|
2 | 2 | #import "/utils/helpers.typ" as utils |
3 | 3 |
|
4 | 4 | #let args = ( |
5 | | - title: "beyond text ", |
6 | | - date: "2025-11-07", |
| 5 | + title: "the accounts", |
| 6 | + date: "2026-02-15", |
7 | 7 | author: "amy erskine", |
8 | | - summary: [using images to scam people], |
| 8 | + summary: [some analysis of the accounts posting scams], |
9 | 9 | tags: ("moderation",), |
10 | 10 | ) |
11 | 11 |
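Review bot: the new `summary` at line 8 ("some analysis of the accounts posting scams") gives the index page nothing to hook on; since the post's findings are concrete (120 banned accounts sampled, roughly 16% carrying a Discord `spammer` flag, 80 bans logged in January 2026), put one of those numbers in the summary, e.g. `summary: [what 120 automod-banned accounts tell us about who Discord catches]`.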
|
12 | 12 | #show: post.with(..args) |
13 | 13 |
|
14 | | -Welcome back for the 3rd post in #link("/tags/moderation/")[this series] in which we will now explore a new threat. Images. |
| 14 | +After having a look at the #link("/posts/moderation/the-infra")[the infra] behind these scams, let's now do some investigation on the accounts themselves. |
15 | 15 |
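Review bot: the replacement line 14 reads `the #link("/posts/moderation/the-infra")[the infra]`, which renders as "the the infra"; drop one article, e.g. `After having a look at #link("/posts/moderation/the-infra")[the infra] behind these scams, ...`.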
|
16 | | -Since we previously explored various textual tactics employed by bad actors, there's been an emergence in using images to deliver the payload. |
| 16 | +I took a sample of the last 120 accounts banned by our automod, and ran some basic analysis on them. |
17 | 17 |
|
18 | | -This completely changes the game of detection and removal as we can no longer use simple string tooling to do our heuristics. Whilst I can't share what we do at TCD, I can at least say that we've solved the problem of images. |
19 | | - |
20 | | -There's quite a variety of payloads to look at, so let's get started. |
21 | | - |
22 | | -== the tech |
23 | | -It started utilising Discord's CDN as the source for the uploaded images, posting an image link in combination with a masked link, like this: |
24 | | -``` |
25 | | -https://media.discordapp.net/attachments/1401868025313103885/1401868063032344648/beast.jpg |
26 | | -I got 3000$ from MrBeast :thumbsup: |
27 | | -[bbc.com/news/articles/c74n9wez7k8o](<bad link>) |
28 | | -``` |
| 18 | +First off, I plotted out the creation dates of each account, which shows no specific pattern. It's not just new users falling for these tricks. |
29 | 19 |
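Review bot: the sampling sentence at line 16 ("the last 120 accounts banned by our automod") needs the date window those bans span and which automod rules produced them, because the creation-date plot introduced at line 18 and the flag percentage later in the post are only interpretable against that window; a sample of the most recent bans also over-represents whichever campaign was running last, so the "no specific pattern" reading of creation dates deserves that caveat.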
|
30 | 20 | #html.img( |
31 | | - src: "/posts/moderation/single-image-scam.png", |
32 | | - alt: "a sample of the mr beast scam showing a fake news article with a link to go to", |
33 | | - title: "sample payload", |
34 | | - style: "width: 75%; margin: auto; margin-top: 1rem;" |
| 21 | + src: "/posts/spam-analysis/account-creation.png", |
| 22 | + alt: "a bar chart showing a wide range of creation dates", |
| 23 | + title: "account creation dates", |
| 24 | + style: "width: 75%; margin: auto;" |
35 | 25 | ) |
36 | 26 |
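Review bot: the image `src` moves from `/posts/moderation/` to `/posts/spam-analysis/` (lines 21 and 32) while the post still links its predecessor at `/posts/moderation/the-infra` and keeps `tags: ("moderation",)`; this diff only touches the `.typ` file, so confirm `account-creation.png` and `flags.png` are committed under the new directory, and consider keeping the series' assets in one place so both posts resolve the same way.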
|
37 | | -In line with text-based scams, this was of course sprayed everywhere in a server. Our #link("/posts/moderation/online-moderation#mitigations")[previously discussed mitigation] of a blanket masked link ban works wonders here. |
38 | | - |
39 | | -There was soon a completely image based variant though, using CDN links again: |
40 | | -``` |
41 | | -https://media.discordapp.net/attachments/1294380382661116045/1379563070900408340/1.jpg |
42 | | -https://media.discordapp.net/attachments/1294380382661116045/1379563071206330449/2.jpg |
43 | | -https://media.discordapp.net/attachments/1294380382661116045/1379563071445532855/3.jpg |
44 | | -https://media.discordapp.net/attachments/1294380382661116045/1379563071722229872/4.jpg |
45 | | -``` |
46 | | - |
47 | | -It is important to highlight that in both cases here CDN **links** are being used. We think this has a few benefits for the bad actors: |
48 | | - |
49 | | -- Server permissions |
50 | | -It's not uncommon for new members to a server to be blocked from posting media. It is however uncommon for _embeds_ to also be blocked. |
51 | | -You only need the latter for your CDN links to render. |
52 | | - |
53 | | -- Speed of spray |
54 | | -It takes a long time (relatively) to upload pictures. |
55 | | -It's also not hard to roll the links if it for some reason gets blocked, given how easy Discord servers are to make. |
56 | | - |
57 | | -- Platform integration |
58 | | -Discord will compress the visuals of a CDN link to make it more appealing in the client, this reduces the chances of someone spotting it. |
59 | | - |
60 | | -== additional tech |
61 | | -Whilst the core payload remains the same, we've seen yet more rapid development in delivery since initially dealing with the '4 image CDN' variant. |
62 | | -These include: |
63 | | - |
64 | | -- posting the 3rd party links verbatim |
65 | | -``` |
66 | | -https://<bad CDN>/R4HX9jZN/image.png |
67 | | -https://<bad CDN>/1txYh0fn/image.png |
68 | | -https://<bad CDN>/z11zS2W/image.png |
69 | | -https://<bad CDN>/5WCfjZ6X/image.png |
70 | | -``` |
71 | | - |
72 | | -- masking those links to a 3rd party CDN |
73 | | -``` |
74 | | -[image.png](https://<bad CDN>/d4fhK75V/1.jpg) |
75 | | -[image.png](https://<bad CDN>/v49sDYM7/2.jpg) |
76 | | -[image.png](https://<bad CDN>/hJb1VzC0/3.jpg) |
77 | | -[image.png](https://<bad CDN>/Y43JG9hs/image4.jpg) |
78 | | -``` |
79 | | - |
80 | | -- using more markdown hacks to hide the links |
81 | | -I've reduced the amount of pipes for your reading pleasure, but it's about 900 pipes. |
82 | | -``` |
83 | | -||||||| _ _ _ _ _ _ https://<bad CDN>/UHlJ7jO.png |
84 | | -https://<bad CDN>/BSN8F2m.png |
85 | | -https://<bad CDN>/5R4cvmi.jpeg |
86 | | -https://<bad CDN>/gDr1suT.png |
87 | | -``` |
88 | | - |
89 | | -== timeline |
90 | | -To provide some context, the rough timeline is this: |
91 | | -- May/June 2025: first sighting |
92 | | -- June -> August 2025: things really pick up |
93 | | -- August 2025 -> Present: most phishes are image based |
| 27 | +I then plotted the account 'flags' (taken from #link("https://flags.lewisakura.moe/")[this amazing resource]) which showed Discord successfully detecting around 16% of the accounts _we_ detected |
| 28 | +as spammers. To be frank, this is quite a poor show given just how rampant spam is on the platform. In particular, we know that the 4-panel image gallery is being seen elsewhere, completely |
| 29 | +disconnected from tech servers. |
94 | 30 |
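Review bot: the flags comparison at lines 27-29 reports Discord catching "around 16%" of the accounts we banned, but flags are read at lookup time rather than at ban time, so an account flagged `spammer` after our ban counts in Discord's favour and one deleted or cleaned up since counts against it; state when the flags were fetched relative to the bans and give the raw count out of 120 next to the percentage. The statement that the 4-panel image gallery is "being seen elsewhere, completely disconnected from tech servers" has no source in the post; link the sighting or phrase it as anecdotal.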
|
95 | 31 | #html.img( |
96 | | - src: "/posts/moderation/graph-nov.png", |
97 | | - alt: "a graph showing the account takeovers in TCD for 2025. it trends up on the back half of the year", |
98 | | - title: "takeover graph trending up", |
| 32 | + src: "/posts/spam-analysis/flags.png", |
| 33 | + alt: "a bar chart showing the flags present, with the majority being 'no flags', though with a high amount of 'spammer'", |
| 34 | + title: "account flags", |
99 | 35 | style: "width: 75%; margin: auto;" |
100 | 36 | ) |
101 | 37 |
|
102 | | -== conclusion |
103 | | -The conclusion here is unfortunately dry as I cannot share how we solved this problem. Maybe at some future point we will be able to open source it. |
104 | | -It will be interesting to see how this technique evolves further, perhaps incorporating more of the URL encoding nonsense #link("/posts/moderation/discord-url-deception")[I shared previously]. |
| 38 | +Our techniques are fairly primitive really, but have an exceedingly low false positive rate. I would expect an org like Discord to be hitting more than this, perhaps around 50%. |
105 | 39 |
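Review bot: "perhaps around 50%" at line 38 is an unsupported expectation placed beside a measured 16%, and readers will quote the two together as if both were measured; give the basis for 50% or mark it plainly as a guess. The "exceedingly low false positive rate" claim would also carry more weight with the number behind it, since the 16% comparison only holds if our 120 bans are themselves near-all true positives.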
|
106 | | -I can at least share that our in-house solution now stands at 1665 cases at time of writing, with ~20% of those being the new tech we developed to target this campaign. Pretty strong stuff. |
| 40 | +I did also calculate the ban date for each user, based on the message ID of the log, which showed 80 bans for January 2026 (other months are incomplete). This problem is ongoing without a doubt. |
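Review bot: deriving ban dates from "the message ID of the log" at line 40 relies on the ID encoding a timestamp (Discord's snowflake IDs do), and that timestamp is when the ban was logged, not when the account was acted on; say so, and state the window the 120-account sample covers, because "80 bans for January 2026 (other months are incomplete)" only reads correctly once it is clear the sample of the last 120 bans necessarily spills over both edges of January. The removed closing line also carried the running case count (1665); if that figure is still tracked, this post is the natural place to update it.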