Do you think it’s easy for hackers to steal your passwords?
In the past, this may not have been the case, but like most things the technology has improved. Now malware developers are offering phishing as a service (PHaaS) that makes it a simple process to set up a fake login page and then ask people to sign into it.
No Technical Skills Required
It used to be that hacking required technical prowess to create malware. Now it’s becoming possible for non-technical people with criminal intent to create a malware attack, and these service providers are making it easy.
These types of attacks are being offered as malware as a service. It allows malware developers to sell their malicious software as a service online. One example is the new Russian website called Fake-Game. This website gives subscribers access to custom phishing links which they can then send to victims.
Does it work? So far the site claims that 60,000 active users have stolen almost 700,000 usernames and passwords.
With an easy-to-use interface and dashboard, subscribers can view the credentials they stole from victims. These credentials can then be sold from $.015 to $15.39 USD each.
Here’s What You Need To Do To Protect Yourself
When you go to a site to enter your credentials (Facebook, Instagram, etc.) get in the habit of looking at your address bar and verifying that the page is actually where you expect it to be before you try to login.
Use two-factor authentication if the site allows it. An article in TechTarget states that the “two-factor authentication is a security process in which the user provides two means of identification from separate categories of credentials; one is typically a physical token, such as a card, and the other is typically something memorized, such as a security code.”
Phishing scams like Fake-Game are an actual working business model that allows thieves to rent malware rather than having to make a one-time purchase. As a legitimate business, Fake-Game even offers customer service via web chat.
Fake-Game has a Gmail phishing page that looks just like the real page on the Google property. The malware creator even has a feature that will verify credentials once they are entered.
Now thieves can send a message that pretends it’s from a legitimate website and ask the user to login. After they login, the hacker then has access to their account.
Phishing Scams Made Easy
Once they arrive on the site, thieves are able to pick which social media or network they wish to use. Some options are Instagram, Facebook, Steam, and Gmail. Fake-Game then creates a URL that has a unique affiliate ID. It uses this ID to track which customers should get the stolen credentials once they are entered.