The Phishing attacks are still one of the most effective methods to grab users’ credentials on the web.
Experts from Fortinet have discovered a Russian-language site called ‘Fake-Game’ that offers Phishing-as-a-Service.
“During our monitoring, we discovered that this same business model is also being used in phishing schemes in the form of a Russian website called “Fake-Game.” Appearing in (at least) July 2015, Fake-Game offers a Phishing-as-a-Service (PHaaS) platform to anyone who signs up on their website:” reads a blog post published by Fortinet.
“You’ve come to the site to hijack accounts,” reads the translation of the message that the website displays.
The website is free to use, but it also offers a paid version for VIP accounts that includes additional features such as the possibility to browse all other phished accounts.
The Fake-game was used to hack into over 688,610 accounts, this is what the authors claim, it is easy to use and includes also video tutorials.
Users only have to choose which type of credential they wish to grab (i.e. Facebook, Instagram, Google, etc.)
The Fake-Game then generates a URL with a unique ID for each user.
“The link is appended by an affiliate ID which, in this case, is our subscriber’s ID. This allows the website to track which stolen accounts belong to which subscriber.” continues the Fortinet post.
“A subscriber can then spread the phishing site to prospective victims. Once a victim enters a credential into the subscriber’s phishing link, a prompt showing the stolen information appears:”
The Fake-Game is a classic example of crime-as-a-service, similar services allow wannabe criminals to rent infrastructure and service to easily enter the cyber criminal arena.
Fake-Game users only need to trick victims into clicking on the Phishing URL.
Crime-as-a-service dramatically lowers the barrier for entry in the cyber criminal ecosystem.