Skip to main content

Indie game storeFree gamesFun gamesHorror games
Game developmentAssetsComics
SalesBundles
Jobs
TagsGame Engines

PSA: Beware the "try my game" scam Sticky

A topic by leafo created Sep 22, 2021 Views: 133,477 Replies: 150
Viewing posts 1 to 122
Admin (18 edits) (+44)

Malware is being distributed on Discord and other platforms by hackers who ask you to “try their game” by downloading an unsafe executable off the internet. This malware steals your Discord account, hacks your browser, steals payment information, and more. These hackers are using any file hosting sites they can, including itch.io, to attempt to distribute their viruses.

  • If you receive a DM from someone you don’t fully trust asking you to download or test their game, DO NOT DOWNLOAD
    • Even if it’s someone you DO know, if their behavior is strange then their account may have gotten hacked through this scam. Do not download any executables they try to send you
  • On itch.io, it is safe to view the page, but do not download any untrusted software
  • Games that run in your browser are sandboxed by your browser and pose no risk of infecting your computer
  • If you see a zip file that is “password protected” DO NOT DOWNLOAD. Scammers encrypt their zip files with passwords so file hosts can’t run malware scans on the contents. Report this page
  • On itch.io, you can report a page from the link located on the bottom of the page.

Here’s the most common example we’ve seen:

  • Unsuspecting user has the Discord app installed on their Windows computer
  • They receive a DM from someone they may or may not know (it may be someone that hasn’t spoken to you in a long time, or someone from a mutual server)
  • The hacker asks you to test a game they’re working on and provide an itch.io or other link to download the software
  • The software is a program that reads specific files on your computer to steal your Discord API token, your Browser’s cookies, any other sensitive data.
    • They may also delete these files after stealing them, so you effectively get “logged out” from everything after the malware rune
  • In the example of Discord: The stolen API token gives full access to your Discord account with no restriction on where or how it can be used
  • The scammer uses this token to:
    • Steal your account from you (change password, email)
    • Use stored payment information to spend thousands of dollars on Discord Nitro/Server boosts
    • They may message from your account to your friends list/servers with the same or similar message asking others to download the file

itch.io is a self publishing platform open to all, which means anyone can publish a page on our platform at any time.[1] Although we have many automated checks to block or suspend users if suspicious activity is detected (including human review in many cases), not all scans and systems are perfect. We’re releasing this notice along with a few other changes to our platform to educate and help prevent this kind of attack.

itch.io at its core is a public file hosting service. Treat any page you encounter with suspicion if you are unable to vet the creators in any way. If you are concerned about the security of your computer and don’t trust any malware scanners you have on your computer then we recommend you stick to HTML5 games, as they are sandboxed by default. We also provide a Sandboxed mode in our app, but it’s difficult to guarantee security for downloaded software. Your browser is likely the safest sandbox your computer already has.

Note: We will not reveal the specifics of how we handle malware uploads or other illegal activity as it’s very likely the scammers are reading this very thread.

Thanks

[1] Publishing can represent a broad range of states on our platform, from being indexed on our search and browse pages to just having a URL that can be shared. In this case we are referring to just creating a URL you can visit directly by link. In no instances have these pages been promoted by us on any part of our site like the homepage or browse pages

More information about the scam

(+6)

Hello 

Same thing happened to me 2 days ago from this site . A person named snowwy DMed me that if I advertise his game he will pay me and he gave the link to test bugs . As soon as I opened it logged me out from the discord and my account hacked

the link is https://coolcoder1.itch.io/stick-fight

Please remove this file from this site

Thank you

Deleted 96 days ago
(+5)

Hi, to anyone is coming across this, a group of individuals have come together hoping to reverse engineer and disable these scams as soon as new ones come up (they phone home using discord webhooks which can be disabled remotely). We are cataloging our findings on a public wiki. If you have come into contact with a compromised account or have been sent malware, please forward it to us so we can hopefully break it open and render that build inert.

You can learn more or help stop these here: ⭷ https://security.shulker.net/wiki/Main_Page

Shoutouts to: GlitchyPSI, PhleBuster, Vixus, Kibbles, and everyone else helping out!

