Skip to main content

Browse GamesGame JamsUpload GameDeveloper LogsCommunity
Indie game storeFree gamesFun gamesHorror games
Game developmentAssetsComics
SalesBundles
Jobs
TagsGame Engines
itch.io Community » General » General Discussion

PSA: Beware the "try my game" scam Sticky

A topic by leafo created Sep 22, 2021 Views: 127,699 Replies: 143
Viewing posts 1 to 120
leafoAdmin3 years ago (18 edits) (+42)

Malware is being distributed on Discord and other platforms by hackers who ask you to “try their game” by downloading an unsafe executable off the internet. This malware steals your Discord account, hacks your browser, steals payment information, and more. These hackers are using any file hosting sites they can, including itch.io, to attempt to distribute their viruses.

  • If you receive a DM from someone you don’t fully trust asking you to download or test their game, DO NOT DOWNLOAD
    • Even if it’s someone you DO know, if their behavior is strange then their account may have gotten hacked through this scam. Do not download any executables they try to send you
  • On itch.io, it is safe to view the page, but do not download any untrusted software
  • Games that run in your browser are sandboxed by your browser and pose no risk of infecting your computer
  • If you see a zip file that is “password protected” DO NOT DOWNLOAD. Scammers encrypt their zip files with passwords so file hosts can’t run malware scans on the contents. Report this page
  • On itch.io, you can report a page from the link located on the bottom of the page.

Here’s the most common example we’ve seen:

  • Unsuspecting user has the Discord app installed on their Windows computer
  • They receive a DM from someone they may or may not know (it may be someone that hasn’t spoken to you in a long time, or someone from a mutual server)
  • The hacker asks you to test a game they’re working on and provide an itch.io or other link to download the software
  • The software is a program that reads specific files on your computer to steal your Discord API token, your Browser’s cookies, any other sensitive data.
    • They may also delete these files after stealing them, so you effectively get “logged out” from everything after the malware rune
  • In the example of Discord: The stolen API token gives full access to your Discord account with no restriction on where or how it can be used
  • The scammer uses this token to:
    • Steal your account from you (change password, email)
    • Use stored payment information to spend thousands of dollars on Discord Nitro/Server boosts
    • They may message from your account to your friends list/servers with the same or similar message asking others to download the file

itch.io is a self publishing platform open to all, which means anyone can publish a page on our platform at any time.[1] Although we have many automated checks to block or suspend users if suspicious activity is detected (including human review in many cases), not all scans and systems are perfect. We’re releasing this notice along with a few other changes to our platform to educate and help prevent this kind of attack.

itch.io at its core is a public file hosting service. Treat any page you encounter with suspicion if you are unable to vet the creators in any way. If you are concerned about the security of your computer and don’t trust any malware scanners you have on your computer then we recommend you stick to HTML5 games, as they are sandboxed by default. We also provide a Sandboxed mode in our app, but it’s difficult to guarantee security for downloaded software. Your browser is likely the safest sandbox your computer already has.

Note: We will not reveal the specifics of how we handle malware uploads or other illegal activity as it’s very likely the scammers are reading this very thread.

Thanks

[1] Publishing can represent a broad range of states on our platform, from being indexed on our search and browse pages to just having a URL that can be shared. In this case we are referring to just creating a URL you can visit directly by link. In no instances have these pages been promoted by us on any part of our site like the homepage or browse pages

More information about the scam

Reply
Tharuka013 years ago(+6)

Hello 

Same thing happened to me 2 days ago from this site . A person named snowwy DMed me that if I advertise his game he will pay me and he gave the link to test bugs . As soon as I opened it logged me out from the discord and my account hacked

the link is https://coolcoder1.itch.io/stick-fight

Please remove this file from this site

Thank you

Reply
Deleted post2 years ago
Deleted 75 days ago
Reply
SeeBeyond3 years ago(+5)

Hi, to anyone is coming across this, a group of individuals have come together hoping to reverse engineer and disable these scams as soon as new ones come up (they phone home using discord webhooks which can be disabled remotely). We are cataloging our findings on a public wiki. If you have come into contact with a compromised account or have been sent malware, please forward it to us so we can hopefully break it open and render that build inert.

You can learn more or help stop these here: ⭷ https://security.shulker.net/wiki/Main_Page

Shoutouts to: GlitchyPSI, PhleBuster, Vixus, Kibbles, and everyone else helping out!

Reply
leafoAdmin2 years ago

Just giving you a heads-up but it looks like your wiki is full of spammers.

