(+2)

This is not a new thing.

https://itch.io/t/1659440/psa-beware-the-try-my-game-scam

https://itch.io/t/3512426/itch-is-not-a-safe-place-do-not-download-things

No, you cannot trust a game because it is hosted on Itch or has an Itch project or is uploaded on an account that is old. Or because the project is older. 

It is trivial for bad actors to circumvent Itch scanners by doing trial and error. It is trivial to create a new account. And I did see literally hundreds of hacked accounts used for uploading malware. Oldest malware I found was over two years old.

Their profiles are not hidden. You speak about the missing link to their profile, I guess. There is none, because it is empty and has no comments. That's not unusual for regular profiles. The malware uploaders constantly change their patterns, so it is moot to talk about specifics. They just try around till they get indexed. And I guess there are a lot of bad projects caught early that we do not even see, but we do see some of the collateral by all those developers complaining about being put in quarantine.

My general advice is to establish trust by different means. Which mostly translates to not downloading new & shiny things. And treating any downloads as unsafe. So using sandboxing methods is recommended. Coincidentally, the Itch app provides a user level sandbox. This should prevent browser data theft, like login cookies.

I have seen malware that did not trigger on VirusTotal, malware that was signed and, to shame Itch's scanners, malware that was immediately caught by Windows Defender. Malware on an account with about a hundred followers and so on.

Also blog postings that link to malware on accounts which have 50+ followers. And of course the recent trend of spamming comment sections with links to malware.

(+2)

Now that I think about it ... all other games I got from here could be played in browser and/or have an active communication via DM or comments ... some provide their projects on other websites too ...

Guess we have to stay alert and better avoid shiny new offers ... especially when there are no comments or an empty profile ...

And with such a flood of scams ... probably thanks to AI ... I don't wonder anymore why there is no answer to my reports ...

(+2)

Sadly you cannot use an empty or non-empty profile or comments as an indicator. The malware uploaders change these patterns and fake whatever they think will make them look less suspicious. Including comments made by their fake account and comments/ratings on their malware projects.

You forgot the other four games on that one account in your collection ;-)

Copy paste the username after the / to access the profile. That works for empty profiles that have not made comments, but posted games.

https://itch.io/profile/

You can do so with a bookmarklet on the account's page.

javascript: (() => {
window.location.href=`https://itch.io/profile/${window.location.hostname.split('.')[0]}`;
})();

I just mentioned what the corrupted games/pages had in common ... missing comments or empty profiles are no (un)safe indicators ... but they will make me extra cautious ...

I stumbled upon the games through my search filter ... they were new and I got intrigued ... I am not actively hunting scammers ...

I'll keep in mind to copy-paste the username if necessary ... but I don't understand much about scripting ... so the java thingy is more like "nah, better not touch" ...

(+1)

Oh, in a given time frame, the malware projects usually share some attributes. But a few weeks later they could look completely different in regard to the key aspects you learned to use as an indicator. Last time I had a look at recent games there was malware with comment sections...

You need not actively hunt scammers, but the ones you do stumble upon, please report them. Once you recognise the current patterns, they are rather easy to spot at a glance with high confidence. Obviously, the top 4 weeks of recent will have the highest density of malware. Itch will not seek out those scammer pages actively. It is evident that their automatic scans did not catch the ones you do see in the search pages. So they need those reports to act.

I also did not actively hunt for those, but I use a browser extension to mark known games/creators. So if I browse recent, I will only see games I have not yet marked. Increasing the density even further.