Admin

Just giving you a heads-up but it looks like your wiki is full of spammers.

(+1)

because my game super slosyto game can not be downloaded the game has more than 3 months in review everything simply because I live in Venezuela and I have no discord please unblock the game please

That URL doesn't exist.

(+2)

Does this affect Linux (Ubuntu) computers?

Admin(+3)

The malware we’ve seen is only for Windows computers, but many of the warnings I wrote about apply to all downloaded software.

(1 edit) (+1)

https://mandagame.itch.io/manda 

edit; thanks for deleting that one, these guys are horrible

https://helpercat.itch.io/helpercat is one of those, please remove it

https://helpercats.itch.io/helper-cat Please remove this file from this site

Thank you :DDD

(+1)

here's another one

https://mercydevs.itch.io/

Got sent to me on discord. The game is in JS and nothing detected it as a virus - I used BitDefender Total Security and VirusTotal (the site)

Admin (1 edit) (+4)

Please report the game page as well, it helps our team quickly respond. If you reply to this thread here only I will get notified. Thanks

(+1)

Hey Leafo, can you help me someone stole my game called Not All There and reuploaded it here https://okpti.itch.io/not-all-there

(+1)

What about if I didn't receive the link through Discord, like this HelperCat game that some people are reporting appeared in my feed as any other. So how can we check this? Running an antivirus doesn't help in all cases

(+5)

Hello, I have created a game and I use discord a lot, I would like to know if there is a way to make a kind of verification so that there is no more this image when I transmit my game via discord.

 

(+1)

I would really like to know this too, I'll do whatever they ask.

Yeah, no solution?

In the end it disappeared by itself after a while

Really...Why there are so many "games"...that they are virus...?

(+1)

Hey, I also created a game - it's not even downloadable since you can only play it in the browser. Is there any way to remove this warning? I want to show my friends, but now they're all too sketched out by the website warning to even touch it. Really disappointing. 

Me too it's really frustrating

Yes it is /:

(1 edit)

I found another scammer one just today https://evadevs.itch.io/cyberika

(+5)

This is such a shame, now people won’t have trust for actual developers  :(

但我们别无他法,无法与他们抗争。

I got scammed another way via a hacked friends account and a suspicious website but I got refunded

https://trabusvr.itch.io/trabus

https://zinetragames.itch.io/tribus-gamebynetra Yea, this one got my boy. My innocent boy.

just letting people there is another one being sent around, https://hexagondeveloper.itch.io/  at least i think it might be, thought i should let you guys know

Hello, i am starting to go into gamedev and would like to ask if there is any way to make downloads more safe. Like i don't know how it works, since i yet need to publish a game, but which download site would be better to guarantee the safety of the user? Like google drive, or other form of download? Because i wouldn't like to scare people away just because i am new and don't have a lot of content.

(+2)

itch.io is safe but scammers are using the name to scare people

i think the best you can do if they still think you're trying to hack them is show the people footage of you running the game you sent them in dm's

you could also ask close friends to look at the game, chances are they'll know its you just by reading your speech patterns.

Deleted post
Admin (2 edits) (+1)

Assuming there are no issues with your account’s standing and the page in question, the warning should clear up within a few days. If you are still having an issue you can contact support.

Sadly we can’t share details about how the warning works because scammers literally joined our discord making believe to the legitimate developers seeking information about how it works trying to reverse engineer the system to continue distributing scams.

For others reading, only a small set of users are impacted by this warning message.

Thanks!

Friend of mine got her account stolen 2 days ago because of the discord scam, but the ''game'' also tried to steal her Roblox account for some reason.

https://terabyt-development.itch.io/super-cave-boy
not sure if this is a virus or not but better safe than sorry

(+3)

it is, I got nailed by this today... Last time I'm ever being helpful to someone I don't know IRL

https://arsenaldevlopr.itch.io/ is another malware link

It is not enough to shut down the Itch pages, they just change the download link on the Discord servers they recruit to. Please coordinate with Discord to get the Discord servers doing this shut down as well. Discord hasn't shut down the server I reported days later while Itch shut down the fake Itch page. Who can I speak to at Itch about this?