Reply
redtil model2 years ago(+1)

because my game super slosyto game can not be downloaded the game has more than 3 months in review everything simply because I live in Venezuela and I have no discord please unblock the game please

Reply
JamieOaks8 days ago

That URL doesn't exist.

Reply
noor-fernandez3 years ago(+2)

Does this affect Linux (Ubuntu) computers?

Reply
leafoAdmin3 years ago(+3)

The malware we’ve seen is only for Windows computers, but many of the warnings I wrote about apply to all downloaded software.

Reply
Zerasu903 years ago (1 edit) (+1)

https://mandagame.itch.io/manda 

edit; thanks for deleting that one, these guys are horrible

Reply
admiralbatty3 years ago

https://helpercat.itch.io/helpercat is one of those, please remove it

Reply
Quessions3 years ago

https://helpercats.itch.io/helper-cat Please remove this file from this site

Reply
Nevada Vacho3 years ago

Thank you :DDD

Reply
mike_DFTx3 years ago(+1)

here's another one

https://mercydevs.itch.io/

Got sent to me on discord. The game is in JS and nothing detected it as a virus - I used BitDefender Total Security and VirusTotal (the site)

Reply
leafoAdmin3 years ago (1 edit) (+4)

Please report the game page as well, it helps our team quickly respond. If you reply to this thread here only I will get notified. Thanks

Reply
AzaGameStudio3 years ago(+1)

Hey Leafo, can you help me someone stole my game called Not All There and reuploaded it here https://okpti.itch.io/not-all-there

Reply
Antutu3 years ago(+1)

What about if I didn't receive the link through Discord, like this HelperCat game that some people are reporting appeared in my feed as any other. So how can we check this? Running an antivirus doesn't help in all cases

Reply
MaitrePhoenix3 years ago(+5)

Hello, I have created a game and I use discord a lot, I would like to know if there is a way to make a kind of verification so that there is no more this image when I transmit my game via discord.

 

Reply
FeverDev2 years ago(+1)

I would really like to know this too, I'll do whatever they ask.

Reply
Leteen2 years ago

Yeah, no solution?

Reply
MaitrePhoenix2 years ago

In the end it disappeared by itself after a while

Reply
Vordhosbn plays3 years ago

Really...Why there are so many "games"...that they are virus...?

Reply
dorkdandi3 years ago(+1)

Hey, I also created a game - it's not even downloadable since you can only play it in the browser. Is there any way to remove this warning? I want to show my friends, but now they're all too sketched out by the website warning to even touch it. Really disappointing. 

Reply
FeverDev2 years ago

Me too it's really frustrating

Reply
Pixley Games2 years ago

Yes it is /:

Reply
Cute-The-Sylveon3 years ago (1 edit)

I found another scammer one just today https://evadevs.itch.io/cyberika

Reply
GoMango993 years ago(+5)

This is such a shame, now people won’t have trust for actual developers  :(

Reply
BillGamelover150 days ago

但我们别无他法,无法与他们抗争。

Reply
y33 years ago

I got scammed another way via a hacked friends account and a suspicious website but I got refunded

Reply
seethingword2 years ago

https://trabusvr.itch.io/trabus

Reply
TechSecIsHere2 years ago

https://zinetragames.itch.io/tribus-gamebynetra Yea, this one got my boy. My innocent boy.

Reply
insularis1282 years ago

just letting people there is another one being sent around, https://hexagondeveloper.itch.io/  at least i think it might be, thought i should let you guys know

Reply
NEDEN2 years ago

Hello, i am starting to go into gamedev and would like to ask if there is any way to make downloads more safe. Like i don't know how it works, since i yet need to publish a game, but which download site would be better to guarantee the safety of the user? Like google drive, or other form of download? Because i wouldn't like to scare people away just because i am new and don't have a lot of content.

Reply
firecat2 years ago(+2)

itch.io is safe but scammers are using the name to scare people

Reply
beenibroh2 years ago

i think the best you can do if they still think you're trying to hack them is show the people footage of you running the game you sent them in dm's

you could also ask close friends to look at the game, chances are they'll know its you just by reading your speech patterns.

Reply
Deleted account2 years ago
Deleted post
Reply
leafoAdmin2 years ago (2 edits) (+1)

Assuming there are no issues with your account’s standing and the page in question, the warning should clear up within a few days. If you are still having an issue you can contact support.

Sadly we can’t share details about how the warning works because scammers literally joined our discord making believe to the legitimate developers seeking information about how it works trying to reverse engineer the system to continue distributing scams.

