Malware and PUP Disguised as Twitch Bombing Tools

What is Twitch?

Twitch is primarily a site dedicated to live streaming content. It also lets you chat via text with others in whichever stream you happen to be watching. The primary draw of Twitch streams is video games and e-sports, which has led to the rise of many big-name streamers and content creators.

Is Twitch just for gaming?

In addition to gaming streams, Twitch also offers user-generated content on a wide variety of themes and subjects. Everything is available, from watching somebody sleep, to musical events, to walking around the streets of Japan shopping for clothes.

What age is Twitch for?

Statistics show a heavy leaning towards younger age ranges, with 41% of users in the 16-24 bracket and 32% in the 25-34 demographic. The proliferation of younger users makes it an appealing target for scammers.

Is it free? What is Twitch Prime?

The default Twitch experience is free to use. You can open up the Twitch website or download the app and start watching content right away. There’s no payment required to do this. However, Twitch does have paid options in the form of subscriptions, and also Prime Gaming (often referred to as “Twitch Prime”). Being a subscriber supports specific channels and also adds functionality for the user, such as emotes. Paid features and services make Twitch accounts an attractive proposition for scammers.

What are the dangers of Twitch?

The dangers are a mix of malware, phishing pages, and social engineering.

  1. Fake spam blogs, which may or may not claim to be official Twitch sources, offer up some kind of “fix”. The fix might relate to stream quality, audio, or broken emotes, for example. In one case, we found malware served up as an “audio fix”. This file actually steals the streamer’s Stream Key and gives it to the malware author. From there, they’re able to take control of the Stream and send out whatever they want to their audience, as well as change the channel name.
  2. Bogus video plugins are also a popular way of tricking people into running files that are not necessary to use Twitch. We found an imitation Twitch site offering up a “video player plugin” supposedly required to stream the site’s content. In actuality, the file is an installer manager which we detect as a PUP (Potentially Unwanted Program). The program offers a variety of installs, and also opens a streaming site unrelated to Twitch. Though listed as “free”, these types of sites often require a paid monthly subscription to view the content – only registering on the site is “free”.
  3. Fake “bombing” tools. Twitch bombing is where bots jump into someone’s channel and entice viewers away to another stream. This is a bad enough thing to happen, but the waters are muddied further when you discover that fake tools claiming to help you “bomb” are actually just Trojans or PUPs.
  4. Discord/Twitch crossovers. We often see bots in Discord channels claiming to be from Twitch and bearing free gifts. These generally direct potential victims to phishing pages hunting for Discord credentials.

Has Twitch ever been compromised?

Yes. Data was exposed to the internet after a server configuration change. This alteration was taken advantage of by a third party. Although no payment or address data was found to be leaked, a number of security practices were advised in any case. The data was classed as “Part 1”, leading some to suspect a second data dump containing said payment or address data. At time of writing, no such data has materialised. Users of Twitch should be on their guard for any kind of scam or social engineering regardless. We’re too close to the incident to know for sure if everything is now back to normal. As far as regular Twitch use goes, however, you’re almost certainly good to go.

Is Twitch safe?

A lot of the tricks above are used on many other websites whether related to gaming or not. If you make use of Twitch security settings, and keep up to date with the latest security happenings along the way, in theory you should be fine.

There’s always the possibility of a service being compromised, and as we’ve seen, this happened to Twitch itself not long ago. However, this kind of attack is out of your hands. Keep things locked down, make use of 2FA, and steer clear of the “something for nothing” scams. Nobody can possibly fault you for doing the very best you can to keep your account and Twitch itself safe from harm.