Admin(+3)

We’ve communicated with people ask Discord about the issue and shared as much information as possible. We have made substantial changes to our process around reviewing pages and are actively responding to those who still try to set up scam pages. It’s not clear what changes, if any, Discord has made around the issue.

(1 edit)

Thank you for the hard work, leafo and all the staff at Itch! I know this announcement was posted weeks ago, but a good number of us weren't aware of it (I don't have Discord installed and I don't pay for Nitro). 😰

I'll do my best to try to send this to all the other devs at the other server. Thank you for sharing and I hope this blows over soon!

(+1)

Malware here: https://asurad.itch.io/cold-crystals

(+1)

https://itch.io/profile/akitarsal
Got one right here for you.

i think what makes this whole situation worse is discord won't do anything about it

as far as i know i know they are upgrading scam link detection but i still think its very wrong of them not to take action.

which if they are helping victims who have been previously hacked, they SHOULD say something about it so people know "hey we're aware of the hackers, we're taking care of it." but they choose not to.

https://test-development.itch.io/move-worlds

This user was DMing our server users to test

https://test-development.itch.io/doki-literature-club

We banned them.

Admin

Thanks, do you happen to have the discord username/id? You can send it to https://itch.io/support in private, reply to me with the ticket ID if you sent it in

I'm glad that I didn't run on this Discord issue (or at least, I believe so) . But I got hacked past year too, someone managed to invade both my Instagram and Facebook accounts. I know they had stolen my (old) password. I'm a bit worried about if they managed to stole other passwords of mine and have invaded other accounts than these I mentioned.

https://pastaaghi.itch.io/pastaghi

This is why I prefer browser games, since I have a phobia of computer viruses and hackers.
I think it's sad that Itchio seemingly don't have a check or moderation process like Steam has for publishes

Exactly, there isn't any check for the games. You can upload what ever you want.

Please remove this. Another scammer

https://clasus.itch.io/kingsgold

(+1)

On this site I got hacked and they stole my discord, not only that but they stole this itch.io account as well and published the virus from this account. I changed the password back but I'm worried that they might have taken some other information that I'm unaware of. I reset the password for this account and hid the 'game' they uploaded as well as made a support ticket for my discord. Are there any other steps I should take? I reset my PC completely so I don't think they can get anything else. But if there's anything else I need to take care of I would like to know.

(+1)

Did you put your address in here? They may have that but if you put it on credit card information on Paypal/stripe than they didn't.

Fortunately I haven’t put any personal information in my itch.io account and it’s connected to a spare email so I don’t think they have got anything valuable, they did post a game which I removed. Thanks for the telling me, I was worried about it but it seems like this and discord were the only things they took.

Here's another one https://3dgirls.itch.io . This as an imitation of a game by Killer7 that he's not releasing publicly. He posted on his site that it is a scam. I didn't know it it had been reported to itch or not.

Here's something I found. https://viselalune.itch.io/a-fathers-sins . The game was published by pixelblink. I suspect it is an attempt to load malware, since the file size is larger than the creator's.

Hi. I recently got asked on one of my YouTube videos to try a game on here called Mandela Corruption, me being a newbie on this site I obliged, downloaded and recorded the game and was going to upload it to my channel but when I tried to look for the game, it has vanished.  Does anybody have any ideas about its authenticity, or was it a scam?  As soon as I finished playing the game I did delete it! 

Someone DM me to test their game : https://pdv-team.itch.io/tanks-blood-mania. An hour later the same person told me that it wasn't him that send these messages and that his discord account was hacked and just recovered it. The images are stolen from another game too so prbly a Virus as well.

Admin

The account has been disabled, thanks for your report.

(+1)

I found another potential try my game scam 

https://luckyducky3.itch.io/tank-bloodmania

Hi ! Can you add me on Discord to share me the file itself ? I'm trying to see what's inside the code of this trojan to report the to the authority (I have been scammed thought this process too but with a new game called "GalacticValley"). My Discord account is ส็็็Codix#4833

Hi there !

