Phonecord

A newly launched bot for the Discord online chat service is being abused by "attention seekers" to place swatting and harassing calls, experts from Flashpoint have recently discovered.

The bot's name is Phonecord, a legitimate service in its own right, which allows the owners of Discord chat rooms to add a bot that gives chat participants the ability to place a call to a real-life phone number.

According to Flashpoint, groups of users are using these Phonecord bots to place abusive calls. The company says that none of these attacks are politically or financially motivated, and describes these users as "attention-seekers," and their attacks as "vicious."

These harassing calls are possible because Discord, a free online chat service, supports audio calls from the chat client, and because Phonecord allows users to buy phone call minutes using Bitcoin.

All these calls are placed through generic phone numbers of various VoIP providers. This setup allows Discord users to place semi-anonymous calls from their home, at will, and at dirt-cheap prices. For example, $2.5 worth of Bitcoin buys a user a whopping 125 phone call minutes.

Phonecord abused for swatting and harassing calls

Flashpoint reports that many of these prank calls have been typical swatting events, with attackers sending emergency services to a victim's house. Calls have been placed with the United Kingdom National Crime Agency (NCA) and Federal Bureau of Investigation (FBI).

This appears to have happened even though the Phonecord bot author bragged online about his service being able to ban calls to emergency services and government agencies.

Phonecord developer on Hack Forums

Prank calls are also popular. As expected, the classic pizza order prank is a favorite, with Discord users calling several pizza restaurants in the victim's vicinity and having massive amounts of pizzas sent to the victim.

Placing fake reservations at hotels is also very popular, a tactic that causes financial losses to the affected businesses.

Data breach victims at risk

Flashpoint says that pranksters target individuals whose personally identifiable information (PII) has been exposed in public data breaches.

"While these types of schemes yield no financial reward for the threat actors involved, they do satisfy these actors’ cravings for attention and amusement at the cost of victims’ discomfort," said David Shear, Flashpoint analyst.

The cyber-security company says it observed these swatting and pranking campaigns start on Discord in late April, but they'll probably continue unhindered.

Earlier in the year, a developer created a phone bot called Jolly Roger, meant to annoy tech support scammers.

UPDATE [May 15, 2017, 20:00 ET]: The Phonecord bot author was not able to respond to our initial request for comment, but he provided an update following the article's publication, detailing some of the anti-abuse measures recently implemented.

We've disabled anonymous payments and customers may only deposit with PayPal. We've added real-time phone number info checking which reliably detects calls to police departments and other law enforcement agencies. It occurs prior to each call and blocks the call if necessary. We believe it's now infeasible to swat with our service and no less anonymous than the phone in your pocket.