Scams involving Discord and Steam are nothing new, but security researchers advise users of both platforms to pay special attention to a new scam doing the rounds.

Researchers at Malwarebytes found that this time the scam isn't after your Discord credentials at all. The Discord Nitro offer is only a stepping stone to a more lucrative prize: your Steam account.

Discord Nitro Used as Phishing Lure for Steam Accounts

In short, the scam uses a free offer of Discord Nitro, Discord's paid subscription tier with a few extra bells and whistles, as a phishing lure. Nitro normally costs around $10 per month, so a free month is a lure with appeal to a wide range of targets.

So, how does it work?

A bot or scammer-controlled account sends the target an unsolicited direct message claiming that "If you link your Steam account, you'll receive one-month free Discord Nitro," or words to that effect. If the target clicks the link in the message, they land on a website posing as an official Discord Nitro page, complete with a splash screen advertising the free month in exchange for linking a Steam account.


Users are prompted to hit the "Get Nitro" button to begin the linking process. When you genuinely link your Steam account to a third-party service, Steam opens a separate pop-up window that explains what you are linking and warns you to be aware of scams.

On the phishing page, no real pop-up opens when you select the Get Nitro button. Instead, the page itself redraws to imitate Steam's third-party account link window. That "window" is HTML rendered inside the phishing site; nothing is loaded from Steam at all.

This is the actual scam. The attackers want you to type your Steam credentials into their fake window so they can harvest them. The imitation is convincing: its drawn address bar shows the steamcommunity.com URL you would expect to see, and it even has fake scroll bars. Because that address bar is just text on the page rather than your browser's own address bar, it behaves differently from the real thing, which is the tell discussed in the tips below.

Users who enter their Steam credentials in the fake pop-up are shown an error message saying the account name or password was incorrect. In reality, the credentials were sent to the attackers the moment the user pressed Enter.
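To make the "built into the page" point concrete, here is an added example that is not from the article or from Malwarebytes' research: a small static scanner that looks for the three indicators described above in a page's HTML. It reports URL-looking text rendered as plain page content (a drawn address bar), whether that text is styled so it cannot be selected, and whether a form containing a password field submits somewhere other than the host the drawn address bar claims. The HTML below is constructed for illustration; appnitro-discord.com is one of the domains the article names, and the paths in the samples are assumptions.

```python
"""Static indicators of a login pop-up that is drawn inside the page.

Added example: the HTML below is constructed, not captured from the campaign.
appnitro-discord.com is a domain the article names; the paths are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?:/[^\s\"'<>]*)?")
VOID = {"input", "br", "img", "meta", "link", "hr", "area", "base", "col",
        "embed", "source", "track", "wbr"}


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _unselectable(attrs):
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "user-select:none" in style


class _Scanner(HTMLParser):
    """Collects hosts shown as plain text (a drawn address bar), which of those
    cannot be selected, and where forms that contain a password field submit."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = _host(page_url)
        self.displayed_hosts = set()
        self.unselectable_hosts = set()
        self.password_targets = set()
        self._open = []            # stack of (tag, attrs) for non-void elements
        self._form_action = None
        self._form_has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form_action = urljoin(self.page_url, a.get("action") or "")
            self._form_has_password = False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self._form_has_password = True
        if tag not in VOID:
            self._open.append((tag, a))

    def handle_endtag(self, tag):
        if tag == "form" and self._form_action is not None:
            if self._form_has_password:
                self.password_targets.add(_host(self._form_action))
            self._form_action = None
        for i in range(len(self._open) - 1, -1, -1):   # pop to the matching open tag
            if self._open[i][0] == tag:
                del self._open[i:]
                break

    def handle_data(self, data):
        for m in URL_RE.finditer(data):
            h = _host(m.group(0))
            if h:
                self.displayed_hosts.add(h)
                if any(_unselectable(a) for _, a in self._open):
                    self.unselectable_hosts.add(h)


def scan_popup(html, page_url):
    """Return human-readable indicators; an empty list means none were found."""
    s = _Scanner(page_url)
    s.feed(html)
    s.close()
    findings = []
    claimed = s.displayed_hosts - {s.page_host}
    for h in sorted(claimed):
        findings.append(f"drawn address bar shows {h} but the page is served from {s.page_host}")
    for h in sorted(s.unselectable_hosts):
        findings.append(f"URL text for {h} is styled user-select:none, so it cannot be copied")
    if claimed:
        for h in sorted(s.password_targets - claimed):
            findings.append(f"password form submits to {h}, not to the host shown in the drawn address bar")
    return findings


# Constructed phishing page: a div dressed up as a Steam sign-in window.
PHISHING_URL = "https://appnitro-discord.com/nitro"
PHISHING_HTML = """
<html><body>
<h1>Get Nitro</h1>
<div class="fake-window" style="position:fixed; width:480px">
  <div class="fake-addressbar" style="user-select: none; background:#eee">
    https://steamcommunity.com/openid/login
  </div>
  <form action="/collect.php" method="post">
    <input name="username">
    <input type="password" name="password">
    <button>Sign in</button>
  </form>
</div>
</body></html>
"""

# Constructed benign page: a sign-in form served by the host it submits to.
BENIGN_URL = "https://steamcommunity.com/login"
BENIGN_HTML = """
<html><body>
<form action="/login/submit" method="post">
  <input name="username"><input type="password" name="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in ((PHISHING_URL, PHISHING_HTML), (BENIGN_URL, BENIGN_HTML)):
        print(url, scan_popup(html, url) or "no indicators")
```

The scanner is a triage aid, not proof: a legitimate page can mention a URL in its text, and a real browser pop-up has no address bar in the DOM at all, which is exactly why the benign sample produces no findings.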

Steam Accounts Resold in Bundles

Wondering how much your Steam account will change hands for? You'd be surprised at how cheaply your credentials are sold off. The price certainly doesn't reflect how many AAA games you own: a Kaspersky report found stolen gaming credentials trading for as little as $14.20 per 1,000 accounts.


Four Tips for Avoiding Steam and Discord Phishing Scams

Phishing scams are rife throughout the world of gaming. There are so many users, accessing so many different services, and all it takes is the allure of picking up something for nothing to get people to part with their credentials.

So, how do you avoid phishing scams on Steam, Discord, or any other gaming platform?

  1. If it seems too good to be true, it probably is. If the deal you're being offered seems outrageously good, it's likely a scam. Take a moment to run an internet search for the deal along with the words "phishing" or "scam."
  2. Be wary of unsolicited offers even when they are modest. A free month of Discord Nitro isn't a mind-blowing offer, which is exactly why it is believable. Treat any unsolicited email or direct message offering something for free that would otherwise cost money with suspicion, and don't click links to unfamiliar websites in messages that arrive out of the blue: the link may lead to a phishing site, a malware download, and so on.
  3. Check the links. The steamcommunity.com address shown in the fake window looks real, but the fact that you can't select it to copy and paste is a massive giveaway, and because the fake window is part of the page, your browser's own address bar still shows the phishing site's domain. In this campaign the scammers used lookalike domains such as "appnitro-discord.com" and "discord-appnitro.com"; both are phishing sites.
  4. Download and install a reputable security product. Malwarebytes reported blocking most of the phishing URLs used in this scam for its users, and other security products will have done the same.
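Tip 3's advice to check the link can be turned into a check, as an added example that is not from the article: classify every link in a message as official, lookalike, or unrelated by comparing the registrable domain against a short allow-list of genuine Discord and Steam hostnames. The allow-list is illustrative and not exhaustive, the "last two labels" rule for the registrable domain is a simplification that ignores the Public Suffix List, and the sample direct message is constructed.

```python
"""Classify links in a message as official, lookalike, or unrelated.

Added example, not from the article. The allow-list is a short illustrative
set of genuine Discord and Steam hostnames, not a complete one.
"""
import re
from urllib.parse import urlparse

OFFICIAL = {
    "discord": {"discord.com", "discordapp.com", "discord.gg"},
    "steam": {"steampowered.com", "steamcommunity.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Last two labels of the host. Simplification: a production check should
    consult the Public Suffix List so that hosts like example.co.uk work."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_link(url):
    """'official' if the registrable domain is on the allow-list, 'lookalike'
    if a brand name appears anywhere else in the host or is smuggled in as
    userinfo before an '@', 'unrelated' otherwise."""
    if "://" not in url:
        url = "https://" + url
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if "@" in p.netloc:
        # "https://steamcommunity.com@evil.example/" displays the brand but
        # connects to evil.example; treat embedded userinfo as hostile.
        return "lookalike"
    if any(registrable_domain(host) in good for good in OFFICIAL.values()):
        return "official"
    if any(brand in host for brand in OFFICIAL):
        return "lookalike"
    return "unrelated"


def check_message(text):
    """Map every link found in a message to its classification."""
    return {u: classify_link(u) for u in URL_RE.findall(text)}


# Constructed direct message in the style the article describes.
SAMPLE_DM = ("If you link your Steam account, you'll receive one-month free "
             "Discord Nitro: https://appnitro-discord.com/nitro")

if __name__ == "__main__":
    for link, verdict in check_message(SAMPLE_DM).items():
        print(verdict, link)
```

The substring test for a brand name is deliberately applied only after the allow-list check, so "support.discord.com" is official while "appnitro-discord.com" and "steamcommunity.com.evil.example" are lookalikes; homoglyph and punycode domains need a separate check that this example does not attempt.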

Everyone encounters a phishing scam from time to time. They're everywhere. What matters is how you deal with it when it happens to you, and if you follow the four basic tips above, you should remain safe.