For others reading, only a small set of users are impacted by this warning message.

Thanks!

Reply
velimirbg2 years ago

Friend of mine got her account stolen 2 days ago because of the discord scam, but the ''game'' also tried to steal her Roblox account for some reason.

Reply
TheGoblinsWithin2 years ago

https://terabyt-development.itch.io/super-cave-boy
not sure if this is a virus or not but better safe than sorry

Reply
roachymart2 years ago(+3)

it is, I got nailed by this today... Last time I'm ever being helpful to someone I don't know IRL

Reply
LIL Cucumber1012 years ago

https://arsenaldevlopr.itch.io/ is another malware link

Reply
ixxx2 years ago

It is not enough to shut down the Itch pages, they just change the download link on the Discord servers they recruit to. Please coordinate with Discord to get the Discord servers doing this shut down as well. Discord hasn't shut down the server I reported days later while Itch shut down the fake Itch page. Who can I speak to at Itch about this?

Reply
leafoAdmin2 years ago(+3)

We’ve communicated with people ask Discord about the issue and shared as much information as possible. We have made substantial changes to our process around reviewing pages and are actively responding to those who still try to set up scam pages. It’s not clear what changes, if any, Discord has made around the issue.

Reply
LinXueLian2 years ago (1 edit)

Thank you for the hard work, leafo and all the staff at Itch! I know this announcement was posted weeks ago, but a good number of us weren't aware of it (I don't have Discord installed and I don't pay for Nitro). 😰

I'll do my best to try to send this to all the other devs at the other server. Thank you for sharing and I hope this blows over soon!

Reply
bitbybitstudios2 years ago(+1)

Malware here: https://asurad.itch.io/cold-crystals

Reply
DazzlingSparklecat2 years ago(+1)

https://itch.io/profile/akitarsal
Got one right here for you.

Reply
beenibroh2 years ago

i think what makes this whole situation worse is discord won't do anything about it

as far as i know i know they are upgrading scam link detection but i still think its very wrong of them not to take action.

which if they are helping victims who have been previously hacked, they SHOULD say something about it so people know "hey we're aware of the hackers, we're taking care of it." but they choose not to.

Reply
CHRONOMATOPOEIA2 years ago

https://test-development.itch.io/move-worlds

This user was DMing our server users to test

https://test-development.itch.io/doki-literature-club

We banned them.

Reply
leafoAdmin2 years ago

Thanks, do you happen to have the discord username/id? You can send it to https://itch.io/support in private, reply to me with the ticket ID if you sent it in

Reply
CleanWater2 years ago

I'm glad that I didn't run on this Discord issue (or at least, I believe so) . But I got hacked past year too, someone managed to invade both my Instagram and Facebook accounts. I know they had stolen my (old) password. I'm a bit worried about if they managed to stole other passwords of mine and have invaded other accounts than these I mentioned.

Reply
TeemoCell2 years ago

https://pastaaghi.itch.io/pastaghi

Reply
Sondre Drakensson2 years ago

This is why I prefer browser games, since I have a phobia of computer viruses and hackers.
I think it's sad that Itchio seemingly don't have a check or moderation process like Steam has for publishes

Reply
TeemoCell2 years ago

Exactly, there isn't any check for the games. You can upload what ever you want.

Reply
Arka182 years ago

Please remove this. Another scammer

https://clasus.itch.io/kingsgold

Reply
Cobbles2 years ago(+1)

On this site I got hacked and they stole my discord, not only that but they stole this itch.io account as well and published the virus from this account. I changed the password back but I'm worried that they might have taken some other information that I'm unaware of. I reset the password for this account and hid the 'game' they uploaded as well as made a support ticket for my discord. Are there any other steps I should take? I reset my PC completely so I don't think they can get anything else. But if there's anything else I need to take care of I would like to know.

Reply
firecat2 years ago(+1)

Did you put your address in here? They may have that but if you put it on credit card information on Paypal/stripe than they didn't.

Reply
Cobbles2 years ago

Fortunately I haven’t put any personal information in my itch.io account and it’s connected to a spare email so I don’t think they have got anything valuable, they did post a game which I removed. Thanks for the telling me, I was worried about it but it seems like this and discord were the only things they took.

Reply
dpas99932 years ago

Here's another one https://3dgirls.itch.io . This as an imitation of a game by Killer7 that he's not releasing publicly. He posted on his site that it is a scam. I didn't know it it had been reported to itch or not.

