https://triasels.itch.io/selatria-beta
The page is currently password protected but the messages I got line up pretty well with how this scam normally looks.
https://triasels.itch.io/selatria-beta
The page is currently password protected but the messages I got line up pretty well with how this scam normally looks.
Hello, I just be scammed with a friend, there's two links:
https://zeroinvadersgame.itch.io/zeroinvaders
https://tuesdayquest.itch.io/a-planet-of-mine
How to do right now ? We remove the file, there's one process call WindowsBootManager a video game, we remove it too, what to do ? Change passwords on every website save in our website ? We already change password for discord, paypal etc.
I feel like my computer is a bit slower right now, but I'm not sure so what to do please ?
How do you know you been scammed?
If you believe you were, changing passwords is a good start. But maybe not do that on a system you think is compromised.
Booting up with a secure boot disk or usb stick and scanning for hidden surprises and otherwise scanning your system thoroughly might help too.
I tried three different scanners, and the file you claimed is a scam, was not recognised as such. Of course I will not execute it to check if it silently steals my passwords anyways. If it really is a scam, this is worrssome.
666 by readyygames (itch.io) , he tried but i exposed it immediately
Discord scams are rather easy to notice - if you have heard of them before.
What is harder to spot is fake projects. They sometimes slip through and get unoticed or rather unreported. Sometimes for weeks, sometimes months. Ironically scams have to face the same hardship all the real devs have to face. Too few visitors. And as with ratings, like most people do not rate, most people also do not hit the report button at the bottom of the page.
So basically it is like a minefield. I have even seen scams where they impersonate publishers that are on itch. Or were. Hard to thell, if there is occasional deindexing R-82637 was such a case.
And it is rather erratic how long it takes to remove the fake projects. I understand that there should not be information given that the scammers could react to. And that there are different stages of removal.
If you see a pirated game on itch, chances are about 99% that it is also malware. And if the account is older, then chances are very high, that the account was recently hacked.
But I also seen complete fake games here, with random or ai made screenshots.
Also the criminals try every variation. Even faking comments and ratings. I kid you not.
The detectors used by itch will not catch all. They are soso. And also there is the user angle, like prompting the user to do something or simply downloading the malware from somewhere else and disguise it as an update function. Or simply point to an external hoster in the first place.
The only protection if we wanna call it that, is the fact that the criminals face the same problem all the real developers face. Attracting people to their games. Unfortunately that also means, that there are some time bombs in the itch archives. If the fake game was not attractive enough, maybe no one reported it. I seen stuff that was older than 6 months.
You take too long to act on reports. R-84586 for example. It is not weekend. That is 60 hours and counting.
And regarding weekends, you have to solve that problem too. You allow malware spreaders to do their thing unprotested, just because of what the calendar says.
Users that did notice that something is malware cannot even give warning to other users, because there are no public reviews attached to a project. And comments can be deleted by the developer.
As it is now, you should give a big warning message like that quarantine message for each download and doubly for each external link.
What is more important? Not delisting a game for manual review, because the report might be in error or even malicious, or allowing a potential malware to continue to spread being under the umbrella of appearing legit, because it is hosted on indexed on itch?
If you do not have such a system already, fastrack reports of "known" reporters, maybe even to auto-delist a reported game, if the report cannot be processed by staff within minutes.
And should you have a system of protecting accounts against reports, just because they are older, have 2fa, payment information or whatever, scratch that system. It is contra productive. The scammers use hacked accounts for a reason. And the hacked accounts prove beyond any doubt, that there is a huge problem.
The interesting part is, that the original was hosted on itch too. And he did not say, that he got the link on discord. He said he was browsing on itch.
It is not merely a try my game problem. It is a malware is visibly hosted on itch problem - and too few people notice and report the scams, meaning, that there are "old" games hosted on itch that are malware.
There should be a warning message for all downloads here. I am serious. People should be made aware that itch does not in any way has even the slightest guarantee that the person uploading the game is the real developer and that the game is not malware or pirated or both. This psa is all good and well, but how many unique users did read this?
Oh, itch does remove things, and I guess many things are not even indexed to begin with, but there are things released without indexing as in the "classic" try my game scam and with all those scams, some of them do get indexed, suggesting a false security as new users do think that games are scrutinized by staff and are thoroughly scanned - and what else should they think?! Itch is not some shady message board. But unfortunately, whatever security measures there are, they get penetrated on a daily basis and it takes user's reports to take down malware after the fact.
The problem with indie games is, that many popular game engines and homebrew solutions tend to provoke warnings, plus games from amateurs are more easily forgiven to be buggy. So when something funny is happening, the first thing people think is not: oh, crap, that's malware. It is, oh well, amateur developer, can't be helped, I just try again. It is just that that youtuber described it. He noticed the scam only, after he got warning that his accounts were compromised. Despite having system warning messages and strange behaviour. Imagine how long it would have taken to realize it, if the scam would have included an actual game bundled with malware...
Yeah, I absolutely agree that itch.io should have 1 concise warning when downloading for the first time implemented, the same way as the warning you get when opening an 18+ game page, and that should be enough, prioritized somewhere among the optional donation window.
Having extremely active trusted users who play games become moderators who have to check uploaded games in queue to approve it's safe to download could be cool, but probably unrealistic, the biggest flaw being that some games will never be published because of just how many there are uploaded every hour
They could at least give some "trusted" users the ability to quarantine games, to shorten the exposure from the start of a report to the time staff reads the report.
And they do not even have to tell those users nor trust them. If you make a report while being logged in, they know who made the report. They could easily have a running average statistic about the quality of those reports. There is subcategories for reports and a malware category was introduced, so even that can be sorted accordingly.
So even if that user has a crappy ratio of 1 false report in 5, I would rather have 4 malwares being quarantined immediatly and 1 legit game queued for staff inspection than all 5 being visible, despite a user noticing that there is suspicous activity.
Oh, and there are legit games in quarantine all the time. What is more important? Protecting the users that think itch is a respectable site that hosts no malware or protecting the few games that get reported in error from being quarantined for a few days, till the misunderstanding clears. It might be a bad experiecne for a new developer to be quarantined, but I believe the experience of being hacked is far worse.
The issues is as follows: too few users checking out games to begin with. The scammers face the same problem as all the indie devs. Getting people to download the project. So if real developers barely get some downloads let alone ratings or comments, the time bombs uploaded by the criminals have it equally hard. So reports on malware should be treated with that in mind. I saw a year old project where people openly talked about the scam being a scam, but none of those people apparantly found the report button at the bottom or bothered to report.