by RSS Roland Dela Paz and Rommel Joven  |  Aug 31, 2016  |  Filed in: Security Research

Malware-as-a-Service (MaaS) business models continue to thrive in the cyber underground. It has allowed cyber crooks to generate renewable income through renting malware rather than selling their tool for a one-time payment. As a result, the business model has been adopted in various underground commodities such as exploit kits and remote access trojans. Recently, we saw the emergence of Ransomware-as-a-Service (RaaS) platforms.

During our monitoring, we discovered that this same business model is also being used in phishing schemes in the form of a Russian website called “Fake-Game.” Appearing in (at least) July 2015, Fake-Game offers a Phishing-as-a-Service (PHaaS) platform to anyone who signs up on their website:

Once a user has logged in, a tutorial window pops-up (the rest of the images in this post have been translated from Russian to English to allow our general readers to understand them):

The site then asks the user to choose which type of credential it wishes to steal:

To see how it works, we tried to simulate the platform’s Gmail phishing tool. Upon choosing the Google option from the dropdown menu above, a link containing the subdomain “gmail” was generated:

The link is appended by an affiliate ID which, in this case, is our subscriber’s ID. This allows the website to track which stolen accounts belong to which subscriber.

A subscriber can then spread the phishing site to prospective victims. Once a victim enters a credential into the subscriber’s phishing link, a prompt showing the stolen information appears:

In order to assist novice cyber criminals using the platform, the above prompt provides a hyperlink to another Russian site where subscribers can sell the credentials they have stolen. The stolen credentials can be sold from $0.015 USD up to $15.39 USD at current exchange rates.

A summary of stolen credentials appear on the subscriber’s profile:

 

How Does the Phishing Webpage Work?

The Gmail phishing page looks like the legitimate Gmail log in page:

The Fake-Game platform has a feature that verifies the validity of credentials. If an entered credential is valid, it replies with a compressed string that translates to “good” once decompressed:

The phishing page’s code then checks to see if Fake-Game responded with the required value. If not, it displays an error and re-loads the phishing page:

The Fake-Game Phishing-as-a-Service (PHaaS) Business Model

Fake-Game earns money by offering VIP subscriptions for relatively low prices. The VIP account also offers subscribers extra privileges (listed below) that are not available for normal one-time users. The prices for such an account are $3.50 USD for a month, $5.70 USD for two months and $7.12 USD for three months:

 

Like legitimate businesses, Fake-Game has a real-time chat support feature available on its website:

Users are also given the privilege to chat with each other after reaching a rating of over 50 on the website:

User ratings are achieved by purchasing VIP accounts. Higher VIP package purchases reward users with higher ratings.

In addition, referral programs are available in order to attract more users to use the PHaaS platform:

As of this writing, the Fake-Game website shows that there are currently 61,269 subscribers using the platform. Furthermore, a total of 679,511 credentials were stolen based on their current statistics:

Conclusion

With the thriving malware-as-a-service business model, it is unsurprising to see the emergence of a Phishing-as-a-Service platform such as Fake-Game. However, it is important to be aware of these services and understand their implications. In this case, an effective business model such as this has the capability to amplify phishing attacks in the wild by making malicious services available and convenient to just about anyone.

While Fake-Game caters specifically to Russian cyber criminals, we believe that similar services will be available to other regions soon, if they are not already happening.

We want to reemphasize that it is always a good idea to make sure that the website link on your browser address bar is legitimate before entering online credentials. If you are unsure, manually typing in the correct website URL can help prevent phishing attacks. Furthermore, remember that unsolicited requests for credentials arriving through email or social media are typically fraudulent, and are best avoided.

NOTE: FortiMail Customers

Enabling the new Content Sanitization capabilities in FortiMail release 5.3.4 will enable your organization to be more resistant to phishing attacks - like those described in this threat analysis - by removing the ability of users to click links in emails.

Fortinet will continue to monitor developments in the phishing landscape.

-= FortiGuard Lion Team =-

by RSS Roland Dela Paz and Rommel Joven  |  Aug 31, 2016  |  Filed in: Security Research