Reply
dpas99932 years ago

Here's something I found. https://viselalune.itch.io/a-fathers-sins . The game was published by pixelblink. I suspect it is an attempt to load malware, since the file size is larger than the creator's.

Reply
DopeyDoes2 years ago

Hi. I recently got asked on one of my YouTube videos to try a game on here called Mandela Corruption, me being a newbie on this site I obliged, downloaded and recorded the game and was going to upload it to my channel but when I tried to look for the game, it has vanished.  Does anybody have any ideas about its authenticity, or was it a scam?  As soon as I finished playing the game I did delete it! 

Reply
Pythyu2 years ago

Someone DM me to test their game : https://pdv-team.itch.io/tanks-blood-mania. An hour later the same person told me that it wasn't him that send these messages and that his discord account was hacked and just recovered it. The images are stolen from another game too so prbly a Virus as well.

Reply
leafoAdmin2 years ago

The account has been disabled, thanks for your report.

Reply
MechaManW61 year ago(+1)

I found another potential try my game scam 

https://luckyducky3.itch.io/tank-bloodmania

Reply
Codix1 year ago

Hi ! Can you add me on Discord to share me the file itself ? I'm trying to see what's inside the code of this trojan to report the to the authority (I have been scammed thought this process too but with a new game called "GalacticValley"). My Discord account is ส็็็Codix#4833

Reply
Judhaa2 years ago

Hi there !

Same as above, someone from a shared small Discord DM'd me and asked me to test their game behind a password protected archive, the name and url is very similar to the one above (https://pet-team.itch.io/tanks-bloodmania) so I suspect it's the same guy(s). Had heard about this scam recently on Twitter so I did not fall for the trap but some might not be as self-aware

Reply
Codix1 year ago

Hi ! Can you share the password so that I can download it to see if it is the same author and also report it on virustotal ?

Reply
Judhaa1 year ago

The password was "TANKS" iirc

Reply
Codix1 year ago

I can't access the page, do you still had the file ? Can you share it to me ?

Reply
Judhaa1 year ago

I never downloaded the file, and I guess the page got shutdown ? Idk.

Reply
dailydoseofdk1 year ago

We just had someone trying this as well in our discord. I can't confirm but I googled him and found this twitter which leads to an itch.io, the minute you don't agree he starts berating you.
Discord: IseGuy#3384 (Confirmed legit discord user, not new/throwaway account)
https://twitter.com/zuhayrimohamed
https://itch.io/profile/vazsun
The account may be compromised or the account may just be a copy.

Reply
Deleted account1 year ago
Deleted post
Reply
keybladelemur1 year ago

https://riststeams.itch.io/tanks-bloodmoon i think this might also be one of those fake games. a friend sent this to me, the page and the rar asked for passwords. only used the password for the page but not the rar so i think i should be okay.

Reply
gshq881 year ago

https://strixteam.itch.io/tanks-bloodmoon can confirm, i got this from someone as well, i immediately noticed the red flags and thankfully didnt click on the link

Reply
gshq881 year ago

https://strixteam.itch.io/tanks-bloodmoon remove this as well, directs to the same "game" as above

Reply
Luvitus1 year ago(+1)

Got this one this morning, same deal https://incalexteam.itch.io/tanks-bloodmoon

Reply
VR Vegeta1 year ago

Not often that I post here, but figured that since it's an ongoing theme, i'd help the cause. Current link is https://quinteam.itch.io/tanks-bloodmania, and the password is TANKS123. Seeing how the friend that sent it hasn't messaged me for 5 years....was kind of obvious it was fake XD But I will admit, after chatting with the scammer, they've improved, actually kept up a decent conversation with them

Reply
redonihunter1 year ago

So does this get read or how does this work?  Because everything below that post 164 days ago is still online. Or so it seams.

It leads to password protected sites. And the thing is, you cannot report those pages, without the password. So if the actual scammed people did not click on report, there are no reports. And I believe scammed people have other things to do, shortly after being hacked than to think about going back there. Maybe they even forgot the password to access  the site. Especially if they copied it from discord and now have lost access to that.

Also, the people that got suspicious before, will not even go there and click report. They might not even know itch, unless they got the discord invite from here.

Reply
Akoopla1 year ago

https://insalexteam.itch.io/tankie happened to me as well, ran the exe which stole my discord account and compromised two emails.

Reply
FearCode1 year ago

https://itch.io/profile/ahmettaha

This one is desperately spamming every game community to get people to download a very suspicious game, I think he stole this (paid) game:

https://store.steampowered.com/app/813700/Sakura_Sadist/

Not even sure if the download link will lead to the actual game or something worse...

