
I haven't been seeing scammers lately so maybe that's a good thing.

One could read your statement in three ways.  ;-)

1. You do not recognise the scams.

2. Where you look, there are no scams.

3. You look where there used to be scams but are not any longer.

My list grew by 7 reports since your posting. Some were obvious malware, but sadly the scanner on my system would not have detected it. VirusTotal also only had a few that saw through the obfuscation. It is a variant of a known trojan. The sandbox method might have protected at least the data of the user. But I am not sure about that, because the infection method seems to exploit the update mechanism of Chrome to infect your system the next time you start. So you will not be immediately hacked and may not be sure what infected you, afterwards.

To clarify: there is malware uploaded daily on itch. Malware that is indexed. Developers are not verified. And the scammers work very hard to overcome any obstacles like automated scans. They have a very short feedback cycle. It is trivial if you think about it. Upload malware, see if it is indexed or at least not banned. Yes, continue. No, try a different approach to hide the payload of the malware.

Itch is a honey pot for them. Lots of people trying out executables from unknown developers. Some of the legit developers even telling the users about false positive warnings of antivirus apps. It is a minefield for users. And the scammers do experiment with AI on occasion. As long as it pays off, they will continue.

Since I doubt that itch will introduce a paywall for developers anytime soon, it might only dry out if there are too few scam victims to justify the effort.

They kinda did dry out a certain method of scams that involved fake download buttons. Never saw one of those, after itch introduced special markings for external links (but the three reasons above apply here too ;-)

Yeah. I meant as in wherever I look there are no scams.

The sad truth is, all the people that did get infected and hacked did not recognise those scams. Obviously.

I don't blame them. Itch is a legit site. One would not expect malware here.

I do not know what can be done about it. On the cheap, that is. But I would start with better account protection, like detecting the hijack.

On client side, people can be more careful and mistrusting. But for that they have to be aware of certain facts. Really aware. Like people being too lazy to report scams and scammers being able to upload them, because developers are not verified and automated scans can only detect so much.

So my best advice is the title of this thread. Do not download things. If you are aware, you will be more sceptical about any gifted horses, there might be trojans hiding inside.


I must agree. Anyways, I have something you might like.


Another tactic I have seen is these hackers would message people on other social media websites (Discord being a common one which I have seen this on) saying that they have just made a game they would like you to play and give feedback on, sometimes these Discord accounts are hacked accounts, sometimes it will be a friend of someone they have hacked which will ask them to play their game which helps the fake game look more legitimate and more trustworthy to download.

I believe the malware with this tactic typically targets Discord accounts instead of Itch accounts, although it could indeed target a lot more, either way it is another tactic to watch out for.

The thread below actually gives a lot more detail on this scam:
https://itch.io/t/1659440/psa-beware-the-try-my-game-scam

I have no intent of giving someone malware. The game I sent is a legit game. And if you don't feel safe downloading it, it's even in web browser.

I actually made this thread to point out that the "classical" try-my-game-on-discord-scam is not the only method used and give some general tips. It is not necessary for the scammers to socially target people and distribute password protected links on Itch. They can just spam their projects in the open. I saw several times the original and a fake show up in a search side by side. It is just sick. Only last week I saw a fake game aimed at children.

And itch is indexed on regular search engines quite fast. So de-indexing does not even help much. People can find the scam site by accident by googling some indie games.

This might also be the reason why there are so many fake blog posts on Itch. The scammers not only post projects, they post devlogs with links to malware in the guise of some game announcement. I saw such a fake account with over 40 followers. How ... what ... I cannot understand this.