https://triasels.itch.io/selatria-beta
The page is currently password protected but the messages I got line up pretty well with how this scam normally looks.
How do you know you been scammed?
If you believe you were, changing passwords is a good start. But maybe not do that on a system you think is compromised.
Booting up with a secure boot disk or usb stick and scanning for hidden surprises and otherwise scanning your system thoroughly might help too.
I tried three different scanners, and the file you claimed is a scam, was not recognised as such. Of course I will not execute it to check if it silently steals my passwords anyways. If it really is a scam, this is worrssome.
If you see a pirated game on itch, chances are about 99% that it is also malware. And if the account is older, then chances are very high, that the account was recently hacked.
But I also seen complete fake games here, with random or ai made screenshots.
Also the criminals try every variation. Even faking comments and ratings. I kid you not.
The detectors used by itch will not catch all. They are soso. And also there is the user angle, like prompting the user to do something or simply downloading the malware from somewhere else and disguise it as an update function. Or simply point to an external hoster in the first place.
The only protection if we wanna call it that, is the fact that the criminals face the same problem all the real developers face. Attracting people to their games. Unfortunately that also means, that there are some time bombs in the itch archives. If the fake game was not attractive enough, maybe no one reported it. I seen stuff that was older than 6 months.
The interesting part is, that the original was hosted on itch too. And he did not say, that he got the link on discord. He said he was browsing on itch.
It is not merely a try my game problem. It is a malware is visibly hosted on itch problem - and too few people notice and report the scams, meaning, that there are "old" games hosted on itch that are malware.
There should be a warning message for all downloads here. I am serious. People should be made aware that itch does not in any way has even the slightest guarantee that the person uploading the game is the real developer and that the game is not malware or pirated or both. This psa is all good and well, but how many unique users did read this?
Oh, itch does remove things, and I guess many things are not even indexed to begin with, but there are things released without indexing as in the "classic" try my game scam and with all those scams, some of them do get indexed, suggesting a false security as new users do think that games are scrutinized by staff and are thoroughly scanned - and what else should they think?! Itch is not some shady message board. But unfortunately, whatever security measures there are, they get penetrated on a daily basis and it takes user's reports to take down malware after the fact.
The problem with indie games is, that many popular game engines and homebrew solutions tend to provoke warnings, plus games from amateurs are more easily forgiven to be buggy. So when something funny is happening, the first thing people think is not: oh, crap, that's malware. It is, oh well, amateur developer, can't be helped, I just try again. It is just that that youtuber described it. He noticed the scam only, after he got warning that his accounts were compromised. Despite having system warning messages and strange behaviour. Imagine how long it would have taken to realize it, if the scam would have included an actual game bundled with malware...
They could at least give some "trusted" users the ability to quarantine games, to shorten the exposure from the start of a report to the time staff reads the report.
And they do not even have to tell those users nor trust them. If you make a report while being logged in, they know who made the report. They could easily have a running average statistic about the quality of those reports. There is subcategories for reports and a malware category was introduced, so even that can be sorted accordingly.
So even if that user has a crappy ratio of 1 false report in 5, I would rather have 4 malwares being quarantined immediatly and 1 legit game queued for staff inspection than all 5 being visible, despite a user noticing that there is suspicous activity.
Oh, and there are legit games in quarantine all the time. What is more important? Protecting the users that think itch is a respectable site that hosts no malware or protecting the few games that get reported in error from being quarantined for a few days, till the misunderstanding clears. It might be a bad experiecne for a new developer to be quarantined, but I believe the experience of being hacked is far worse.
The issues is as follows: too few users checking out games to begin with. The scammers face the same problem as all the indie devs. Getting people to download the project. So if real developers barely get some downloads let alone ratings or comments, the time bombs uploaded by the criminals have it equally hard. So reports on malware should be treated with that in mind. I saw a year old project where people openly talked about the scam being a scam, but none of those people apparantly found the report button at the bottom or bothered to report.
Where does it say new? The thread? People sometimes post here, so it gets bumped. Like you just did.
And the scammers did not stop spamming their scams. The thread might also be called: psa, there is malware hosted on itch that was not yet detected or reported.
The discord approach is not the only method they try to get you to download their malware. I assume all those people complaining about their games not being indexed are side effects of Itch fighting the scammers. Because, why look fishy and only advertise your scam on discord, if you can just plant other scams out in the open. Some of those go undetected for months, as this type of scam has to fight obscurity just like the legit games.
So beware and have a closer look before you run executeables on your computer from an unverified developer. The account might even have been hacked to spread malware - just like the accounts of your discord friends that suggests this hot new game to you or asks you to try their game.
All this is about trust. That is, why the discord scam is so dangerous, because they lull you personally and directly.
I see 11 games on your profile. 2 are not indexed. None are quarantined. So, what exactly are you talking about?
To anyone else who finds their game in quarantine:
This PSA might be years old, but malware is uploaded to Itch on a daily basis. Not all of those are advertised as a discord scam. And this means, that Itch has to do something against those fake projects. One thing they can do, is to check for suspicous activity and when in doubt to quarantine a project till a human can inspect it. It is a nuiscance when you are a developer, but it is an even bigger nuiscance to get your computer hacked from a downloaded game. Maybe also read here: https://itch.io/t/4120453/game-quarantined-search-or-indexing-problem-read-this
Well, I restrict 2 games about "Michael Myers", because they are in quarantine. And of course my mobile game "2014 Incident - Android Version" in quarantine. That's Why I'm exactly talking about. At least I checked this post and read it. And I don't know what will happen when they Check. Look, If I can bring back my Halloween games, Can you then remove from quarantine? I'll check them on virustotal
I do not think that complaining about the quarantine will make Itch staff work any faster. And Itch staff is whom you would have to talk to. Not to people commenting on a public message board. You do not know why your games are quarantined. Staff will sort it out, eventually. Give them a few weeks.
And for your information: there is malware that will not even get detected on virustotal. I have seen such. Published on hacked accounts. Why do I know it was malware? Because the account it was published on, was a hacked user account among other things. It problaby would have downloaded the actual malware later. And this (the hacked user accounts) is the reason why I welcome a sensitive quarantine system. I only see the hacked accounts with indexed malware that were not quarantined and those are plenty. So if their system catches some false positives, bad luck for those devs. They have to wait till it clears up. The alternative is even more hacked accounts with new malware distributed, if the automatic is not sensitive enough.
This thread is a public service announcement about a scam that was popular three years ago. It might still be popular. Typically they are/were restricted games and a direct link with password protetected file would be advertised on discord. To try the game. For testing or whatever. But this is not the only method by which malware is distributed on Itch.
To quote from the initial post:
itch.io is a self publishing platform open to all, which means anyone can publish a page on our platform at any time.[1] Although we have many automated checks to block or suspend users if suspicious activity is detected
The bold text is what probably hit your games and put them into quarantine, till staff will sort it out.
You previously were uploading games by other people so your account is on “high risk”.
UPDATE: Got DM in reddit this time, with the link’s matching the Discord scammer’s username. Mods please have a look and ban this guy! His reddit - https://www.reddit.com/user/Megalordow/
Attaching screenshot of conversation below -
If you're unsure, play this browser port: https://cvlol.itch.io/crazycattle3d
Games in your browser can't steal your discord token like .exe files on your computer can.
Also ignore anything related to crazycattle3d cryptocurrency, it has nothing to do with the developer.