Same as above, someone from a shared small Discord DM'd me and asked me to test their game behind a password protected archive, the name and url is very similar to the one above (https://pet-team.itch.io/tanks-bloodmania) so I suspect it's the same guy(s). Had heard about this scam recently on Twitter so I did not fall for the trap but some might not be as self-aware

Hi ! Can you share the password so that I can download it to see if it is the same author and also report it on virustotal ?

The password was "TANKS" iirc

I can't access the page, do you still had the file ? Can you share it to me ?

I never downloaded the file, and I guess the page got shutdown ? Idk.

We just had someone trying this as well in our discord. I can't confirm but I googled him and found this twitter which leads to an itch.io, the minute you don't agree he starts berating you.
Discord: IseGuy#3384 (Confirmed legit discord user, not new/throwaway account)
https://twitter.com/zuhayrimohamed
https://itch.io/profile/vazsun
The account may be compromised or the account may just be a copy.

Deleted post

https://riststeams.itch.io/tanks-bloodmoon i think this might also be one of those fake games. a friend sent this to me, the page and the rar asked for passwords. only used the password for the page but not the rar so i think i should be okay.

https://strixteam.itch.io/tanks-bloodmoon can confirm, i got this from someone as well, i immediately noticed the red flags and thankfully didnt click on the link

https://strixteam.itch.io/tanks-bloodmoon remove this as well, directs to the same "game" as above

(+1)

Got this one this morning, same deal https://incalexteam.itch.io/tanks-bloodmoon

Not often that I post here, but figured that since it's an ongoing theme, i'd help the cause. Current link is https://quinteam.itch.io/tanks-bloodmania, and the password is TANKS123. Seeing how the friend that sent it hasn't messaged me for 5 years....was kind of obvious it was fake XD But I will admit, after chatting with the scammer, they've improved, actually kept up a decent conversation with them

So does this get read or how does this work?  Because everything below that post 164 days ago is still online. Or so it seams.

It leads to password protected sites. And the thing is, you cannot report those pages, without the password. So if the actual scammed people did not click on report, there are no reports. And I believe scammed people have other things to do, shortly after being hacked than to think about going back there. Maybe they even forgot the password to access  the site. Especially if they copied it from discord and now have lost access to that.

Also, the people that got suspicious before, will not even go there and click report. They might not even know itch, unless they got the discord invite from here.

https://insalexteam.itch.io/tankie happened to me as well, ran the exe which stole my discord account and compromised two emails.

https://itch.io/profile/ahmettaha

This one is desperately spamming every game community to get people to download a very suspicious game, I think he stole this (paid) game:

https://store.steampowered.com/app/813700/Sakura_Sadist/

Not even sure if the download link will lead to the actual game or something worse...

I JUST WANNA PLAY PT ONILE

will this not prevent game promotion? 

(+1)

Then how do we promote our games. This will prevent download 

good Question. But do you think spamming random people on discord is a good way of promoting your game? would you try games or would you feel spammed by such requests?

that's true, thanks

https://insalexteam.itch.io/tankie

https://incalexteam.itch.io/tanks-bloodmoon

https://quinteam.itch.io/tanks-bloodmania

https://dxv-team.itch.io/tanks-bloodmoon

https://strixteam.itch.io/tanks-bloodmoon

https://riststeams.itch.io/tanks-bloodmoon

https://pet-team.itch.io/tanks-bloodmania

All of these links above are still operational and lead to a site that says password protected and those cannot be reported. 

Admin (3 edits) (+1)

If you have the password you can report the page by entering the password and using the report link on the page. Keep in mind that in the case where we suspend pages, it may still show the password prompt but the page itself is not accessible at all, entering any password will fail.

(+1)
in the case where we suspend pages, it may still show the password prompt but the page itself is not accessible at all

aaah. that would explain it.

If I were to implement it and delete/suspend a scammers page, I would host a "you fell for a scam, be more careful next time" page for a few weeks to educate the potential victims. If they just see nothing or nothing after entering password,    they might even naivly ask the scammer for a new link.

I feel like this game is also causing people getting hacked, cause someone tried hacking me with it.

https://tbmteam.itch.io/tankbm

What is the password to the archive?

I can take a look at it in a VM

haven't gotten into the archive, but the password into the file was "TBm123"

it is down already but I suspect it would have been either the redline stealer or the lumma stealer

ahhh, okay. thank you so much!