Reply
ENRICO6661 year ago

I JUST WANNA PLAY PT ONILE

Reply
Ansel games1 year ago

will this not prevent game promotion? 

Reply
Ansel games1 year ago(+1)

Then how do we promote our games. This will prevent download 

Reply
redonihunter1 year ago

good Question. But do you think spamming random people on discord is a good way of promoting your game? would you try games or would you feel spammed by such requests?

Reply
Ansel games1 year ago

that's true, thanks

Reply
redonihunter1 year ago

https://insalexteam.itch.io/tankie

https://incalexteam.itch.io/tanks-bloodmoon

https://quinteam.itch.io/tanks-bloodmania

https://dxv-team.itch.io/tanks-bloodmoon

https://strixteam.itch.io/tanks-bloodmoon

https://riststeams.itch.io/tanks-bloodmoon

https://pet-team.itch.io/tanks-bloodmania

All of these links above are still operational and lead to a site that says password protected and those cannot be reported. 

Reply
leafoAdmin1 year ago (3 edits) (+1)

If you have the password you can report the page by entering the password and using the report link on the page. Keep in mind that in the case where we suspend pages, it may still show the password prompt but the page itself is not accessible at all, entering any password will fail.

Reply
redonihunter1 year ago(+1)
in the case where we suspend pages, it may still show the password prompt but the page itself is not accessible at all

aaah. that would explain it.

If I were to implement it and delete/suspend a scammers page, I would host a "you fell for a scam, be more careful next time" page for a few weeks to educate the potential victims. If they just see nothing or nothing after entering password,    they might even naivly ask the scammer for a new link.

Reply
Jimmy1 year ago

I feel like this game is also causing people getting hacked, cause someone tried hacking me with it.

https://tbmteam.itch.io/tankbm

Reply
Status1 year ago

What is the password to the archive?

I can take a look at it in a VM

Reply
Jimmy1 year ago

haven't gotten into the archive, but the password into the file was "TBm123"

Reply
Status1 year ago

it is down already but I suspect it would have been either the redline stealer or the lumma stealer

Reply
Jimmy1 year ago

ahhh, okay. thank you so much!

Reply
Deleted post1 year ago
Deleted 205 days ago
Reply
Rj_Game_Creator1 year ago

when i scam is trying to get me i will report it to the moderators because thats what i do

Reply
GlitchHunter001 year ago (6 edits)

https://itch.io/profile/xpsycho

appears to be an account stolen using the try my game scam, now being used to proliferate the scam.

ETA: Another account got caught by this same scammer and is now being used as well:

https://itch.io/profile/tonythepoisse

These have been spamming an NSFW version of the scam on SFW game pages.

Edit 2: Thanks.

Reply
Kazusan851 year ago

https://frostprojects.itch.io/tempo-quest  This one hit a friend recently

Reply
ManicGreen1 year ago(+1)

https://tempooteam.itch.io
https://tempooteam.itch.io/tanks-bloodmania
These ones trying to steal my discord be careful alwaqys the same tank game

Reply
GlitchHunter001 year ago (4 edits)

Next round of NSFW try my game scam on SFW pages:

https://itch.io/profile/werty-l (username changed, now: https://itch.io/profile/frost555lol)

https://itch.io/profile/lowfi123

Impersonating Sakura Sadist by Winged Cloud.

TIA for taking out these scammers. I know reports on comments go to page owners, and I'm not really comfortable going to the NSFW page to report it. Out of curiosity, do reports on game pages go to the page owner as well?

Reply
redonihunter1 year ago
do reports on game pages go to the page owner as well?

If you talk about the report button on game pages, that would be quite funny, if that report would go to the page owner you are complaining about.

Just click the report button if you stumble upon such scams. You can scroll down really fast or use an incognito browser, depending why you are uncomfortable visiting such pages.

They usually have two accounts. One new and one hacked.  One account hosts the game and the other spams. If the hoster gets banned, the spammer then hosts the game. I assume this is because it is difficult to report the spammer. As you have pointed out, the reports go to the game page owners. You cant report users directly to itch with report buttons. there is moderation in between. A reason why these scams often happen around weekend I presume.

Reply
GlitchHunter001 year ago

the report button on the game page is indeed what I meant, sorry if my wording wasn't clear.

Reply
joseangel.hashim1 year ago

Two more accounts doing the "Try my game" scam, one that appears to have been stolen by the scam and one by the scammers.

https://itch.io/profile/xpsycho

https://fignats.itch.io

Reply
KeahunuiTechnologies1 year ago

I have a game that just isn't practical to be a webgl.  What's the best way to show people that the download is trust worthy?  On steam there are different people who are well known for making sure all of the steam awards work.  Is there someone on itch that is reliable and tests games to make sure they're not malware who could give a review or something?

Reply
redonihunter1 year ago

Not having a password protected archive, not having exe that require admin rights, being careful about stuff like runtime compressing giving false positives, hosting on itch,  etc.

Scammers like to post on hacked accounts, so an established account is no guarantee for trust.

What you ask for is something like a human tested approval badge. With current itch system that is not possible. Reviews are not public in that sense.  In theory you could be on public game collections to that effect. But on a game page you can not check, if the game is on such a collection.

Scammers also got more clever by allowing comments, they just delete  the comments of people giving warning.   And posting comment with, this is legit good game, no viruses, I promise... yeah. That is what a scammer would say ;-)

There is a reason why publishing on steam costs money.

Reply
KeahunuiTechnologies1 year ago

Dang.  That sucks not having an approval badge or something.  Okay.  Thanks for the advice!

Reply
Badkill1 year ago

I found one of these scammers trying to pull this on me

https://deadtrigger-pc.itch.io/deadtrigger

the page isn't up yet but maybe you can find them

Reply
trainmore1 year ago

https://hatanopowell.itch.io/maritas-games
take this down please, thanks!!

Reply
Xypherus1 year ago

https://triasels.itch.io/selatria-beta

The page is currently password protected but the messages I got line up pretty well with how this scam normally looks.

Reply
leafoAdmin1 year ago

Thanks for the report. The account should be taken care of.

Reply
Iki12091 year ago

Hello, I just be scammed with a friend, there's two links: 

https://zeroinvadersgame.itch.io/zeroinvaders
https://tuesdayquest.itch.io/a-planet-of-mine

How to do right now ? We remove the file, there's one process call WindowsBootManager a video game, we remove it too, what to do ? Change passwords on every website save in our website ? We already change password for discord, paypal etc. 
I feel like my computer is a bit slower right now, but I'm not sure so what to do please ? 

Reply
redonihunter1 year ago

How do you know you been scammed?

If you believe you were, changing passwords is a good start. But maybe not do that on a system you think is compromised.

Booting up with a secure boot disk or usb stick and scanning for hidden surprises and otherwise scanning your system thoroughly might help too.

I tried three different scanners, and the file you claimed is a scam, was not recognised as such. Of course I will not execute it to check if it silently steals my passwords anyways. If it really is a scam, this is worrssome.

Reply
Ezekiel_Campbell1 year ago

There's has to be a better way to avoid this scam and another better way to actually get your game tested without all your stuff getting stolen and not having

to spend a lot money on game testers.

Reply
Suspended account1 year ago
Show post...

yes, it is

Reply
Ichit325 days ago

Yeah.. I got hit by this. Scary stuff :(

Reply
MadamZori315 days ago(+1)

Thanks for the warning. I'll be more careful. Although the Internet is a dangerous place - everyone knows this.

Reply
wuliaoyouxijun299 days ago

I'll just push this virus to my good friend

Reply
xAstroBoy285 days ago (1 edit)

666 by readyygames (itch.io) , he tried but i exposed it immediately

Reply
Laxus72818273 days ago

ok

Reply
tirosu263 days ago

returnswords by returnswords (itch.io) They're doing it by the book.

Reply
redonihunter257 days ago (4 edits) (+1)

Discord scams are rather easy to notice - if you have heard of them before.

What is harder to spot is fake projects. They sometimes slip through and get unoticed or rather unreported. Sometimes for weeks, sometimes months. Ironically scams have to face the same hardship all the real devs have to face. Too few visitors. And as with ratings, like most people do not rate, most people also do not hit the report button at the bottom of the page.

So basically it is like a minefield. I have even seen scams where they impersonate publishers that are on itch. Or were. Hard to thell, if there is occasional deindexing R-82637 was such a case.

And it is rather erratic how long it takes to remove the fake projects. I understand that there should not be information given that the scammers could react to. And that there are different stages of removal.

Reply
PriceyGithub241 days ago

yeah, there is a issue with people uploading pirated games

Reply
redonihunter241 days ago

If you see a pirated game on itch, chances are about 99% that it is also malware. And if the account is older, then chances are very high, that the account was recently hacked.

