    Japanese users are the latest target of a new phishing campaign. This attack was carried out via the PlayOnline gaming service instead of via more traditional means like email.

    PlayOnline is a service offered by Square Enix, which is used by several of the company’s games for their online features. However, it has been confirmed that this threat specifically targets users of the popular massively multiplayer online role-playing game (MMORPG) “Final Fantasy XI.”

    The game lets users chat with other players using the in-game Tell command. A malicious user, posing as a game administrator, uses this command to send the following Japanese messages to users:

    8周年お祝いかつどうはひらき、 www.ffxi{BLOCKED}.com で贈り物の包みを受け取ってください

    ご当選おめでとうございます。あなたはFFXI抽選イベントで当選されました www.ffxi{BLOCKED}.com にご登録し、商品を受け取ってください。

    It should be noted, however, that the above-mentioned messages are grammatically incorrect and thus would not be used by any native Japanese speaker. These messages translate to the following English sentences:

    What is the 8th anniversary celebration and Hiraki, www.ffxi (BLOCKED).com Please accept the gift wrap

    Congratulations on your win. FFXI was elected in the event you draw www.ffxi (BLOCKED).com and sign up, please receive it.

    Accessing the URL embedded in these messages eventually takes users to a fake PlayOnline login page.

    The phishing page’s contents are written in English, whereas those of the legitimate page are written in Japanese. However, the overall appearance of the phishing page is identical to that of the legitimate PlayOnline page, as shown below.


    In addition, careful examination of the address bar lets users know that the page is fake. The legitimate PlayOnline login page uses an extended validation certificate, which some browsers (including Internet Explorer and Firefox) indicate by changing the color of the address bar to green. Users can also see the name of the organization that runs the site. In contrast, the phishing page does not use any SSL certificate at all, so these indicators are missing, which helps users determine whether a site is legitimate or not.

    Other content, including a fake official site for “Final Fantasy XI,” is also present on the same server that hosts the phishing page.


    These phishing pages were hosted by an ISP in the United States and have since been shut down. However, similar attacks using the Tell command are still not out of the question, and users should remain careful moving forward.

    Trend Micro users are protected from this attack via the Trend Micro™ Smart Protection Network™, which blocks the malicious websites used in the attack.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice