This Steam phish baits you with free Discord Nitro


Weeks ago, we talked about the one effective lure that could get a Discord user to consider clicking on a scam link they were generously given, either by a random user or a legitimate contact who also happened to have fallen for the same ploy: free Discord Nitro subscriptions.

And similar to how scammers repeatedly prey on Discord users, they also prey on Steam users (Remember that “I accidentally reported you” scam?).

What is novel here is scammers preying on both at the same time. That is not something you come across every day.

This Discord scam is not after your Discord credentials

There’s a fresh, active scam circulating in Discord right now that is propagated by either bot accounts or accounts controlled by scammers. Below is a sample screenshot of what you might find sitting in your direct messages:

See, here free nitro for 1 month, just link your Steam account and enjoy –
{partially redacted URL}

Once Discord users click the link, they are directed to a website that was made to look and feel like a legitimate Discord page.

Clicking the “Get Nitro” button opens what looks like a Steam sign-in pop-up. It is not a separate browser window, however, but an element of the scam page itself, drawn to look like one.

This tactic is similar to that used by fraudsters about two years ago, described here by Reddit user /Bangaladore. In the post, he describes in detail how he (or his friend) found out that the pop-up is actually not a pop-up: “If you try to drag the window off of the parent chrome window, what happens? You can’t. It just stops at the edge. If you scroll up and down on the original page, the Steam sign in the [sic] window goes with it. A normal pop up does not act like this.”

As you can see above, this particular pop-up had trouble loading its elements, hence the borked look. The websites we visited and analyzed for this scam all use the same interface, but there are times when the code breaks and the spoofed URL in the fake address bar doesn’t render as it should. Here’s a better example from a related scam website where everything loaded properly:

When Discord users key in their Steam credentials in the fake pop-up, it shows them an error message saying “The account name or password that you have entered is incorrect”. Behind the scenes, though, their Steam credentials have already been sent to, and stored by, the scam website.
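The drag and scroll test quoted above works because the fake pop-up is just part of the page’s DOM, so it can also be checked programmatically. The following is an added example, not code from the Malwarebytes post or from the scam sites: a heuristic that walks a page and flags a positioned overlay that both contains a password field and paints the name of a trusted login host (an assumed list below) while the page is really on some other host. It uses only the standard DOM node shape (nodeType, childNodes, nodeValue, tagName, style), so it runs unchanged in a browser console and, outside a browser, on the hand-built stand-in for the scam page at the bottom. The scam hostname used there is hypothetical, since the post redacts the real one.

```javascript
// Hosts whose login pages a phish would want to impersonate (assumed list).
const TRUSTED_LOGIN_HOSTS = ["steamcommunity.com", "store.steampowered.com", "discord.com"];

const ELEMENT_NODE = 1;
const TEXT_NODE = 3;

// Depth-first walk over every node in a subtree (works on a real NodeList too).
function* walk(node) {
  yield node;
  for (const child of node.childNodes || []) yield* walk(child);
}

// A real pop-up is a separate window; the fake one is an element laid over the
// page, which is why it scrolls with the page and cannot be dragged off it.
// In a browser read the computed style (the position usually comes from CSS);
// outside a browser fall back to the inline style object.
function isPositionedOverlay(node) {
  if (node.nodeType !== ELEMENT_NODE) return false;
  const pos = typeof getComputedStyle === "function"
    ? getComputedStyle(node).position
    : (node.style && node.style.position) || "";
  return pos === "fixed" || pos === "absolute";
}

function isPasswordField(node) {
  return node.nodeType === ELEMENT_NODE &&
    String(node.tagName).toUpperCase() === "INPUT" &&
    String(node.type).toLowerCase() === "password";
}

// All text painted inside a subtree; the fake address bar is just text.
function paintedText(node) {
  let out = "";
  for (const n of walk(node)) if (n.nodeType === TEXT_NODE) out += " " + (n.nodeValue || "");
  return out.toLowerCase();
}

// One finding per overlay that (a) contains a password field and (b) displays a
// trusted login host that is not the host the page is actually served from.
function findFakeLoginWindows(root, realHostname) {
  const findings = [];
  const here = String(realHostname).toLowerCase();
  for (const node of walk(root)) {
    if (!isPositionedOverlay(node)) continue;
    const subtree = [...walk(node)];
    if (!subtree.some(isPasswordField)) continue;
    const text = paintedText(node);
    for (const host of TRUSTED_LOGIN_HOSTS) {
      // steamcommunity.com may legitimately show its own name; the phish shows it elsewhere.
      if (text.includes(host) && here !== host && !here.endsWith("." + host)) {
        findings.push({ displayedHost: host, realHostname: here, overlay: node });
      }
    }
  }
  return findings;
}

// --- Constructed stand-in for the scam page, used when run outside a browser ---
const el = (tagName, props = {}, childNodes = []) =>
  ({ nodeType: ELEMENT_NODE, tagName, style: {}, ...props, childNodes });
const txt = (s) => ({ nodeType: TEXT_NODE, nodeValue: s });

const sampleScamBody = el("BODY", {}, [
  el("H1", {}, [txt("Claim your free Nitro")]),
  el("BUTTON", {}, [txt("Get Nitro")]),
  // The "pop-up": a positioned div with a painted title bar and address bar.
  el("DIV", { style: { position: "absolute" } }, [
    el("DIV", {}, [txt("Sign In - Steam Community")]),
    el("DIV", {}, [txt("https://steamcommunity.com/openid/login")]),
    el("FORM", {}, [
      el("INPUT", { type: "text" }),
      el("INPUT", { type: "password" }),
      el("BUTTON", {}, [txt("Sign in")]),
    ]),
  ]),
]);

// Hypothetical scam hostname (the real one is redacted in the post).
const SAMPLE_SCAM_HOST = "free-nitro.example";

if (typeof document === "undefined") {
  console.log(findFakeLoginWindows(sampleScamBody, SAMPLE_SCAM_HOST).map((f) => f.displayedHost));
}
```

In a browser, paste the block into the developer console on the suspicious page and run findFakeLoginWindows(document.body, location.hostname); any finding means a sign-in box is being painted by the page rather than opened as a window. A genuine pop-up, including Steam’s own OpenID login, never appears in the parent page’s DOM at all, which is exactly what the drag test in the quote above exploits.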

Below is a clip of the scam in action (Kudos to Stefan Dasic who analyzed the URLs and recorded this clip):

Malwarebytes already blocks 195[dot]133[dot]16[dot]40, the IP address hosting this scam. We also found more than a hundred other scammy domains sitting on the same IP. Here’s a sampling:

Stay safe out there! And please don’t just click links that come out of the blue.


Jovi Umawing

Knows a bit about everything and a lot about several somethings. Writes about those somethings, usually in long-form.