But I also seen complete fake games here, with random or ai made screenshots. 

Also the criminals try every variation. Even faking comments and ratings. I kid you not.

The detectors used by itch will not catch all. They are soso. And also there is the user angle, like prompting the user to do something or simply downloading the malware from somewhere else and disguise it as an update function. Or simply point to an external hoster in the first place.

The only protection if we wanna call it that, is the fact that the criminals face the same problem all the real developers face. Attracting people to their games. Unfortunately that also means, that there are some time bombs in the itch archives. If the fake game was not attractive enough, maybe no one reported it. I seen stuff that was older than 6 months.

Reply
redonihunter223 days ago

You take too long to act on reports. R-84586 for example. It is not weekend. That is 60 hours and counting.

And regarding weekends, you have to solve that problem too. You allow malware spreaders to do their thing unprotested, just because of what the calendar says.

Users that did notice that something is malware cannot even give warning to other users, because there are no public reviews attached to a project. And comments can be deleted by the developer.

As it is now, you should give a big warning message like that quarantine message for each download and doubly for each external link.

What is more important? Not delisting a game for manual review, because the report might be in error or even malicious, or allowing a potential malware to continue to spread being under the umbrella of appearing legit, because it is hosted on indexed on itch?

If you do not have such a system already, fastrack reports of "known" reporters, maybe even to auto-delist a reported game, if the report cannot be processed by staff within minutes.

And should you have a system of protecting accounts against reports, just because they are older, have 2fa, payment information or whatever, scratch that system. It is contra productive. The scammers use hacked accounts for a reason. And the hacked accounts prove beyond any doubt, that there is a huge problem.

Reply
redonihunter218 days ago

You need to fix this. This is not a one time occurence. It is a systematic problem, and the criminals are exploiting it. R-84776. Are the reports not believed? Is information missing? Are other things more important for staff to do than protecting the users of this site against scams?

Reply
Colonel Gerard216 days ago

What the hell is with the weird trend of user profile pictures being of small children on twitch and elsewhere just like the Original poster's profile picture back when the OP was made? 

Reply
redonihunter210 days ago
It is a systematic problem

R-87841 R-87648

The systematic problem continues. I do not know how your system works, but I do see that it is not effective.

R-85035 might also be because of the same systematic problem.

Reply
Mostafaatef1206 days ago

Yes

Reply
Deleted account201 days ago
Deleted post
Reply
redonihunter201 days ago

The interesting part is, that the original was hosted on itch too. And he did not say, that he got the link on discord. He said he was browsing on itch. 

It is not merely a try my game problem. It is a malware is visibly hosted on itch problem - and too few people notice and report the scams, meaning, that there are "old" games hosted on itch that are malware.

There should be a warning message for all downloads here. I am serious. People should be made aware that itch does not in any way has even the slightest guarantee that the person uploading the game is the real developer and that the game is not malware or pirated or both. This psa is all good and well, but how many unique users did read this?

Oh, itch does remove things, and I guess many things are not even indexed to begin with, but there are things released without indexing as in the "classic" try my game scam and with all those scams, some of them do get indexed, suggesting a false security as new users do think that games are scrutinized by staff and are thoroughly scanned - and what else should they think?! Itch is not some shady message board. But unfortunately, whatever security measures there are, they get penetrated on a daily basis and it takes user's reports to take down malware after the fact.

The problem with indie games is, that many popular game engines and homebrew solutions tend to provoke warnings, plus games from amateurs are more easily forgiven to be buggy. So when something funny is happening, the first thing people think is not: oh, crap, that's malware. It is, oh well, amateur developer, can't be helped, I just try again. It is just that that youtuber described it. He noticed the scam only, after he got warning that his accounts were compromised. Despite having system warning messages and strange behaviour. Imagine how long it would have taken to realize it, if the scam would have included an actual game bundled with malware...

Reply
Deleted account201 days ago
Deleted post
Reply
redonihunter201 days ago

They could at least give some "trusted" users the ability to quarantine games, to shorten the exposure from the start of a report to the time staff reads the report.

And they do not even have to tell those users nor trust them. If you make a report while being logged in, they know who made the report. They could easily have a running average statistic about the quality of those reports. There is subcategories for reports and a malware category was introduced, so even that can be sorted accordingly.

So even if that user has a crappy ratio of 1 false report in 5, I would rather have 4 malwares being quarantined immediatly and 1 legit game queued for staff inspection than all 5 being visible, despite a user noticing that there is suspicous activity.

