Stealing passwords isn’t hard: just set up a fake login page and ask people to sign in. It’s called phishing, and its big business in the cybercrime world. Big enough that some “entrepreneurs” in Russia are offering phishing as a freemium service.
It’s called “Fake-Game,” and security researchers at Fortinet point out it’s been online for over a year. Over 60,000 active users have stolen nearly 700,000 passwords using the “service,” which makes stealing passwords as simple as sharing a link.
Instead of creating and hosting a fake login page themselves, users can simply select a service they’d like to compromise and copy a URL. Share that URL with would-be victims and the cloud-based service will serve up convincing login pages. Users will be notified when someone takes the bait.
And there’s money in this. Links inside the service itself allow users to hock their ill-gotten passwords.
“The stolen credentials can be sold from $0.015 USD up to $15.39 USD at current exchange rates,” says the Fortinet report.
All this in a free service, though there are paid features. $3.50 a month, or $7.12 for three months, gives you access the accounts stolen by free users, and prevents paid users from seeing your stolen accounts.
And the company is seemingly committed to customer service, giving potential criminals a friendly customer service agent to chat with should they have any questions.
If this scares the crap out of you, take some time to protect yourself. First, always verifying that login pages are what they seem by looking at your address bar before logging in. Second, enable two-factor verification on every site that offers it. Third, make sure you change your passwords regularly, so anything already stolen can’t be used against you. Stay safe out there!