Deleted 227 days ago

when i scam is trying to get me i will report it to the moderators because thats what i do

(6 edits)

https://itch.io/profile/xpsycho

appears to be an account stolen using the try my game scam, now being used to proliferate the scam.

ETA: Another account got caught by this same scammer and is now being used as well:

https://itch.io/profile/tonythepoisse

These have been spamming an NSFW version of the scam on SFW game pages.

Edit 2: Thanks.

https://frostprojects.itch.io/tempo-quest  This one hit a friend recently

(+1)

https://tempooteam.itch.io
https://tempooteam.itch.io/tanks-bloodmania
These ones trying to steal my discord be careful alwaqys the same tank game

(4 edits)

Next round of NSFW try my game scam on SFW pages:

https://itch.io/profile/werty-l (username changed, now: https://itch.io/profile/frost555lol)

https://itch.io/profile/lowfi123

Impersonating Sakura Sadist by Winged Cloud.

TIA for taking out these scammers. I know reports on comments go to page owners, and I'm not really comfortable going to the NSFW page to report it. Out of curiosity, do reports on game pages go to the page owner as well?

do reports on game pages go to the page owner as well?

If you talk about the report button on game pages, that would be quite funny, if that report would go to the page owner you are complaining about.

Just click the report button if you stumble upon such scams. You can scroll down really fast or use an incognito browser, depending why you are uncomfortable visiting such pages.

They usually have two accounts. One new and one hacked.  One account hosts the game and the other spams. If the hoster gets banned, the spammer then hosts the game. I assume this is because it is difficult to report the spammer. As you have pointed out, the reports go to the game page owners. You cant report users directly to itch with report buttons. there is moderation in between. A reason why these scams often happen around weekend I presume.

the report button on the game page is indeed what I meant, sorry if my wording wasn't clear.

Two more accounts doing the "Try my game" scam, one that appears to have been stolen by the scam and one by the scammers.

https://itch.io/profile/xpsycho

https://fignats.itch.io

I have a game that just isn't practical to be a webgl.  What's the best way to show people that the download is trust worthy?  On steam there are different people who are well known for making sure all of the steam awards work.  Is there someone on itch that is reliable and tests games to make sure they're not malware who could give a review or something?

Not having a password protected archive, not having exe that require admin rights, being careful about stuff like runtime compressing giving false positives, hosting on itch,  etc.

Scammers like to post on hacked accounts, so an established account is no guarantee for trust.

What you ask for is something like a human tested approval badge. With current itch system that is not possible. Reviews are not public in that sense.  In theory you could be on public game collections to that effect. But on a game page you can not check, if the game is on such a collection.

Scammers also got more clever by allowing comments, they just delete  the comments of people giving warning.   And posting comment with, this is legit good game, no viruses, I promise... yeah. That is what a scammer would say ;-)

There is a reason why publishing on steam costs money.

Dang.  That sucks not having an approval badge or something.  Okay.  Thanks for the advice!

I found one of these scammers trying to pull this on me

https://deadtrigger-pc.itch.io/deadtrigger

the page isn't up yet but maybe you can find them

https://hatanopowell.itch.io/maritas-games
take this down please, thanks!!

https://triasels.itch.io/selatria-beta

The page is currently password protected but the messages I got line up pretty well with how this scam normally looks.

Admin

Thanks for the report. The account should be taken care of.

Hello, I just be scammed with a friend, there's two links: 

https://zeroinvadersgame.itch.io/zeroinvaders
https://tuesdayquest.itch.io/a-planet-of-mine

H
ow to do right now ? We remove the file, there's one process call WindowsBootManager a video game, we remove it too, what to do ? Change passwords on every website save in our website ? We already change password for discord, paypal etc. 
I feel like my computer is a bit slower right now, but I'm not sure so what to do please ? 

How do you know you been scammed?

If you believe you were, changing passwords is a good start. But maybe not do that on a system you think is compromised.

Booting up with a secure boot disk or usb stick and scanning for hidden surprises and otherwise scanning your system thoroughly might help too.

