Open season on PUBG Mobile accounts

Free cheese exists only in mousetraps, but businesses everywhere have been desensitizing people to the idea of freemium cheese for years.

The freemium approach is especially prevalent in the gaming industry. Game developers and publishers commonly offer users minor but genuinely free goodies — the expectation being that the gamers will get sucked in and end up spending on in-game purchases. The addictiveness of freemium cheese is what cybercriminals are exploiting when they offer giveaways of rare items for the hit title PUBG Mobile.

Giveaway for PUBG Mobile’s new season

The mobile multiplayer shooter recently launched a new season with items, monsters, and mechanics imported from another popular shooter, Metro: Exodus. No sooner had it gone live than numerous websites appeared offering the chance to win new items.

Phishing pages with a Lucky Spin giveaway for the new season of PUBG Mobile with Metro: Exodus

They all look pretty much the same: distinctly gamer-themed with PUBG Mobile and Metro: Exodus branding, plus an invitation to spin the wheel to win one of the items depicted on it. Those who know PUBG Mobile are probably familiar with this wheel; at the start of each new season, the developers of PlayerUnknown’s Battlegrounds offer the chance to get unique items by spinning such a wheel. It’s called the Lucky Spin, and it’s basically a win-win (or at least a no-loss) lottery because spinning the wheel doesn’t cost any points, but it could yield a spanking new gun.

Phishing pages with Twitter or Facebook login — a familiar option for PUBG Mobile players

To receive the item, all you need to do is log in to your account. This stage offers two options familiar to PUBG Mobile players: log in with Twitter or log in with Facebook. Either option, however, results in an error message.

If you try again, it’ll seem to work, but the page will then ask for additional account information including character name, phone number, and PUBG Mobile account level. Enter those and the system will return a positive message: Your winnings will arrive within 24 hours.

Form for entering additional data, supposedly to verify the user's PUBG Mobile account, and confirmation that the item will be available within 24 hours

How PUBG Mobile/Metro: Exodus phishing pages work

Unfortunately for the player, the item will never arrive. All of the pages — our researchers came across 260 of them in just a few days, and their number continues to grow — were created by scammers. They have nothing whatsoever to do with Tencent, the developer of PlayerUnknown’s Battlegrounds, or the creators of Metro: Exodus. The sites’ purpose is to steal gamers’ data.

First, they grab Facebook or Twitter login credentials. The calculation here is that between the user’s desperation to get hold of the new item, and the pervasiveness of using a social network login for another app, their suspicions won’t be aroused.

But the scammers go one step further,
