Want to keep the TNW Conference vibe going?? Tickets for TNW2022 are available now >>

The heart of tech

This article was published on September 6, 2016

    Freemium phishing service makes stealing passwords dead simple

    Freemium phishing service makes stealing passwords dead simple
    Justin Pot
    Story by

    Justin Pot

    Justin Pot is a freelance technology journalist based in Portland Oregon with a passion for tech, nature, and starting conversations. Join h Justin Pot is a freelance technology journalist based in Portland Oregon with a passion for tech, nature, and starting conversations. Join him on Twitter if you'd like to chat.

    Stealing passwords isn’t hard: just set up a fake login page and ask people to sign in. It’s called phishing, and its big business in the cybercrime world. Big enough that some “entrepreneurs” in Russia are offering phishing as a freemium service.

    It’s called “Fake-Game,” and security researchers at Fortinet point out it’s been online for over a year. Over 60,000 active users have stolen nearly 700,000 passwords using the “service,” which makes stealing passwords as simple as sharing a link.

    Instead of creating and hosting a fake login page themselves, users can simply select a service they’d like to compromise and copy a URL. Share that URL with would-be victims and the cloud-based service will serve up convincing login pages. Users will be notified when someone takes the bait.

    FakeG7
    Credit: Courtesy Fortinet

     

    And there’s money in this. Links inside the service itself allow users to hock their ill-gotten passwords.

    “The stolen credentials can be sold from $0.015 USD up to $15.39 USD at current exchange rates,” says the Fortinet report.

    All this in a free service, though there are paid features. $3.50 a month, or $7.12 for three months, gives you access the accounts stolen by free users, and prevents paid users from seeing your stolen accounts.

    And the company is seemingly committed to customer service, giving potential criminals a friendly customer service agent to chat with should they have any questions.

    If this scares the crap out of you, take some time to protect yourself. First, always verifying that login pages are what they seem by looking at your address bar before logging in. Second, enable two-factor verification on every site that offers it. Third, make sure you change your passwords regularly, so anything already stolen can’t be used against you. Stay safe out there!