Before I end the post, the usual disclaimer/disclosure:
I work at Trend Micro. The information contained in this post is taken from the Trend Micro website and the TrendLabs Security Intelligence Blog. To know more about what I do full-time, kindly visit my blog’s about page or visit my LinkedIn page. To read my blog’s disclosure policy, kindly visit my disclosure page.
For infosec, malware and tech (and not so techie) stuff, please follow me on Twitter 🙂
It’s been a long time since I featured a game here at menardconnect.com. And since this Flappy Bird game is such a hit, let me do a Flappy Bird Cheats post.
Flappy Bird is really an addicting game for most people. I am not really sure why. Maybe because it’s so simple and yet so difficult. The game was released last year (around May 2013) and was removed from both the Apple App Store and Google Play last week.
The first Flappy Bird Cheat I found out was this: there were lots of Flappy Bird cheaters out there. By cheaters I mean really nasty people creating and releasing fake and malicious apps and games. They are taking advantage of the fact that the author has removed it from the App Store and Google Play. Quoting my colleague’s report at the TrendLabs Security Intel Blog:
“The interesting turn of events surrounding the game Flappy Bird has had the Internet buzzing: after becoming massively popular (downloaded more than 50 million times), the developer suddenly announced that he will take down the game from app stores, and then actually did it. The decision brought the interest around the game to an even greater scale, with similar apps seen emerging in app stores, and even auctions for devices with the app installed.
The next development we saw, however, is a less desirable one: we found a bunch of fake Android Flappy Bird apps spreading online”
It’s really sad to see that bad guys (read: cybercriminals) are always up-to-date on the latest buzz and trends. And they will take each opportunity to constantly make money/quick bucks on popular games (like Flappy Bird and Temple Run 2). I guess because that’s where the money is.
While sharing and tweeting that gaming/security blog post last week:
I’m always excited when I encounter some #security meets #gaming issue. So I’m eagerly re-posting my blog article published in the TrendLabs Malware Blog entitled World of Warcraft Scams: Mist of Pandaria, Free Mounts and Phishing Galore.
World of Warcraft: Mists of Pandaria is the fourth expansion for the massively multiplayer online role-playing game (MMORPG) World of Warcraft. It was first unveiled to the public in October 2011 during the BlizzCon 2011 conference in Anaheim, California.
TrendLabs researchers started seeing increased phishing activity inside World of Warcraft after Blizzard started the closed beta testing for Mists of Pandaria in March 2012.
In these new rounds of phishing attempts, scammers are trying to abuse WoW’s in-game mail system. The malicious URLs are sent via in-game mail and are received by players in their in-game mailboxes.
In this phishing attempt, the scammer entices would-be victims to join the Mists of Pandaria beta testing and win an exclusive in-game item, the Dragon Turtle Mount, by visiting and registering on the scammer’s website. The Dragon Turtle Mount was previously announced by Blizzard as the racial mount for the Pandaren, the new playable character race available in the Mists of Pandaria expansion.
The phishing URL in the in-game mail goes to a phishing website that closely resembles the actual Battle.net website. The phishing URL tries to gain some credibility by adding the Mists of Pandaria abbreviation (MOP) to the domain name.
If unsuspecting users input their Battle.net credentials, it will definitely result in Battle.net account theft. Battle.net is the central account management for all Blizzard games like World of Warcraft, Starcraft 2, and Diablo III.
In contrast to what we discussed in our previous World of Warcraft post, we observed that recent scamming attempts seem to be targeted at low-level characters and not high-level or level-capped (Level 85) ones. This may be part of the bad guys’ strategy for avoiding scam detection, as players with high-level characters may be more aware of this security issue because they have spent more time in the game.
We analyzed the malicious domain further and made a notable discovery: the same server also hosts other phishing sites targeting World of Warcraft players:
The newly discovered malicious websites use Mists of Pandaria, World of Warcraft, and their corresponding abbreviations in their URLs.
Trend Micro users need not worry about these threats, as they are protected from these World of Warcraft phishing attacks via the Trend Micro™ Smart Protection Network™, which blocks access to the phishing websites.
It is interesting to note that some of the phishing websites were registered just days after Blizzard announced that Mists of Pandaria will be the next World of Warcraft expansion. This clearly shows that the bad guys are up to date and are always on the lookout for events and opportunities to expand their nefarious schemes.
Blizzard, for its part, has stepped up its security measures. It has published a dedicated security page to help users understand its security commitment, raise awareness of the different types of account theft, highlight a gamer’s security checklist, and provide a step-by-step guide on what to do when users suspect that their account is being compromised.
Blizzard also promoted its authenticator (available as an app for iOS and Android devices, and as a keychain fob) by giving away an exclusive World of Warcraft Corehound pet to users who avail of the authentication service.
We also advise our readers, casual and hardcore gamers alike, to view our latest Security and Gaming e-Guide for helpful tips on securing their online game experience.
Thanks to Paul Pajares for additional technical details.
The most common scam in WoW that Trend Micro has seen uses the in-game chat/whisper system.
An unsuspecting player will receive an in-game chat/whisper from an unknown player offering free gifts (usually in-game pets, riding mounts, and vehicles) that they can avail of by registering at the website that is included in the chat message.
The website included is, of course, a phishing site that will gather the user’s Battle.net account name and password.
However, we have seen a new approach recently: the use of WoW’s postal system, more commonly known as the in-game mail system. In this new trickery, the phishing URLs are sent via WoW in-game mail and are received by players in their in-game mailboxes.
The mail message is full of a mix of surprises. It combines several elements from other Blizzard games. Wings of Liberty refers to Starcraft 2, which was launched in July 2010. “Deathy” refers to “Black Dragon Aspect Deathwing,” the major antagonist in the upcoming WoW expansion game, Cataclysm.
To add to its credibility, the phishing URL contains the string worldofwarcraft and an abbreviation of Cataclysm. It is also interesting to mention that the website domain is registered and hosted in China.
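Both this post and the Mists of Pandaria post earlier on this page describe phishing hostnames that embed game names or abbreviations. The following is an added example, not code from the original posts or from Trend Micro, of a check that flags such hosts; the official-domain allowlist is an assumption and every sample URL is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only hosts where Battle.net credentials belong.
OFFICIAL_DOMAINS = {"battle.net", "blizzard.com", "worldofwarcraft.com"}
# Brand strings of the kind the posts describe inside phishing hostnames.
LONG_TOKENS = ("worldofwarcraft", "battlenet", "blizzard", "pandaria", "cataclysm")
# Short abbreviations match only as whole dot/hyphen-separated words, so
# "mopeds.example" is not flagged (the cost: "wowlogin.example" is missed).
SHORT_TOKENS = {"wow", "mop"}

def hostname(url):
    """Lower-cased host of a URL; accepts chat/mail text with no scheme."""
    if "://" not in url:
        url = "//" + url
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return ""

def is_official(host):
    # Exact match or a true subdomain; "battle.net.x.example" does not pass.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def brand_tokens(host):
    squashed = re.sub(r"[^a-z0-9]", "", host)      # defeats "battle.net." prefixes
    words = set(re.split(r"[^a-z0-9]+", host))
    return sorted({t for t in LONG_TOKENS if t in squashed} | (SHORT_TOKENS & words))

def classify(url):
    host = hostname(url)
    if not host:
        return ("unparsed", [])
    if is_official(host):
        return ("official", [])
    hits = brand_tokens(host)
    return ("suspicious", hits) if hits else ("unrelated", [])

# Constructed sample URLs (reserved .example names, not real indicators).
SAMPLES = [
    "https://eu.battle.net/login",
    "http://wow-mop.example/beta",
    "battle.net.account-check.example/login",
    "http://www.battle.net@worldofwarcraft-mount.example/",
    "http://mopeds.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(classify(url), url)
```

Brand tokens in a non-official host are a triage signal for review or blocking, not proof of phishing on their own.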
We also noted that WoW online scammers have raised the bar by pretending to be figures of authority, something seen in spam attacks outside the online gaming industry.
The scam perpetrator poses as a Blizzard employee with a name that contains a string similar to Blizzard. The attacker threatens to suspend the player’s account if he/she does not register at the website included in the chat message.
As in the attack mentioned earlier, the link goes to a phishing site that tries to steal the user’s Battle.net credentials. The phishing site very closely resembles the actual site in terms of layout. At first glance, the user may be led to believe that the URL is related to the WoW Armory, an official site containing information on in-game characters, guilds, and items.
To protect its customers, Blizzard has intensified its information campaign on Battle.net’s security page. It also provided very accessible means within the game to report users who are abusing its chat and mail systems.