The Discord DM Scam

This scam is certainly not specific to Guild of Guardians, but rather very common once you start joining various Crypto related discord servers.  It was especially bad right around when the GoG token was scheduled to to go on sale.

The scam starts with a direct message on Discord, which is why you'll see a lot of discord community admins post "WON'T DM YOU".


If you ever get a direct message that seems to be from GoG pause for a minute and ask the following questions:

  • Was I expecting this message?
  • Is there a sense of urgency along with the message?
  • If there is a link involved, is it in the "Official Links" channel on the GoG Discord?
This scam is usually attempting to prey on a victim's fear of missing out, like you might miss your chance to purchase GoG tokens before everyone else.

The Guild of Guardians team will never DM you for a promotion and will never DM you with a link, so you will not miss out on anything by ignoring DM's that appear to be from GoG.

Let's take a closer look at an actual scam that some of you might have seen:


This one was a bit tricky as the community was expecting the token sale to happen soon, but legitimate promotions will appear in the official announcements channel on the Discord server, not in a DM.

There is definitely a sense of urgency, as the "TOKEN SALE IS LIVE NOW!", this preys on the fear of missing out.

The biggest red flag of all though?  The website is hosted at hxxps://guildofguardians[.]tech instead of the site in the official links: https://guildofguardians.com.  Notice that if I ever post a potentially malicious link on this site it will be defanged with https changed to hxxps and [] around the dot do you don't accidentally click on it.

Want to know more about these actors behind this scam?  You could check to see who registered the domain using a site like DomainTools.  Here is what it has to say about guildofguardians[.]tech:

https://whois.domaintools.com/guildofguardians.tech

The domain was registered on 28th of October 2021, right around the time the scam started.  A new domain registration that claims to be associated with a company that has existed for years often indicates impersonation.

There is more we can learn about these actors and what they were trying to do if a user actually followed the link.  However, the first step in avoiding a scam is never clicking on the link to begin with.  This week I'll take a closer look at the link and see what I can find out about the actors behind it and what other scams they might be running.

Until then, if you see a scam involving GoG and want to help warn your fellow Guardians, don't hesitate to ping me on Twitter @gogscamtracker or email to report@gogscamtracker.com

Update:
It looks like the guildofguardians[.]tech site failed to verify their email address and their site got taken down, so won't be able to dig up much more there.  However, I'm happy that no one else should fall victim to that particular site.





Comments

Post a Comment

Popular posts from this blog

Down MetaMask Impersonation Rabbit Hole

Image
It's Friday night.  I should be doing something else.  I have a VR headset literally two feet away from me collecting dust, and what I am I doing?  I'm scouring the internet for more sites that have implemented a specific MetaMask impersonation technique. I created a short video demonstrating the technique, and if you're curious you can check it out here: https://youtu.be/OJu9HlJ2wsc At first it was just a few Guild of Guardians sites that I found and managed to get taken down, but shortly after I decided to leverage dnstwist to find some additional look-a-like domains, and after adding the tld swap option I uncovered even more. I noticed a pattern though, two IP addresses kept coming up in connection with this particular MetaMask impersonation: 5.61.58.93 and  45.136.50.34 If you want to know what all is hosted on a particular server you can leverage tools like VirusTotal.  In some cases you'll come across IP addresses used by shared hosting providers, in other words y
Read more

NameSilo Abuse Reporting

Image
On Sunday I sent a message to NameSilo (abuse@namesilo.com) regarding the following token scam websites: guildofguardianes[.]com guildofguardians[.]net guildofguardian[.]net guildofguardians[.]cc It's hard to predict the response for any given domain registrar.  Some are really responsive, but in my experience if you want to get something done quickly you need some kind of pre-existing relationship with the registrar in question.  This is where companies like Phishlabs (https://www.phishlabs.com/) shine with their brand protection services as they automate the process of requesting takedowns for their clients and invest in maintaining strong relationships with registrars. As an independent researcher, my success with getting sites taken down varies. In this case I received an automated response directing me to their "Report Phishing Form" hosted at https://new.namesilo.com/phishing_report. I can only imagine the volume of phishing reports this registrar gets, and there
Read more

More Sites Taken Down

 Last week I received responses from NameSilo confirming they took action on the following domains: zerions[.]info zerions[.]com guildofguardians[.]org guildsofguardians[.]me guildofguardians[.]top I'm very impressed with NameSilo's response time, they've been very cooperative.  If anyone from NameSilo happens to read this article, thank you so much! I still have several domains to work my way through hosted on the same servers.  It's easy to drown in the amount of scams around crypto, so I try to focus on Guild of Guardians related scams, but it's difficult to leave the others hanging.  I'm hoping to get through reporting the rest of the domains soon. A bit of a short update, but it's been a bit of a crazy week last week.  Will write up a more comprehensive update this week. Stay safe out there, and if you see anything suspicious you can always reach me @gogscamtracker on Twitter or email report@gogscamtracker.com.
Read more