Phishing: not just for banks

From the Microsoft Malware Protection Center blog:

When people think of phishing (a deception that tricks a user into handing their credentials to a third party), they usually think of banking. But with the popularity of online games, users can still be targets even if they guard their banking information. A typical motive for phishing in games is to steal in-game money and items.

A phish might promise something free; since the phisher doesn't have to deliver, they could promise anything. In this example, the phisher promises two free Steam games:

The phishing email is detected as PWS:HTML/Phish.BF.

A phish might tell the user that their account has been suspended, or is threatened with suspension, and that they can save it by verifying their information. In these examples, a phishing website tells the user that they have done something against the terms of service of Zynga Poker:

(Detected as PWS:HTML/Phish.BC.)

(Detected as PWS:HTML/Phish.BE.)

A phish may also imitate the real login page closely enough that users take it for the genuine one and enter their information. In this example, a phishing website tries to look just like the login for RuneScape:

(Detected as PWS:HTML/Phish.BB or .BD.)

In fact, RuneScape phishing is so common that sites have sprung up offering ready-made phishing pages. Here is the landing page for one such site:

And the main forum:

The phisher enters some information to set up an account, and can then start spreading the URL of their phishing page. Once victims have entered their information, the stolen credentials are stored on the service, and the phisher logs back into their phishing account to view everything collected.

Protecting yourself
The phisher typically uses in-game messaging to reach their audience and spread the link to the phishing site. Because the link never travels through email, it bypasses content-filtering mechanisms such as antispam. Users should log into their game accounts only through the game program itself, or by navigating to the game's website themselves (typing the address rather than following a link someone sent), and should check that the domain in the address bar really belongs to the game before entering anything.

PS: Here's one more example, an instant message that I received in recent days. It was sent by someone I already had in my contact list, so he likely fell for the bait, and now the phishers are sending out more phishing messages from his account. This is a screenshot of Trillian, which connects to the Yahoo Instant Messenger Network:

If the link is clicked, it leads to the following website, which is detected as PWS:HTML/Phish.BA:

This resembles the actual Yahoo! login page; however, closer inspection reveals that the webpage is not hosted on yahoo.com but on config-verify.info.
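Two practical points run through this post: links arriving over in-game or instant messaging bypass mail filters, and the only reliable tell for a page like the one above is the host in the address bar, not how the page looks or whether "yahoo.com" appears somewhere in the link. The following is an added example written for this page, not code from MMPC. It checks a link against an allowlist of legitimate login domains by parsing the URL and anchoring the comparison on the right-hand end of the hostname, which defeats the usual tricks (the real brand in the path, as a subdomain of the attacker's domain, or as the userinfo before an @). The allowlist, the chat messages and every URL in it are constructed for illustration; config-verify.info is the domain named in the post.

```python
"""Flag links in chat/IM text whose host is not a legitimate login domain.

Added example, not MMPC's code. Domains and messages below are constructed.
"""
import re
from urllib.parse import urlsplit

# Assumption for the example: domains a player is entitled to log in to.
LEGIT_DOMAINS = {"yahoo.com", "runescape.com", "zynga.com", "steampowered.com"}

# Links as they appear in a chat message: with a scheme, or bare "www." links.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def hostname_of(url):
    """Return the lowercase hostname of url, or None if it cannot be parsed.

    urlsplit().hostname already strips the scheme, any user:pass@ prefix,
    the port, path and query, so "http://yahoo.com@config-verify.info/"
    yields "config-verify.info", which is the host the browser connects to.
    """
    if not SCHEME_RE.match(url):
        url = "http://" + url  # bare "www.example.com/..." links
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def is_legit(url, legit_domains=LEGIT_DOMAINS):
    """True only if the host IS an allowlisted domain or a subdomain of one.

    The comparison is anchored on the right-hand side of the host with a
    leading dot, so "yahoo.com.config-verify.info" and "notyahoo.com" both
    fail: a substring match ("yahoo" occurs somewhere) is exactly what the
    phish in the post relies on.
    """
    host = hostname_of(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def suspicious_links(message, legit_domains=LEGIT_DOMAINS):
    """Return every link in a chat/IM message whose host is not legitimate."""
    links = [u.rstrip(".,;:!?)\"'") for u in URL_RE.findall(message)]
    return [u for u in links if not is_legit(u, legit_domains)]


if __name__ == "__main__":
    # Constructed sample message in the style of the IM phish described above.
    sample = ("hey, free stuff here http://login.yahoo.com/ and also "
              "http://yahoo.com.config-verify.info/login, check it out!")
    for link in suspicious_links(sample):
        print("suspicious link:", link, "-> host", hostname_of(link))
```

The allowlist approach is deliberately strict: anything not explicitly trusted is reported, including shorteners and legitimate third-party sites, which is the right trade-off for a login-link check. A production version would compare against the Public Suffix List rather than a hand-written set so that, for example, a co-hosted subdomain of a free hosting provider is not treated as the provider itself.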

-- MMPC