I tried three different scanners, and the file you claimed is a scam, was not recognised as such. Of course I will not execute it to check if it silently steals my passwords anyways. If it really is a scam, this is worrssome.

There's has to be a better way to avoid this scam and another better way to actually get your game tested without all your stuff getting stolen and not having

to spend a lot money on game testers.

Show post...

yes, it is

Yeah.. I got hit by this. Scary stuff :(

(+1)

Thanks for the warning. I'll be more careful. Although the Internet is a dangerous place - everyone knows this.

I'll just push this virus to my good friend

(1 edit)

666 by readyygames (itch.io) , he tried but i exposed it immediately

ok

returnswords by returnswords (itch.io) They're doing it by the book.

(4 edits) (+1)

Discord scams are rather easy to notice - if you have heard of them before.

What is harder to spot is fake projects. They sometimes slip through and get unoticed or rather unreported. Sometimes for weeks, sometimes months. Ironically scams have to face the same hardship all the real devs have to face. Too few visitors. And as with ratings, like most people do not rate, most people also do not hit the report button at the bottom of the page.

So basically it is like a minefield. I have even seen scams where they impersonate publishers that are on itch. Or were. Hard to thell, if there is occasional deindexing R-82637 was such a case.

And it is rather erratic how long it takes to remove the fake projects. I understand that there should not be information given that the scammers could react to. And that there are different stages of removal.

yeah, there is a issue with people uploading pirated games

If you see a pirated game on itch, chances are about 99% that it is also malware. And if the account is older, then chances are very high, that the account was recently hacked.

But I also seen complete fake games here, with random or ai made screenshots. 

Also the criminals try every variation. Even faking comments and ratings. I kid you not.

The detectors used by itch will not catch all. They are soso. And also there is the user angle, like prompting the user to do something or simply downloading the malware from somewhere else and disguise it as an update function. Or simply point to an external hoster in the first place.

The only protection if we wanna call it that, is the fact that the criminals face the same problem all the real developers face. Attracting people to their games. Unfortunately that also means, that there are some time bombs in the itch archives. If the fake game was not attractive enough, maybe no one reported it. I seen stuff that was older than 6 months.

You take too long to act on reports. R-84586 for example. It is not weekend. That is 60 hours and counting.

And regarding weekends, you have to solve that problem too. You allow malware spreaders to do their thing unprotested, just because of what the calendar says.

Users that did notice that something is malware cannot even give warning to other users, because there are no public reviews attached to a project. And comments can be deleted by the developer.

As it is now, you should give a big warning message like that quarantine message for each download and doubly for each external link.

What is more important? Not delisting a game for manual review, because the report might be in error or even malicious, or allowing a potential malware to continue to spread being under the umbrella of appearing legit, because it is hosted on indexed on itch?

If you do not have such a system already, fastrack reports of "known" reporters, maybe even to auto-delist a reported game, if the report cannot be processed by staff within minutes.

And should you have a system of protecting accounts against reports, just because they are older, have 2fa, payment information or whatever, scratch that system. It is contra productive. The scammers use hacked accounts for a reason. And the hacked accounts prove beyond any doubt, that there is a huge problem.

You need to fix this. This is not a one time occurence. It is a systematic problem, and the criminals are exploiting it. R-84776. Are the reports not believed? Is information missing? Are other things more important for staff to do than protecting the users of this site against scams?

What the hell is with the weird trend of user profile pictures being of small children on twitch and elsewhere just like the Original poster's profile picture back when the OP was made? 

It is a systematic problem

R-87841 R-87648

The systematic problem continues. I do not know how your system works, but I do see that it is not effective.

R-85035 might also be because of the same systematic problem.

Yes

Deleted post

The interesting part is, that the original was hosted on itch too. And he did not say, that he got the link on discord. He said he was browsing on itch. 

It is not merely a try my game problem. It is a malware is visibly hosted on itch problem - and too few people notice and report the scams, meaning, that there are "old" games hosted on itch that are malware.

There should be a warning message for all downloads here. I am serious. People should be made aware that itch does not in any way has even the slightest guarantee that the person uploading the game is the real developer and that the game is not malware or pirated or both. This psa is all good and well, but how many unique users did read this?

