Discord Phishing Link Analysis


Analysis of a phishing link currently being shared on Discord

Published on January 17, 2022 by 0xRar

DFIR Phishing Analysis


Analysis of (http[:]//disccrdapp[.]com/newyears) Phishing Link

Info:

  • Target: discord.com
  • Phish Domain: disccrdapp[.]com
  • IP: 190.115.18.199
  • DNS Record: AS262254 - DDOS-GUARD CORP
  • Domain Registrar: REG.RU LLC
  • Location: Belize City, Belize
  • Device: Android Phone

Details:

This phishing scenario starts when the victim clicks on the link, accidentally or otherwise. It spreads itself by sending the link to the victim's Discord friends and joined servers. The link did not ask the victim to enter credentials in order to send the link or steal any tokens or credentials. The page claims to give the users (victims) a free month of Discord Nitro, which costs $9.99 USD monthly, as if it was brought to you by Steam.

This way they can spread the link through Discord and/or steal your Discord credentials and your Steam account credentials, potentially making a profit from your Steam inventory. Also, according to urlscan.io, the link uses nextcord, which is a Discord API wrapper used to make Discord bots, so maybe it uses it to make an HTTP request to the server and send the harvested creds via Discord, but that's just a possibility.

How do they fool victims:

  • Using a domain name that is really close or related to the real domain.
  • Cloning the real Discord Nitro page.
  • Making them think they don't have to pay and promising them something they want (Nitro).
  • Using the exact same embed photo for links as the real Discord.
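
A defender-side check for the first trick in the list above, as an added example that is not part of the original post: it refangs the indicator and flags hosts whose registrable domain is within a small edit distance of a real Discord domain. The allowlist entry discordapp.com, the function names, and the distance threshold of 2 are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Domains treated as legitimate. discord.com is the target named in the post;
# discordapp.com is an assumption added for this example.
LEGIT_DOMAINS = ("discord.com", "discordapp.com")
SAMPLE = "http[:]//disccrdapp[.]com/newyears"  # indicator from the post


def refang(indicator: str) -> str:
    """Undo common defanging (hxxp, [:], [.]) and drop stray whitespace."""
    s = re.sub(r"\s+", "", indicator)
    s = s.replace("[:]", ":").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def host_of(indicator: str) -> str:
    """Return the lower-cased hostname of a URL or bare domain."""
    s = refang(indicator)
    if "://" not in s:
        s = "//" + s  # lets urlsplit treat a bare domain as a netloc
    return (urlsplit(s).hostname or "").rstrip(".").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(indicator: str, max_distance: int = 2):
    """Return (verdict, host, nearest legitimate domain, distance)."""
    host = host_of(indicator)
    for legit in LEGIT_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return ("legitimate", host, legit, 0)
    # Naive registrable domain: last two labels (no public-suffix handling).
    base = ".".join(host.split(".")[-2:])
    legit, dist = min(((d, edit_distance(base, d)) for d in LEGIT_DOMAINS),
                      key=lambda t: t[1])
    return ("lookalike" if dist <= max_distance else "unrelated", host, legit, dist)


if __name__ == "__main__":
    print(classify(SAMPLE))
```

Edit distance only catches character swaps, insertions and deletions; lookalikes built from extra words or from homoglyph (IDN) characters need separate checks.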

Scans & Screenshots:


Embeds:


urlscan:


Virus Total:


If you want to learn how to protect yourself, you can read this post on the Malwarebytes blog: https://blog.malwarebytes.com/scams/2021/10/discord-scammers-lure-victims-with-promise-of-free-nitro-subscriptions/