If it’s free to play, consider the potential cost. Are cybercriminals the real winners?
Late this past summer, we began seeing a new web phishing scam targeting League of Legends gamers. It seems the attackers are predominantly targeting western Europe, with most of the attacks occurring in France, followed by Germany and Spain. And, with more than one hundred million gamers playing League of Legends every day, they are an attractive target for phishing scammers.
The game was released in 2009 by Riot Games. Its relatively new free-to-play model at the time made it especially successful in Asia. It is estimated that up to 5% of the total population of Taiwan played the game during peak times. The infographic below shows the popularity of League of Legends, with its number of active users falling between Xbox Live subscribers and World of Warcraft players.
You might be thinking that a hacker stealing credentials to a League of Legends account is not the same as stealing the login and password to your personal email, correct? Think again. People tend to use one identical password for many different accounts. As recently reported by Dark Reading, three out of five people use a single password for various services. Thus, even if a game is free to play, the stolen credentials may be valuable if the cybercriminal can use them to gain access to your personal email or PayPal account. It is important to remember that reusing your password for different services is not wise. Instead, you should always use strong passwords and make sure to generate a unique password for each service.
Let's take a closer look at the League of Legends phishing scam. At first sight, the login page looks compelling and real to an untrained eye. The image quality is not downgraded and the design impersonates the original website quite well. Links to reset your password or to retrieve your account point you to the real website of Riot Games.
However, after further evaluating the sign-in screen, a huge red flag is easily discovered: the website is being hosted by a free provider - 000webhost. You can see this in the lower right footer of the site. Renowned companies the size of Riot Games rarely use free hosting. In addition, certain UI elements on the site are not working. It is impossible to check the ‘Remember me’ box, or to select the desired region. This option is stuck on ‘EU west.’ Your suspicion should always be raised if you encounter UI elements that are not functioning properly.
Looking deeper into the HTML code, we can clearly see the link points you only to the top of the page - ‘href="#"’.
Upon clicking the "sign-in" button, the user’s credentials are submitted to the ‘done.php’ file and likely sent to the attacker’s email or stored elsewhere for later use.
Before we move on, let’s go through some URL essentials. It turns out that knowing the structure of a URL can help you tell potentially suspicious websites from trustworthy ones. In this case, we will focus on the basic parts of a URL: top level domain, domain name, and subdomain. The picture below shows a URL to Avast’s company website.
The top level domain (TLD) is the section that follows the last dot between the slashes. That would be ‘.com’ highlighted in blue above. You probably know many others like ‘.co.uk’, ‘.gov’, ‘.net’ and so on. The domain name is the segment located to the left of the TLD, which is again terminated by a dot and highlighted in red above. In general, the domain name is the name of your website, and is typically a company’s name or an associated brand that is easy to remember, like ‘Avast.’ The crucial point here is that custom domain names always cost money. Finally, the subdomain name is highlighted in light orange. This is located to the left of the domain name, and it is terminated by the protocol name - ‘https://’ in the above example.
Subdomain creation is an inexpensive way to develop many independent websites within your domain. You can also host more sites by creating different folders, but subdomains provide an easier way to allocate resources. That is why the subdomain is the only modifiable part of the URL when you use free website hosting. You may be wondering how to tell if a website is using free (instead of paid) hosting. This is never easy. But here are some of the more common free hosting domain names: 'bravenet', 'weebly', '000webhost', 'x10hosting', 'awardspace', '5gbfree', 'freehostia', 'freewebhostingarea', 'godaddysites'.
The main reason many phishing scams use free hosting is money. Phishing scams do not take much disk space and they will not generate a lot of traffic. They don’t need any of the advanced features provided by the paid services. So, free hosting is the most sensible choice. According to the data we gathered from different phishing URLs of the same threat, the League scam is mostly hosted on 000webhost.
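The URL breakdown and the free-hosting names above can be turned into a simple triage check. The following is an added example, not code from the original article: it splits a host into subdomain, domain name and TLD, then flags hosts whose domain name matches one of the listed providers or that carry a brand name only in the subdomain. The sample URLs, the brand watch list and the short two-label suffix set are constructed assumptions.

```python
from urllib.parse import urlsplit

# Free-hosting provider names as listed in the article.
FREE_HOSTING_NAMES = (
    "bravenet", "weebly", "000webhost", "x10hosting", "awardspace",
    "5gbfree", "freehostia", "freewebhostingarea", "godaddysites",
)

# Assumption: a tiny hand-picked set of two-label suffixes such as '.co.uk'.
# Production code should consult the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def split_host(url):
    """Return (subdomain, domain_name, tld) for the host part of a URL."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".") if host else []
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:  # e.g. 'localhost' or a bare suffix
        return "", "", host
    tld = ".".join(labels[-suffix_len:])
    domain = labels[-suffix_len - 1]
    subdomain = ".".join(labels[:-suffix_len - 1])
    return subdomain, domain, tld


def assess(url, brand_keywords):
    """Return a list of findings for one URL (empty list = nothing flagged)."""
    subdomain, domain, _ = split_host(url)
    findings = []
    # Substring match: a provider may serve sites from a variant of its name.
    if any(name in domain for name in FREE_HOSTING_NAMES):
        findings.append("free-hosting")
    # On free hosting only the subdomain is chosen by the site owner, so a
    # brand name there (and not in the domain name) proves nothing.
    flat = subdomain.replace("-", "").replace(".", "")
    if any(k in flat and k not in domain for k in brand_keywords):
        findings.append("brand-in-subdomain")
    return findings


if __name__ == "__main__":
    brands = ["leagueoflegends", "riotgames"]  # hypothetical watch list
    for u in ("https://www.avast.com/",
              "https://leagueoflegends-eu.000webhost.example/done.php",  # constructed
              "https://signup.riotgames.example.co.uk/"):                # constructed
        print(u, split_host(u), assess(u, brands))
```

A match is a reason to look closer, not proof of phishing: legitimate personal sites also live on free hosting, and the substring match can produce false positives.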