
Itch is not a safe place. Do not download things.

A topic by redonihunter created Feb 16, 2024 Views: 3,208 Replies: 18

I am serious. The amount of fake projects is scandalous. I am talking about indexed projects that are unchallenged for months. And even reported projects stay unquarantined and sometimes indexed for weeks.

Most of those things are uploaded on obviously hacked accounts. The problem is not something as simple as a try-my-game-on-Discord scam, where you get a password for a rar archive. It is the let's-browse-shiny-new-games-on-itch minefield. The malware will take away your itch credentials (cookie theft) and not even 2FA will protect your account. And who knows what else they do.

Since some of those hacked accounts have had payment options, some of those scams have pay what you want active, sometimes even paid only. They have fake ratings sometimes and sometimes are not reported, so you can encounter a scam that is half a year old or older.

Fortunately for many players, the scammers most often target adult games. But I have also seen regular indie games that were released on Steam.

So if you are unsure about a game, trust your scepticism. And if you are sure it is a scam, report it. I saw games with comments about it being a scam, but apparently the users did not bother to click the report button. The scammers are experimenting with all sorts of variations in their publications. And this sometimes includes impersonating the original creator by linking sites of the original creator.

Oh the games might be real, but at the very least they are pirated, and at the worst you get infected with malware and as a bonus your itch account is used to spread more malware.

General tips:

If it looks too good to be true, it probably isn't. Seeing a finished game here for free that is paid on Steam? Obvious fake.

Use the itch app sandbox mode. Or create your own sandbox mode (use the internet to find out how. It involves creating a new user on Windows that has a password and starting the not yet trusted app as this different user. This way at least most of your stuff should be safe-ish.)

One method of detection avoidance is to not have the malware in the downloadable, but prompt the user to download additional stuff. So be very suspicious if you have to download other things.

While some legit games do provoke a warning message from antivirus, guess what a scammer would tell you about that message. Right. Never trust an unknown person on the internet that tells you to shut off your protection. Triple check, why the message appears. On hopefully rare occasions even legit devs could have their development computer hacked and they unknowingly uploaded malware.

There are many red flags and some green flags for games. I shall not talk about them in detail, lest the scammers upgrade their schemes. But if you regularly browse new games, you will notice patterns. Be careful. They do also appear in new&popular. And in popular if you select tags with few hundred games.

But the best green flag is a game that is alive. Not old and undeleted, not having a dozen fake ratings, not being posted on an old hacked account that still has followers and even payment possible, not having several games posted in a few days, not having links to patreon and twitter, but alive in the sense of having an active community and surroundings. 

---

For any admin reading this. I collect them in a private collection. Accounts get hacked right and left. Please do something, anything to protect the users of this site. Whatever you are doing now is not working well enough.

https://itch.io/c/3438002/spammers-reported
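The "create your own sandbox" tip from the post above, as an added example that is not part of the original post: a PowerShell sketch that creates a password-protected standard user and starts a not yet trusted program as that user. The account name `untrusted-games`, the folder `C:\Sandbox\Games` and the file `game.exe` are assumptions chosen for illustration.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Hypothetical names: account, folder and executable are placeholders.
$user = 'untrusted-games'
$dir  = 'C:\Sandbox\Games'
$exe  = Join-Path $dir 'game.exe'

# 1. Create a standard local account with a password.
#    The password is prompted for and never stored in the script.
$pw = Read-Host -AsSecureString "Password for $user"
if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $user -Password $pw `
        -Description 'Runs untrusted downloads' | Out-Null
    # S-1-5-32-545 is the built-in Users group (language independent).
    Add-LocalGroupMember -SID 'S-1-5-32-545' -Member $user
}

# 2. Refuse to continue if the account ended up in Administrators
#    (S-1-5-32-544); an admin account would defeat the separation.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object Name
if ($admins -match "\\$user$") {
    throw "$user is an administrator; remove it from that group first."
}

# 3. Give the account one folder to work in. Your own profile under
#    C:\Users stays unreadable to it through the default permissions.
New-Item -ItemType Directory -Path $dir -Force | Out-Null
icacls $dir /grant "${user}:(OI)(CI)M" | Out-Null

# 4. After copying the download into $dir, start it as the other user.
#    The working directory must be one that user can access.
if (-not (Test-Path $exe)) { throw "Copy the download to $exe first." }
$cred = New-Object System.Management.Automation.PSCredential(
    "$env:COMPUTERNAME\$user", $pw)
Start-Process -FilePath $exe -WorkingDirectory $dir -Credential $cred
```

The program started this way cannot read the files or browser profile of your main account, but it still shares your desktop session and network connection, so this separates data rather than fully isolating the program.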

I haven't been seeing scammers lately so maybe that's a good thing.

One could read your statement in three ways. ;-)

1. You do not recognise the scams.

2. Where you look, there are no scams.

3. You look where there used to be scams but are not any longer.

My list grew by 7 reports since your posting. Some were obvious malware, but sadly the scanner on my system would not have detected it. VirusTotal also only had a few that saw through the obfuscation. It is a variant of a known trojan. The sandbox method might have protected at least the data of the user. But I am not sure about that, because the infection method seems to exploit the update mechanism of Chrome to infect your system the next time you start. So you will not be immediately hacked and may not be sure what infected you, afterwards.

To clarify: there is uploaded malware daily on itch. Malware that is indexed. Developers are not verified. And the scammers work very hard to overcome any obstacles like automated scans. They have a very short feedback cycle. It is trivial if you think about it. Upload malware, see if it is indexed or at least not banned. Yes, continue. No, try a different approach to hide the payload of the malware.

Itch is a honey pot for them. Lots of people trying out executables from unknown developers. Some of the legit developers even telling the users about false positive warnings of antivirus apps. It is a minefield for users. And the scammers do experiment with AI on occasion. As long as it pays off, they will continue.

Since I doubt that itch will introduce a paywall for developers anytime soon, it might only dry out, if there are too few scam victims to justify the effort.

They kinda did dry out a certain method of scams that involved fake download buttons. Never saw one of those, after itch introduced special markings for external links (but the three reasons above apply here too ;-)

Yeah. I meant as in wherever I look there are no scams.

The sad truth is, all the people that did get infected and hacked did not recognise those scams. Obviously.

I don't blame them. Itch is a legit site. One would not expect malware here.

I do not know what can be done about it. On the cheap, that is. But I would start with better account protection, like detecting the hijack.

On client side, people can be more careful and mistrusting. But for that they have to be aware of certain facts. Really aware. Like people being too lazy to report scams and scammers being able to upload them, because developers are not verified and automated scans can only detect so much.

So my best advice is the title of this thread. Do not download things. If you are aware, you will be more sceptical about any gifted horses, there might be trojans hiding inside.


I must agree. Anyways, I have something you might like.


Another tactic I have seen is these hackers would message people on other social media websites (Discord being a common one which I have seen this on) saying that they have just made a game they would like you to play and give feedback on, sometimes these Discord accounts are hacked accounts, sometimes it will be a friend of someone they have hacked which will ask them to play their game which helps the fake game look more legitimate and more trustworthy to download.

I believe the malware with this tactic typically targets Discord accounts instead of Itch accounts, although it could indeed target a lot more, either way it is another tactic to watch out for.

The thread below actually gives a lot more detail on this scam:
https://itch.io/t/1659440/psa-beware-the-try-my-game-scam

I have no intent of giving someone malware. The game I sent is a legit game. And if you don't feel safe downloading it, it's even in web browser.

I actually made this thread to point out that the "classical" try-my-game-on-discord-scam is not the only method used and give some general tips. It is not necessary for the scammers to socially target people and distribute password protected links on Itch. They can just spam their projects in the open. I saw several times the original and a fake show up in a search side by side. It is just sick. Only last week I saw a fake game aimed at children.

And itch is indexed on regular search engines quite fast. So de-indexing does not even help much. People can find the scam site by accident by googling some indie games.

This might also be the reason why there are so many fake blog posts on Itch. The scammers not only post projects, they post devlogs with links to malware in the guise of some game announcement. I saw such a fake account with over 40 followers. How ... what ... I cannot understand this.

I'd also add that if you're a developer do not download games with your developer account, that's their jackpot, after all the best way for them to disguise their scams is when they steal a legit account.

That explains the hacked accounts with the followers and payment options cleared.

But for the methods they use for hacking, I doubt that it would make much difference. The downloaded malware is not aware that it was downloaded by any itch account. It just steals what it can get and does whatever else the malware does. It surely targets itch credentials, stealing cookies and making 2fa ineffective.

If there is no root kit and escaping with it, at least sandboxing would protect the credentials.

The collection above grew by like 50 items or so.

It is disheartening to see reported accounts publish yet another indexed game a week or more after being reported.

Or see original games here not on the index and the fake getting indexed or both appearing in search.

About 80 games on my list still exist. Oh, the older ones might be quarantined. But you can still download them, and the malware spreaders could use direct links and tell the gullible player some story as to why that message appears. It is not unusual to have false positives for indie games.

Whatever itch is doing to protect their users, it is not good enough. There are demonstrably several hacked accounts every day. It is as if there is no account protection whatsoever! And who knows what happens on the hacked systems. I have doubts that the payload is stealing credentials for an indie gaming platform.

And I shudder when I think about all the old scams that went undetected. It is a minefield.

And I shudder when I think about all the old scams that went undetected. It is a minefield....

The last weeks I saw a few that were over two years old. Sitting here, unprotested, waiting to infect a new unsuspecting user, trusting that a 2 year old game on a legit platform like itch could not be malware.

A minefield it is.

This is definitely disheartening to read. I downloaded a couple of games off here, and while they are safe (because I semi-follow the creator's work), it's definitely putting me on edge to download games anymore, especially off here. It doesn't seem worth it if every game has a high possibility of being a virus.

The best method I have come up with when first coming across a game is to check the creator's previous work or see if the game has videos on it. If it does and I like what I see, I will download it and put it through a couple of antivirus scans.

The scammers try to fake everything. But what is hardest to fake is an alive community. This is especially hard on new developers, since they struggle to garner a community of players.

They know why they publish their scams on hacked accounts. Those look a bit alive and are older, some even with published projects and a dozen or more followers. Payment options are also in the account, so there are paid and pay what you want scams around.

The scams uploaded here often do not get detected even on VirusTotal, where they use like 70 different scanners...

Sandboxing seems the way to go for not yet trusted developers.

I am a bit hesitant to use a sandbox, but I will keep that in mind. I also check the comments on the games, though it's hard for me to tell, because for all I know the scammer could make a fake account and a fake alive community who loves this game... That's what scares me the most about downloading stuff from here.

Deleted post

I am tired. My collection of abuse of Itch's service has over 500 entries :-(

And there is not any sight of improvement of the situation. Not only are most scams on hacked accounts, - let that sink in for a moment - Itch takes too long to act upon reports. In the meantime the scam pages get indexed on actual internet search engines. Some even garner followers on Itch.

If people look for games, Itch ranks very high in the results. Just recently I found as result #1 the Steam page and #2 the scam page on Itch.

There are different kinds of scams or shall I say malware delivery schemes. One nasty bit I saw recently used a children's franchise to promise a game. I would very much like to know how long the acceptable timeframe is, to remove crap like this after a report. And as a hint, there is a filehoster that does this within an hour. And Google & co will take also a few hours or less to feature scams on their search results. So how long?

I guess the scammers use some loopholes, but still, something should be done. How many hacked accounts are acceptable? I would not beat that drum so much, if the scams were just posted on fake accounts. But seeing them on hacked accounts is heart breaking.

Oh, and if I look at scams and non-scams and their gain in followers, there obviously are many people mistrusting the scams. If you suspect a bad actor, please hit that report button and write to itch why you think the project is fishy. Their automated systems obviously did not catch it, otherwise it would not have been indexed, so they need to get reports on the scam. I really did see some scam indexed for months with people talking in comments about it being a scam.

It currently is better. I hope that sticks and means that Itch catches them much earlier, and does not just mean that the scammers hide the scams in other ways or other places. Or are on a holiday.

Automatic checks can only cover so much, so if you have reason to believe something illicit is going on, you should report it with your reasoning.