Stealing passwords isn’t hard. All you need to do is just set up a fake login page and ask people to sign in.
Such practice is called phishing, and it’s a big business in the cybercrime world. Big enough that some “entrepreneurs” in Russia are offering phishing as a freemium service.
The service is called “Fake-Game,” and it’s been online for over a year. Over 60,000 active users have stolen nearly 700,000 passwords using the “service,” which makes stealing passwords as simple as sharing a link.
Instead of creating and hosting a fake login page themselves, users can simply select a service they’d like to compromise and copy a URL. Share that URL with would-be victims and the cloud-based service will serve up convincing login pages. Users will be notified when someone takes the bait:
Here is the phishing page, disguised as Google login page:
And there’s really big money in this. Links inside the service itself allow users to hock their ill-gotten passwords.
“The stolen credentials can be sold from $0.015 USD up to $15.39 USD at current exchange rates.”
Fake-Game offers a free service, though there are paid features. $3.50 a month, or $7.12 for three months, gives you access the accounts stolen by free users, and prevents paid users from seeing your stolen accounts.
On the surprising side, the company is seemingly committed to customer service, giving potential criminals a friendly customer service agent to chat with should they have any questions.
If this worries you, take some time to protect yourself. First, always verifying that login pages are what they seem by looking at your address bar before logging in. Second, enable two-factor verification on every site that offers it. Third, make sure you change your passwords regularly, so anything already stolen can’t be used against you. Stay safe out there!