Oh, itch does remove things, and I guess many things are not even indexed to begin with, but there are things released without indexing as in the "classic" try my game scam and with all those scams, some of them do get indexed, suggesting a false security as new users do think that games are scrutinized by staff and are thoroughly scanned - and what else should they think?! Itch is not some shady message board. But unfortunately, whatever security measures there are, they get penetrated on a daily basis and it takes user's reports to take down malware after the fact.

The problem with indie games is, that many popular game engines and homebrew solutions tend to provoke warnings, plus games from amateurs are more easily forgiven to be buggy. So when something funny is happening, the first thing people think is not: oh, crap, that's malware. It is, oh well, amateur developer, can't be helped, I just try again. It is just that that youtuber described it. He noticed the scam only, after he got warning that his accounts were compromised. Despite having system warning messages and strange behaviour. Imagine how long it would have taken to realize it, if the scam would have included an actual game bundled with malware...

Deleted post

They could at least give some "trusted" users the ability to quarantine games, to shorten the exposure from the start of a report to the time staff reads the report.

And they do not even have to tell those users nor trust them. If you make a report while being logged in, they know who made the report. They could easily have a running average statistic about the quality of those reports. There is subcategories for reports and a malware category was introduced, so even that can be sorted accordingly.

So even if that user has a crappy ratio of 1 false report in 5, I would rather have 4 malwares being quarantined immediatly and 1 legit game queued for staff inspection than all 5 being visible, despite a user noticing that there is suspicous activity.

Oh, and there are legit games in quarantine all the time. What is more important? Protecting the users that think itch is a respectable site that hosts no malware or protecting the few games that get reported in error from being quarantined for a few days, till the misunderstanding clears. It might be a bad experiecne for a new developer to be quarantined, but I believe the experience of being hacked is far worse.

The issues is as follows: too few users checking out games to begin with. The scammers face the same problem as all the indie devs. Getting people to download the project. So if real developers barely get some downloads let alone ratings or comments, the time bombs uploaded by the criminals have it equally hard. So reports on malware should be treated with that in mind. I saw a year old project where people openly talked about the scam being a scam, but none of those people apparantly found the report button at the bottom or bothered to report. 

Dominic 


HI

R-94456

This looks like a specific discord credential stealer. One scanner calls it  Python/DiscordBot.FF another one PYC/Stealer.A.gen!Camelot

The concerning thing is, this is out in the open. Indexed for months now. Even some comments talking about how something is fishy with the description. Why did those commentors not report the fake game? It is of course a horror game, as Itch is a hotspot for people trying out indie horror games.

It also begs the question, why the scanners used by Itch does not catch those things. Oh, I can explain it logically, but emotionally it is outrageous. There is no regular manual review of uploaders or uploaded content and the automatic process might be good, but not good enough. (Oh, I guess they just upload 100 malware and if 5 get indexed they know what the scanners will not recognise. It would be trivial if you think about it. I have also seen malware that did not get recognises at all on that internet scanner that uses 70 different scanners).

Anyways please make the situation better. It is heart breaking to see all those hacked accounts every week, which proves, people do fall for the scams.

And for anyone recognising a scam, please do report it. Itch is abused by scammers all night and day and if no one reports the scams, they will not get removed. My oldest seen scam was two years in the open.

You should give priority to reports from sources that made valid reports in the past. Reports are rare, as seen in the example above. Other people saw that the fake game was suspicous, two even commented. But how many reports did you get on this?

Same as you should deprioritze reports from sources that made invalid reports in the past, to declutter the things staff has to do.

Oh, and there is a "new" method of scamming. It is unattached blog posts with a link to malware on the bottom. Those are harder to report, because there is no report button. Those blog posts are not even searchable. But they do get listed in regular search engines and look somewhat legit, since they are hosted on Itch.  Request 219519 has some of those, since it is hard to report them, as blog posts have no report button.

Does this affect Android?

To some degree. There is lots of shovelware and adware posted on Itch. Some of those might also be serious malware. 

Yes, this can affect any computer.

Thank you! I was already paying attention, but I need more attention...

My print-and-play pdf has been flagged. I guess we just wait for mods to verify that it’s fine?

The downloadable game has a redirect link to get the latest version from Gitlab.

Can you follow me

Admin(+1)

Please stop posting here off topic or you will be banned from posting.

(+1)

sigma game

hello

thanks for the tip bro. but i left discord long time ago

why does this say new when its 3 years old???

Where does it say new? The thread? People sometimes post here, so it gets bumped. Like you just did.

And the scammers did not stop spamming their scams. The thread might also be called: psa, there is malware hosted on itch that was not yet detected or reported.

 The discord approach is not the only method they try to get you to download their malware. I assume all those people complaining about their games not being indexed are side effects of Itch fighting the scammers. Because, why look fishy and only advertise your scam on discord, if you can just plant other scams out in the open. Some of those go undetected for months, as this type of scam has to fight obscurity just like the legit games.

So beware and have a closer look before you run executeables on your computer from an unverified developer. The account might even have been hacked to spread malware - just like the accounts of your discord friends that suggests this hot new game to you or asks you to try their game.

All this is about trust. That is, why the discord scam is so dangerous, because they lull you personally and directly.

thanks!

hey my friend over here at https://cubestuffreal.itch.io/cag-cubes-and-guns
and myself
we are not a part of this scam we didnt know it even existed
me and my friend just advertise our games at discord
and make servers for those games
we are litterly not a part of this scam thingy

soooo unquarntie the page
i alr played my friend game and it is fine
checked f12 it doesnt fisch passwords or anything

How the fack did your System Moved my games to quarantine, Like they have a virus or not? Especially if I tried to upload a new game. I checked, They can't have a virus to just facking Hack Discord accounts or something

I see 11 games on your profile. 2 are not indexed. None are quarantined. So, what exactly are you talking about?

To anyone else who finds their game in quarantine:

This PSA might be years old, but malware is uploaded to Itch on a daily basis. Not all of those are advertised as a discord scam. And this means, that Itch has to do something against those fake projects. One thing they can do, is to check for suspicous activity and when in doubt to quarantine a project till a human can inspect it. It is a nuiscance when you are a developer, but it is an even bigger nuiscance to get your computer hacked from a downloaded game. Maybe also read here: https://itch.io/t/4120453/game-quarantined-search-or-indexing-problem-read-this 

(1 edit)

Well, I restrict 2 games about "Michael Myers", because they are in quarantine. And of course my mobile game "2014 Incident - Android Version" in quarantine. That's Why I'm exactly talking about. At least I checked this post and read it. And I don't know what will happen when they Check. Look, If I can bring back my Halloween games, Can you then remove from quarantine? I'll check them on virustotal

I do not think that complaining about the quarantine will make Itch staff work any faster. And Itch staff is whom you would have to talk to. Not to people commenting on a public message board. You do not know why your games are quarantined. Staff will sort it out, eventually. Give them a few weeks.

And for your information: there is malware that will not even get detected on virustotal. I have seen such. Published on hacked accounts. Why do I know it was malware? Because the account it was published on, was a hacked user account among other things. It problaby would have downloaded the actual malware later. And this (the hacked user accounts) is the reason why I welcome a sensitive quarantine system. I only see the hacked accounts with indexed malware that were not quarantined and those are plenty. So if their system catches some false positives, bad luck for those devs. They have to wait till it clears up. The alternative is even more hacked accounts with new malware distributed, if the automatic is not sensitive enough.

This thread is a public service announcement about a scam that was popular three years ago. It might still be popular. Typically they are/were restricted games and a direct link with password protetected file would be advertised on discord. To try the game. For testing or whatever. But this is not the only method by which malware is distributed on Itch.

To quote from the initial post: 

itch.io is a self publishing platform open to all, which means anyone can publish a page on our platform at any time.[1] Although we have many automated checks to block or suspend users if suspicious activity is detected

The bold text is what probably hit your games and put them into quarantine, till staff will sort it out.

Admin(+1)

You previously were uploading games by other people so your account is on “high risk”.

(1 edit)

"High risk"? But How Can my games can be by other people? Look, if you don't like what I'm doing, I can remove it, and then we can End here. 

Eventually, I finished posting something and I don't do it anymore


(I wanted to ask for help and there is 😔)