One of the most effective ways of grabbing someone's email or social media password is to just ask for it. Phishing, where a hacker sends a message pretending to be from a legitimate website and pressures the target to log in, is still responsible for plenty of data breaches today.
Well, with one website, just about anyone can generate an authentic-looking phishing page, send it to whoever they want, and potentially steal the victim's login details; all with little to no training or technical knowledge.
In a blog post published on Wednesday, researchers from cybersecurity company Fortinet provided details on the Russian-language site, called "Fake-Game," which they say dates from at least July 2015. Fake-Game is basically Phishing-as-a-Service, or PHaaS, the researchers write.
“You've come to the site to hijack accounts,” a Google-translated version of the site reads, and it claims to have been used to take over 688,610 accounts. The site is free to use, but offers paid “VIP accounts” which come with extra benefits, such as browsing all other phished accounts. Fake-Game even has its own customer support and tutorial videos too.
A Facebook phishing page generated by the site.
To start, users select which service they want to create a phishing page for. Those include social networks Facebook and Instagram, gaming platform Steam, and popular email services like Gmail and .
Fake-Game then generates a URL with a unique affiliate ID, which, according to Fortinet, allows the site to track which of its customers the stolen credentials should be sent to.
I used Fake-Game to make my own Facebook phishing page, which utilized the rather un-Facebooklike URL fauth.pesed.xyz. But the page itself looks similar to the company’s login screen, perhaps close enough to fool some people into entering their username and password.
Of course, although Fake-Game provides the phishing page and the infrastructure to run it, hackers will still need to persuade their victim to click on the URL, which, at least in the case of Facebook, was not very convincing at all.
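The weak point described above, a convincing login page served from a hostname that has nothing to do with the brand, is exactly what a defender can check mechanically. The following is an added example, not code from the article or from Fortinet: it takes the brand a page claims to be (e.g. from its title) and the URL it was served from, and reports whether the hostname is a genuine subdomain of that brand's domain, a lookalike that merely embeds the brand name, or an unrelated host such as fauth.pesed.xyz. The per-brand domain allowlist is a constructed assumption.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains each brand really serves logins from
# (assumption for this example; a real deployment would maintain its own).
LEGIT_DOMAINS = {
    "facebook": {"facebook.com", "fb.com"},
    "instagram": {"instagram.com"},
    "steam": {"steampowered.com", "steamcommunity.com"},
    "gmail": {"google.com", "gmail.com"},
}


def hostname_belongs_to(hostname: str, domain: str) -> bool:
    """True only if hostname is `domain` itself or a real subdomain of it.

    Compares on label boundaries, so 'facebook.com.evil.xyz' and
    'notfacebook.com' are both rejected for 'facebook.com'.
    """
    hostname = hostname.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def classify_login_url(url: str, impersonated_brand: str) -> str:
    """Classify where a page that looks like `impersonated_brand` is served from.

    Returns 'legitimate-domain', 'lookalike', 'unrelated-domain' or 'invalid'.
    """
    # urlsplit needs a scheme to populate .hostname; tolerate bare hosts.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host:
        return "invalid"

    brand = impersonated_brand.lower()
    if any(hostname_belongs_to(host, d) for d in LEGIT_DOMAINS.get(brand, ())):
        return "legitimate-domain"

    # Brand name embedded in a foreign host (facebook-login.example, or
    # facebook.com.evil.xyz) is the classic lookalike pattern.
    if brand in host.lower().replace("-", ""):
        return "lookalike"

    # A page imitating the brand from a host that never mentions it, as in
    # the article's fauth.pesed.xyz example.
    return "unrelated-domain"
```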
A list of the different sites that users can try to impersonate.
For the sake of demonstration, I played the part of both hacker and victim. Sure enough, once I entered my newly created Facebook details, a notification popped up on Fake-Game.
“In your base entered a new account!” it reads, followed by a conveniently clear table of the victim's email address or username, password, IP address, and language.
There are plenty of different things a hacker might want to do with their newly acquired login details. Maybe they could sell them on a criminal marketplace (Fake-Game provides a link to one), or trade them for others.
Regardless, this service dramatically lowers the barrier to entry for anyone hoping to phish some login credentials. Much in the same way that some variants of malware have followed an as-a-service model, phishing now has too.