Oh, and there are legit games in quarantine all the time. What is more important? Protecting the users that think itch is a respectable site that hosts no malware or protecting the few games that get reported in error from being quarantined for a few days, till the misunderstanding clears. It might be a bad experiecne for a new developer to be quarantined, but I believe the experience of being hacked is far worse.

The issues is as follows: too few users checking out games to begin with. The scammers face the same problem as all the indie devs. Getting people to download the project. So if real developers barely get some downloads let alone ratings or comments, the time bombs uploaded by the criminals have it equally hard. So reports on malware should be treated with that in mind. I saw a year old project where people openly talked about the scam being a scam, but none of those people apparantly found the report button at the bottom or bothered to report. 

Reply
esaza038@gmail.com184 days ago

Dominic 


Reply
BRYTRE132 days ago

HI

Reply
redonihunter130 days ago

R-94456

This looks like a specific discord credential stealer. One scanner calls it  Python/DiscordBot.FF another one PYC/Stealer.A.gen!Camelot

The concerning thing is, this is out in the open. Indexed for months now. Even some comments talking about how something is fishy with the description. Why did those commentors not report the fake game? It is of course a horror game, as Itch is a hotspot for people trying out indie horror games.

It also begs the question, why the scanners used by Itch does not catch those things. Oh, I can explain it logically, but emotionally it is outrageous. There is no regular manual review of uploaders or uploaded content and the automatic process might be good, but not good enough. (Oh, I guess they just upload 100 malware and if 5 get indexed they know what the scanners will not recognise. It would be trivial if you think about it. I have also seen malware that did not get recognises at all on that internet scanner that uses 70 different scanners).

Anyways please make the situation better. It is heart breaking to see all those hacked accounts every week, which proves, people do fall for the scams.

And for anyone recognising a scam, please do report it. Itch is abused by scammers all night and day and if no one reports the scams, they will not get removed. My oldest seen scam was two years in the open.

You should give priority to reports from sources that made valid reports in the past. Reports are rare, as seen in the example above. Other people saw that the fake game was suspicous, two even commented. But how many reports did you get on this?

Same as you should deprioritze reports from sources that made invalid reports in the past, to declutter the things staff has to do.

Oh, and there is a "new" method of scamming. It is unattached blog posts with a link to malware on the bottom. Those are harder to report, because there is no report button. Those blog posts are not even searchable. But they do get listed in regular search engines and look somewhat legit, since they are hosted on Itch.  Request 219519 has some of those, since it is hard to report them, as blog posts have no report button.

Reply
DCfrijoles130 days ago

Does this affect Android?

Reply
redonihunter129 days ago

To some degree. There is lots of shovelware and adware posted on Itch. Some of those might also be serious malware. 

Reply
Andonome95 days ago

Yes, this can affect any computer.

Reply
Hana113 days ago

Thank you! I was already paying attention, but I need more attention...

Reply
Andonome95 days ago

My print-and-play pdf has been flagged. I guess we just wait for mods to verify that it’s fine?

The downloadable game has a redirect link to get the latest version from Gitlab.

Reply
Abood3366 days ago

Can you follow me

Reply
leafoAdmin65 days ago(+1)

Please stop posting here off topic or you will be banned from posting.

Reply
sigmacat49 days ago(+1)

sigma game

Reply
Banana mario42 days ago

hello

Reply
ClickStudios41 days ago

thanks for the tip bro. but i left discord long time ago

Reply
SleepyHollow Games8 days ago

why does this say new when its 3 years old???

Reply
redonihunter8 days ago

Where does it say new? The thread? People sometimes post here, so it gets bumped. Like you just did.

And the scammers did not stop spamming their scams. The thread might also be called: psa, there is malware hosted on itch that was not yet detected or reported.

 The discord approach is not the only method they try to get you to download their malware. I assume all those people complaining about their games not being indexed are side effects of Itch fighting the scammers. Because, why look fishy and only advertise your scam on discord, if you can just plant other scams out in the open. Some of those go undetected for months, as this type of scam has to fight obscurity just like the legit games.

So beware and have a closer look before you run executeables on your computer from an unverified developer. The account might even have been hacked to spread malware - just like the accounts of your discord friends that suggests this hot new game to you or asks you to try their game.

All this is about trust. That is, why the discord scam is so dangerous, because they lull you personally and directly.

Reply
SleepyHollow Games7 days ago

thanks!

Reply
AboutFAQBlogContact us
Copyright © 2024 itch corp · Directory · Terms · Privacy · Cookies