacked me. But it was nice to get confirmation that it was malicious. I was confident nothing really serious had happened. So I bullshitted and feigned naivety:

Me: Tell me what you have and I'll make a deal
Attacker: pay me
Attacker: 100 dollars
Attacker: If you pay the money, I'll delete the virus
Me: How do I pay
Me: Please get it off

The “virus”, in fact, was already deleted and not running.

Attacker: do you
Attacker: have
Attacker: cashapp
Me: I think
Me: What's the account name

I don’t think I have CashApp.

Attacker: [YouTube link]
Attacker: watch
Me: ugh you want bitcoin?
Me: but bitcoin is so environmentally disastrous

Knowing that my session tokens were stolen, I went through the arduous process of resetting my passwords, removing my Windows computer from logged-in sessions, etc. It wasn’t too bad, actually. Having a password manager is useful to expedite this process, which I did from my laptop juuuust in case.

Google’s account page alerted me that someone from Turkey had tried to access my account, but was blocked. Because it was in Turkey. And I’m in New York.

Attacker: bro
Attacker: pay
Attacker: me
Me: ok but like
Me: what do you even have on my computer

All the while, I was more annoyed than panicked. I knew that standard practice for online accounts is to invalidate all session tokens when a password change is made. I knew the attacker had nothing on me. They weren’t able to go far. I just wanted to glean more information about their operation. (Not every service does revoke sessions on a password change, so after a reset it is worth using the explicit “sign out of all devices” option wherever one exists.)
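What “invalidate all session tokens on a password change” looks like on the server side is simple to implement and worth seeing, because it is the reason a stolen token stops working the moment its owner resets the password. The following is an added example, not code from the original post and not how Discord or Google implement it: every token is signed and carries the user’s current credential version, changing the password (or choosing “sign out everywhere”) bumps that version, and any token minted against an older version is rejected. The signing key, user names and passwords are made up for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    salt: bytes
    password_hash: bytes
    credential_version: int = 1   # bumped on password change / "sign out everywhere"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionService:
    """Issues HMAC-signed session tokens bound to the user's credential version."""

    def __init__(self, signing_key: bytes, token_ttl: int = 7 * 24 * 3600):
        self._key = signing_key        # hypothetical server-side secret
        self._ttl = token_ttl
        self._users = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user_id] = User(user_id, salt, self._hash(password, salt))

    def _check_password(self, user: User, password: str) -> bool:
        return hmac.compare_digest(self._hash(password, user.salt), user.password_hash)

    def login(self, user_id: str, password: str, now=None):
        """Return a signed token, or None on bad credentials."""
        user = self._users.get(user_id)
        if user is None or not self._check_password(user, password):
            return None
        payload = {"uid": user_id, "cv": user.credential_version,
                   "iat": int(now if now is not None else time.time()),
                   "sid": secrets.token_hex(8)}
        body = _b64(json.dumps(payload, separators=(",", ":")).encode())
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(mac)}"

    def validate(self, token: str, now=None):
        """Return the user id for a valid, unrevoked, unexpired token, else None."""
        try:
            body, mac_b64 = token.split(".", 1)
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_unb64(mac_b64), expected):
                return None
            payload = json.loads(_unb64(body))
        except ValueError:           # malformed base64, JSON or missing "."
            return None
        if not isinstance(payload, dict):
            return None
        user = self._users.get(payload.get("uid"))
        if user is None:
            return None
        # Minted against an older credential version: the session was revoked.
        if payload.get("cv") != user.credential_version:
            return None
        current = now if now is not None else time.time()
        if current - payload.get("iat", 0) > self._ttl:
            return None
        return user.user_id

    def change_password(self, user_id: str, old: str, new: str) -> bool:
        user = self._users.get(user_id)
        if user is None or not self._check_password(user, old):
            return False
        user.salt = secrets.token_bytes(16)
        user.password_hash = self._hash(new, user.salt)
        user.credential_version += 1   # every outstanding token is now rejected
        return True

    def sign_out_everywhere(self, user_id: str) -> None:
        self._users[user_id].credential_version += 1
```

The version check is what makes the reset effective against a stealer: the attacker's copy of the token is byte-for-byte valid and its signature still verifies, but the server no longer honours it. Real services usually store per-session records so that individual devices can be revoked too; the single version counter here is the minimum that gives "change password, everything else logs out".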

They didn’t respond to my question, so I sent a GIF of Mr. Bean in a field of yellow flowers checking his watch and playing in the grass.

Me: so... I hear you're from Turkey

No response. Meanwhile I was wrangling my accounts so the attacker couldn’t do shit. Get fucked.

Having 2FA and a password manager tightened my security. Please use an app-based 2FA code generator. My friend did not have 2FA enabled, which is how the attacker was able to get into their account. (They had also been attacked in the same manner as I was.) One caveat: 2FA guards the login step, and a stolen session token sidesteps it, because the token is proof that a login already happened. What 2FA buys you is that once the sessions are revoked, the attacker cannot simply log back in with a password they may also have captured.

My friend and I both fell for the same thing. I’m also vulnerable to these types of attacks. We all are.

Me: you're offline?

I never heard back. I resolved to keep checking my accounts for suspicious activity throughout the day. In the meantime, I went out to take some photos.