Olga Svistunova – Kaspersky official blog
https://www.kaspersky.com/blog
The Official Blog from Kaspersky covers information to help protect you against viruses, spyware, hackers, spam & other forms of malware.

How to spot phishing on a hacked WordPress website | Kaspersky official blog
https://www.kaspersky.com/blog/how-to-spot-phishing-on-a-hacked-wordpress-website/48849/
Thu, 24 Aug 2023 04:41:54 +0000

Beware: hundreds of thousands of websites are fakes. They’re made to look like the sites of popular online stores, banks, and delivery services, but with just one purpose: to steal your passwords and financial data. Victims are lured to such sites by phishing emails, messenger chats, and even paid ads. But don’t despair: even if you click on a bogus link, it might still be possible to escape the scammers’ clutches without loss. As long as you spot the fake in time…

Where do phishing sites get hosted?

Sometimes scammers create a special new website and register a name for it that resembles the original (for example, netflik.com instead of netflix.com). Our separate post on fake names is worth checking out. But such sites are expensive to make and easy to block, so many cybercriminals take a different route. They hack legitimate sites of any kind, then create their own subsections where they publish phishing pages. It’s very often SMBs that fall victim to such hacks because they lack the resources to constantly update and monitor their websites. Sometimes a site hack can go unnoticed for years, which is a godsend for cybercriminals.

One of the most popular web content management systems is WordPress, and the number of hacked sites on the platform runs into the tens of thousands. However, once you know what to look for, it’s not hard to detect such sites yourself.

First sign of fakery: mismatch between site name and address

When following a link in an email, a social media post, or an ad, it pays to take a look at the URL of the site you land on. If it’s a hacked site, the discrepancy will be staring you in the face. The name of the service the fake site pretends to be might crop up somewhere in the directory path, but the domain name will be completely different; for example: www.medical-helpers24.dmn/wp-admin/js/js/Netflix/home/login.php. You know perfectly well that Netflix lives at netflix.com, so what’s it doing on medical-helpers24?

It looks like Netflix, but the URL screams phishing

Checking the URL requires a little more effort on mobile devices because many apps open links in such a way that the site address isn’t visible or is only partially visible. In this case, click on the address bar in your browser to see the site’s full address.

Second sign of fakery: directory path elements

When looking at the full address of a web page, pay attention to the tail of the URL after the domain name. It might be rather long, but just focus on the first parts. Hacked subsections of a site are usually hidden deep within WordPress service directories, so the address will most likely contain elements like /wp-content/, /wp-admin/ or /wp-includes/.

In our example, www.medical-helpers24.dmn/wp-admin/js/js/Netflix/home/login.php, one such element comes right after the domain name, confirming our suspicions that the site has been compromised.

Chances are that the URL will end in .php. Pages with the .php extension are quite common, and this in itself is not a sign of hacking. But in combination with this directory path, the .php extension is compelling evidence of guilt.
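The first two signs can be expressed as a simple check. This is an added example, not code from the original post: `check_url` is a hypothetical helper, the brand-to-domain map is an assumed placeholder, and all sample URLs except the article's own are constructed. It goes slightly beyond the text by also flagging a brand name that appears in the host itself.

```python
from urllib.parse import urlsplit

# Assumed brand -> legitimate domain map (placeholder; maintain your own list).
BRAND_DOMAINS = {"netflix": "netflix.com"}

# WordPress service directories named in the article.
WP_SERVICE_DIRS = ("wp-content", "wp-admin", "wp-includes")


def check_url(url):
    """Return the article's URL warning signs found in `url`, plus a verdict."""
    if "://" not in url:  # links are often pasted without a scheme
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    segments = [s.lower() for s in parts.path.split("/") if s]
    signs = []

    # Sign 1: the brand is named somewhere in the URL, but the host is
    # neither the brand's domain nor one of its subdomains.
    for brand, domain in BRAND_DOMAINS.items():
        on_brand_domain = host == domain or host.endswith("." + domain)
        named = brand in host or any(brand in s for s in segments)
        if named and not on_brand_domain:
            signs.append("brand-mismatch:" + brand)

    # Sign 2: the path runs through a WordPress service directory.
    wp_dirs = [d for d in WP_SERVICE_DIRS if d in segments]
    signs.extend("wp-service-dir:" + d for d in wp_dirs)

    # A .php page is only noted in combination with such a directory.
    if wp_dirs and segments[-1].endswith(".php"):
        signs.append("php-under-wp-service-dir")

    # Service directories alone are normal on any WordPress site
    # (admin pages, uploads), so the verdict hinges on the brand mismatch.
    mismatch = any(s.startswith("brand-mismatch:") for s in signs)
    if mismatch and wp_dirs:
        verdict = "likely-phishing"
    elif mismatch:
        verdict = "suspicious"
    else:
        verdict = "unremarkable"
    return {"host": host, "signs": signs, "verdict": verdict}


# First URL is the article's example; the rest are constructed samples.
SAMPLES = [
    "www.medical-helpers24.dmn/wp-admin/js/js/Netflix/home/login.php",
    "https://www.netflix.com/login",
    "https://shop.example.org/wp-admin/admin-ajax.php",
    "http://netflix.com.account-check.example/signin",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = check_url(sample)
        print(result["verdict"], result["host"], result["signs"])
```

The third sample shows why the directory path is only supporting evidence: an ordinary WordPress admin endpoint matches it without any brand mismatch.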

Third sign of fakery: the site has a different subject

If the site name seems unfamiliar or suspicious, you can perform an additional check by going to the home page. To do that, delete the URL tail, leaving only the domain name. And this may open the page of the real owner of the site, which will be totally unlike the phishing page both in subject and design. It might even be in a different language, as in the example below:

French phishing on a Chinese site

Your personal data on a fake website

It might happen that some information fields (such as your email address or bank card number) are correctly pre-filled even on a phishing site. This means that the attackers have somehow gotten hold of a database of stolen personal data and are seeking to enrich it with additional information, such as passwords and CVV numbers. To this end, they post a table with known data on the victims, and this can often be freely downloaded from the site. So, if you see your real card number on a fake site, have the card reissued straight away, then think about additional security measures for other personal data. For example, if your email has been leaked, protect your email login with a stronger password and be sure to enable two-factor authentication.

How to guard against phishing

  • Be vigilant. For the above tips to work, remember to check every link you click on.
  • Check links before you click on them — some attacks don’t require the victim to do anything but land on an infected site. On your computer, you can hover over a link to show the URL it will take you to. On your phone, tap and hold the link with your finger to see the URL in the pop-up menu.
  • Important addresses (your bank, email server, etc.) are best accessed through bookmarks or typing them manually, not through links in emails.
  • Install security solutions on all computers, tablets, and phones. Phishing can get you on any device, so use Kaspersky Premium to keep all your digital companions secure.
Scam websites offering jobs | Kaspersky official blog
https://www.kaspersky.com/blog/work-proposal-schemes/48752/
Mon, 07 Aug 2023 16:42:10 +0000

There are lots of websites with tempting offers of quick and easy money working from home. But in reality, they’re likely to be from scammers looking to get gullible users to work for them for free and advertise their “business.” This post demonstrates the operation principle of several such schemes and gives tips on how to avoid falling victim to them.

Many scams in one

Who wouldn’t want to earn money for doing regular online stuff: taking surveys, watching videos, playing games and other simple tasks? That’s how scammers lure victims to one of the sites.

Home page of a scam website offering part-time work doing regular online activities

The home page of the “platform” is overflowing with offers of easy-earning jobs. Scammers promise new recruits a whopping US$200 a day. Plus a US$25 signing-up bonus!

Of course, there are numerous reviews from grateful “users” who have already become rich. But if you bother to read them, you’ll spot a lot of grammatical mistakes.

Reviews from “users” who supposedly struck gold

To earn money on the “platform”, you are asked to complete various tasks, such as testing apps, playing games, sharing a link to the site with friends, and the like.

Tasks you get paid for

In fact, all these “tasks” are just links to other scam resources. By visiting them, users create traffic to cybercriminals’ sites. This improves their position in search results. And also, cybercriminals may have their own footfall KPIs (key performance indicators).

When the victim tries to get their “money” (the home page promises that this can be done through popular services like Cash App, Venmo, PayPal and others), they discover that they must first earn at least US$200.

Message saying you need to earn US$200 to withdraw funds

Sure, you won’t see any payout even if you do “earn” 200 bucks.

Nor can it be ruled out that the scammers’ domain will simply be blocked before the user even tries — such sites have a very short lifespan. After getting blocked, the scammers will get another domain and launch the whole scheme again with new victims.

The scam itself is quite international. Besides English, the cybercriminals’ website is available in nine other languages, although these versions look less professional.

Share it with the whole world

Now let’s talk about a similar site with a more primitive design, but with a different mechanism for making money from naive users.

The victims are offered two ways to earn. The first is to share the link and invite “referrals” to the website: you get US$1 for every 100 people. What’s more, the site supposedly lets you withdraw funds after accumulating just US$20. To earn this amount through inviting referrals, you need to attract 1500 users to the site (you get US$5 for signing-up).

Home page of a site that pays you to share its link

Sounds hard, but things aren’t all that bad: you have a chance to earn US$50 right away. But for this you’ll have to play the scammers’ game — by endlessly refreshing the page so that the two images match. They won’t, of course.

Scammers’ game

When the victim goes to the site, they are immediately asked for permission to display browser notifications. Through these, the cybercriminals distribute ads for various other scams or relatively legit adult sites. That’s the main objective: to lure as many victims as possible who will give this permission.

And the image-matching game helps the scammers boost traffic to their own site and improve its search visibility.

How to avoid falling victim?

To avoid falling for online job scams:

  • Don’t believe promises of easy money.
  • Don’t enter payment information on dubious websites.
  • Read our post on how to spot scammers.
  • Use a robust security solution that will warn you before visiting suspicious sites and keep your money and data out of cybercriminals’ hands.
Scam e-mails from “cloud-mining platform” | Kaspersky official blog
https://www.kaspersky.com/blog/bitcoin-cloud-mining-scam/47616/
Fri, 24 Mar 2023 06:00:39 +0000

Despite some instability over the past six months, the cryptocurrency market is still seen by many as a get-rich-quick scheme. Accordingly, the stream of scammers feeding off this topic won’t be running dry any time soon. To lure victims into their traps, they continue to come up with new ploys, each more innovative than the last. Today we look at a novel scheme that invites victims to withdraw funds supposedly mined by their accounts on some kind of “automated cloud-mining platform.”

While you were gone, your account got mined

It all starts with an e-mail with an attached PDF informing the recipient that nearly a year has passed since they last logged in to their “Bitcoin Cloud Mining” account, which they supposedly created once upon a time. In the interim, the scammers write, 0.7495 BTC (worth around US$15,000) has accumulated in the account. But here’s the rub: since the account has been dormant for almost a year, it will be blocked very soon — after which the mined cryptocurrency will be distributed among other platform users. Time is of the essence, though it’s not clear precisely how much of it the user actually has: the e-mail states “2 days 23:58:38” in a large font, while the small print reads “within 24 hours”. Either way, not everything is lost: the user still has time to log in and withdraw the funds.

In the attached PDF, scammers promise a large payout if the victim logs in right away; otherwise the account will be blocked

After clicking the button in the file, the user is taken to the mentioned “Bitcoin Mining” website (the word “Cloud” has been dropped from the name by this point). There, two pieces of good news await. First, it turns out that the platform remembers the user by their IP address, so there’s no need to recall the username and password. Second, the payout has now gone up to 1.3426 BTC – a little more than US$30,000 at the time of posting.

Fake Bitcoin mining platform claims to remember the user’s IP address

Now for the bad news: even less time now remains than was specified in the e-mail. The account will be blocked in precisely 18 hours, 39 minutes, 54 seconds — so get those skates on!

Fake website urging the victim to hurry up

Scammers rush the victim: no time to lose!

The username and password are already auto-filled in the form; all that remains is to click the login button.

Form for entering credentials to log in to the fake mining platform

There’s no need to remember the username and password, they are auto-filled

The fake site is surprisingly detailed, with lots of different sections to explore. For example, there’s a monthly history of accruals, a history of rewards for individual mining operations, a colorful page showing the current balance, and even a news section. Besides, occasional notifications pop up in a corner of the window stating that some other user just got a large payout.

There’s a “settings section” for changing the password, subscribing to various services, enabling auto-withdrawal of funds (not specified where to), and even allowing other users of the platform to send you money (on the notification settings tab, for some reason).

The focal point for the victim, of course, is the “Get payout” button. Clicking this button initiates what seems to be a chat between the user and a certain Sophia, who appears to be the Head of Payout Operations. Another form has to be filled out, this time with personal data, including card number (presumably the site creators collect this information to sell on).

Of course, the scammers’ goal is to squeeze real money out of the victim. So pretty soon they get down to brass tacks. The victim is offered the chance to convert the cryptocurrency into dollars by paying a small commission of 0.25%. In monetary terms, the fee turns out to be even less than that — just $64.03.

Fake site asks for a conversion fee

A small commission is charged to convert bitcoin into regular money

The “fee” must be paid in cryptocurrency, so the user is transferred to a page explaining how to purchase it.

Helping the victim purchase bitcoin

Customer care: the scam site kindly explains how to buy bitcoin

After clicking the “Pay” button, a page appears with the wallet address for sending the “fee”.

Send the payment here

Sure, after paying the “fee”, the victim receives not a penny of the promised payout, but has handed their payment and personal information to the attackers, who can then use it in other schemes or sell it on the dark web.

How to stay safe

Now for a few tips on how to protect yourself from this and other scams:

  • Don’t be fooled by sudden generous gifts: large no-strings-attached payouts. If someone dangles large winnings in front of your nose, it will probably end in tears.
  • Learn to recognize online scams. There are several telltale signs, which we covered earlier.
  • Never enter card details on suspicious sites.
  • Don’t send cryptocurrency to strangers — you won’t be able to appeal the transaction and get your money back.
  • Install a reliable security solution with built-in protection against phishing and online fraud. This will warn you in advance if you’re about to land on a dangerous site.
How cybercriminals tailor attacks for different age groups of gamers | Kaspersky official blog
https://www.kaspersky.com/blog/modern-gamers-threats/47363/
Wed, 01 Mar 2023 09:56:39 +0000

These days, a 12 or 13-year-old kid can become a professional eSports player, while the youngest of them began his career at the ripe old age of… four! The gaming world has become much younger, but all gamers — both children and adults — face multiple cyberthreats. And scammers tailor each of their schemes with a particular age audience in mind.

Although children spend less time playing online games than adults, they remain one of the most sought-after targets for cybercriminals: after all, a kid can often easily lead you to their parent’s bank card.

Free cheese still smells nice

One of the most common scams targeting young gamers takes the form of an offer to generate in-game currency for free. That’s because kids today would rather get in-game currency from their parents than pocket money. To be the coolest-of-the-cool in pretty much any online game, you need virtual coins, and lots of them — such as V-bucks in Fortnite or Robux in Roblox. To avoid having to ask their parents to fork out, children are always on the lookout for free coins, which makes them vulnerable to cybercriminals.

Relying on most children’s rudimentary knowledge of cybersecurity, scammers don’t even bother with clever schemes: they literally spell out what data they want from their victims. For instance, on one phishing site that pretends to generate gems — the currency of the popular children’s game Brawl Stars — users are asked to answer just four questions to get as many gems as they please. As well as the desired number of gems and their in-game name, the user also has to hand over the e-mail address linked to the Supercell online game store and, guess what, the password for it! Why the young gamer needs to share this data, the creators of the site never explain.

Now in possession of the victim’s e-mail, the attackers can get a security code to log in to the Supercell account and hijack it by changing the password. So, instead of picking up lots of free gems, the unfortunate player may lose both their mail account and all their accumulated experience and currency in Brawl Stars.

Free cheeeeeese!

Other scams are even more primitive. One site we found invited users to download Valorant cheats that give an advantage over other players, together with a detailed installation guide.

One of the instructions was to disable all antivirus software before installing the file — otherwise the cheat would be flagged as a false positive and not be installed. The executable file is packed in a password-protected WinRAR archive, the contents of which cannot be checked by the antivirus before unpacking, and it must be “Run as administrator” so that the virus gains full access to the victim’s computer. The longer the victim’s antivirus is disabled, the more data the scammers can potentially pump out. It helps if the child has their own computer, but what if it’s a shared home computer full of parental data, including passwords and bank card details?

The winner takes it all. From your PC.

Almost any adult would smell the cheese in the mousetrap, but to kids who know little about cybercriminal tricks, nothing feels off. Statistics show that malware disguised as Minecraft or Roblox was downloaded 3–4 times more often than games for a mature audience. For more examples of child-targeting scams, see our threat report for young gamers.

The more experienced the player, the trickier the scam

To fool hardcore gamers, scammers have to be far more sophisticated. Targeting an adult audience, they create phishing sites that mimic 18+ games, such as GTA Online. But the result is the same: the victim is either scammed out of their data and game account, or asked to take an online “I’m not a robot” test, with the offer of a prize — for example, the latest iPhone or a PlayStation 5. Only, to receive it, a small commission needs to be paid. And as you may have guessed, after paying this the gamer gets no prize and may compromise their bank card instead.

Haven’t you seen the “Grand Theft” inscription? You were warned…

Also this year, cybercriminals have learned how to mimic the in-game stores of such popular games as CS:GO, PUBG, and Warface. To get a good skin at a low price, victims had to enter their credentials for Steam, or even for social networks like Twitter or Facebook. As soon as they entered this data, their account fell straight into the hands of the cybercriminals, and all the skins and artifacts there were sold to other gamers.

A farewell to arms

Another common trick is to offer bundles (tens or even hundreds) of licensed games for peanuts. But this meager sum must be paid from your bank card. Or you can get a “Battle pass” for free, but to confirm, say, your age, you need to give the numbers on both the front and back of your credit card. No prizes for guessing that this data will most likely be stolen and then sold on the dark web.

It won’t ever be as cheap as this! Oh, wait…

How to protect yourself against such threats?

Whether you’re a rookie or hardcore gamer, the threats you face are the same, and it’s worth knowing how to guard against them:

  • Use strong passwords — a unique one for each account. Then, even if one of your accounts is hijacked, the others will still be yours. Don’t trust your memory? A password manager can help.
  • Protect your accounts further with two-factor authentication.
  • Use virtual bank cards and refill their balance exactly for the purchase amount. By entering the numbers from your bank card, you risk losing all the funds you have there. And remember that a bundle of licensed games selling for a song is a reason to be wary.
  • Install a reliable antivirus solution on your computer — one that works seamlessly with Steam and other gaming platforms.

Kaspersky's antivirus products have a special game mode that automatically activates when you start games. Antivirus database updates, scheduled drive scans, and notifications are suspended in this mode, but protection continues to run in the background. Which means:

  • your system is securely protected from any malware;
  • your personal data is monitored for leaks;
  • your passwords are stored in a secure, encrypted vault;
  • all links you follow are checked for scams and phishing;
  • your IP address is hidden by a VPN, which encrypts transmitted data and, by choosing the right server, improves ping/latency;
  • finally, the operating system settings are optimized so you don’t lose a single millisecond of gaming.
How cybercriminals hijack Telegram accounts | Kaspersky official blog
https://www.kaspersky.com/blog/telegram-takeover-contest/47195/
Thu, 16 Feb 2023 12:46:03 +0000

Telegram users have recently begun encountering various Telegram messenger hijacking schemes. Things usually start off with a message from one of their contacts containing a link to some site. The bait can be an invitation to take part in an online vote or contest, a Telegram Premium gift or trial version, a request to sign a collective petition, or something else. What all these schemes have in common is the need to authenticate via Telegram — either by entering one’s phone number and a messenger verification code, or by scanning a QR code. But that’s precisely what you should not do, otherwise you’ll likely lose your account.

How the hijackers do it

Of course, there are no contests, no petitions, and no gifts. And the message was not written by a contact, but by an attacker who’s already hijacked that contact’s account (perhaps in the same way).

The links sent by the cybercriminals are usually created using a URL shortener service. Such tools are often used when the sender doesn’t want the real address of a site to be seen. What’s more, anti-phishing tools find it harder to spot such links.

More often than not, the site looks pretty modest. The first page displays a message like “Sign in and vote” or “Free access to the trial version of Telegram Premium” — depending on the scheme in question. Next comes the messenger login screen. There are two variants here: those who opened the site on a desktop are prompted to log in using a QR code, while those on a mobile device are asked for their country and phone number. Sometimes (as shown in the screenshots) the attackers let the victim choose the more convenient option.

A cybercriminal site asking how you’d like to lose your account: by QR code or by entering a phone number.

If you provide your phone number, the attacker’s scripts log in to your Telegram account from a new device. The messenger’s security mechanism requires user confirmation and sends a verification code to your phone or computer where Telegram is already authorized. With Telegram’s two-factor authentication (2FA) turned off, this code and the phone number are all that the attackers need to log into your account. If you enter this code on the fraudsters’ site, they’ll have full control over your account, including the ability to link it to another device.

With a QR code, it’s even more straightforward — a verification code isn’t even needed. The thing is, it’s not a QR code for logging in from your phone. What it is, in fact, is a code to connect an additional device or web session to your account. If you scan this code as per the instructions, the attackers will automatically log in to your account and take control of it.

If you’re curious about other common phishing tricks, check out our report on spam and phishing in 2022.

Why cybercriminals want your account

Your stolen account can be used in various ways. The most obvious is to send out more fraudulent links to your contacts, but there are other uses too.

For starters, your account is full of data that could be used in other criminal schemes. Via the desktop version of Telegram, the bad guys can export your contact list, personal data, chat history, or files you’ve uploaded and received — which can contain confidential information. For example, some people store document scans in Favorites for quick access.

After a little while, the hijackers might also call you and offer to return your account for a fee.

How to stay safe

To begin with, take care not to follow any suspicious links. And under no circumstances should you enter a Telegram verification code anywhere except in the Telegram app itself.

To make it a bit trickier to take over your account, we recommend enabling 2FA in the messenger. This will not interfere with day-to-day communication but will guard against login attempts from other devices by asking for an extra password, adding another layer of protection.

To enable 2FA in Telegram on your phone, go to Settings → Privacy and Security and tap Two-Step Verification. After that, it remains only to set a password, create an optional hint in case you forget it, set up a recovery e-mail, and enter a confirmation code that you’ll receive in your mailbox.

What to do if you took the bait

If you’ve already fallen for a scam and entered a code on a fake site, there’s still hope. By acting quickly, you can regain control of your account. Go to Settings → Devices and tap Terminate all other sessions.

Scammers pretend to be financial regulators | Kaspersky official blog
https://www.kaspersky.com/blog/scam-for-scam-victims/46101/
Thu, 10 Nov 2022 11:26:56 +0000

Online fraud knows no bounds. Cybercriminals are adapting — not always successfully — their usual schemes for new countries. To wheedle out victims’ personal and banking data, they send e-mails purporting to be from, among others, online marketplaces, video streaming services and, of course, government agencies. Today we look at two separate scams in which cybercriminals impersonate financial regulators investigating, you guessed it, fraud. Under this pretext, they extract an array of personal information from their hapless victims.

A German tragedy in two parts

The first scam targets German residents. It starts with an e-mail in which an organization calling itself Finanzmarktaufsicht (the name suggests it has something to do with financial regulation) states that Osnabrück police has supposedly arrested some criminals and confiscated their hard drives, which were found to contain citizens’ decrypted personal data — including the recipient’s.

E-mail seemingly from “German financial regulator” Finanzmarktaufsicht

The e-mail goes on to state that, given the large number of victims, “Finanzmarktaufsicht” suspects organized crime to be at work. Hinting that the recipient of the e-mail could be one of the victims, the scammers ask them to assist in the investigation. Nothing complicated is required for this: simply follow the link to fill out a special online form, or call the number given in the e-mail.

The message itself resembles an official e-mail: it contains the logo of the “sender” government agency, the actual address of a Berlin business center (home to several financial organizations, but none bearing the name Finanzmarktaufsicht), and contact details. At the end, the scammers have gone to the trouble of adding a perfectly genuine link to an article about a real investigation published on the website of one of Germany’s most popular TV news shows.

One of the links in the e-mail points to a real article about a financial fraud investigation on the genuine website of a popular German TV news show

Although at first glance the e-mail comes across very well, upon closer inspection certain tell-tale signs can be found showing it’s bogus. First of all, the sender’s address is suspicious. It has nothing to do with the government agency that allegedly sent it. And the agency itself looks dubious: A quick search online reveals that Finanzmarktaufsicht is in fact an Austrian, not German, agency. The German equivalent goes by an even more officious-sounding name: Bundesanstalt für Finanzdienstleistungsaufsicht.

A user who fails to spot the deception and clicks the link is taken to an online form on the website of the bogus Finanzmarktaufsicht. And to receive “expert assistance”, they need to enter the following details:

  • Surname
  • First name
  • E-mail address
  • Contact phone number
  • Name of the organization they recently invested in
  • Deposit date, amount and purpose of the investment

Form for entering personal data on the fake Finanzmarktaufsicht site

Further down the page the cybercriminals promise to help return the funds stolen by the scammers, for which reason they allegedly need information to prepare documents, including past correspondence, details of bank transactions, etc. It’s most likely that later the victim will be asked for their bank card number (supposedly to reimburse the damage), be required to pay a bogus fee, or part with their money in some other way.

The bogus Finanzmarktaufsicht site itself looks as though it belongs to a bona fide government agency. The user sees several menu sections, plus detailed information about the agency including its activities, history, opening hours, contact details, and a lot more besides. Even the logo of the Austrian government agency is there on display. However, the e-mail address given there is wholly unlike the one from which the message came; it looks more like the real deal, and at least contains the abbreviated name of the agency. But it’s fake too, of course. As already mentioned, there’s no organization with that name in Germany, so anyone could register such a .de domain name. Which is precisely what the scammers did.

Information about the organization on the fake Finanzmarktaufsicht website

Swiss letter

The second scam focuses on Switzerland. This time, the e-mail “reminds” the recipient that back in 2015–2017 they supposedly invested in a company called SolidCFD. Too bad, since now it’s been closed down due to some illegal activity. And the “recovery and resolution manager” of the independent financial regulator wants to help return the investment. The pseudo-employee, alas, could not reach the recipient by phone, so the latter is asked to reply by e-mail to discuss the fate of their investment.

In this instance, the cybercriminals have chosen a financial regulator that does exist in the target country. The e-mail makes reference to FINMA, an independent financial regulator operating in Switzerland. The company mentioned in the e-mail — SolidCFD — was also real, and did have a dubious reputation (but more in the UK than in Switzerland).

As for a website, the attackers in this second scam don’t even bother with one. Most likely they’re hoping they’ll just get lucky and the user will agree to discuss their investments first by e-mail, then possibly by phone or messenger app. At that stage, employing various social engineering techniques, they’ll be able to squeeze personal information, and likely money, out of the victim.

How to protect yourself

To avoid unpleasantness and the loss of personal data and/or money, we recommend the following:

  • Pay attention to the e-mail address of the sender. If it has nothing to do with the company it purportedly comes from, or consists of random letters and numbers, you can be sure it’s a scam.
  • If the e-mail mentions a law, regulation, or high-profile case, do an online search for information about it. Can’t find anything, or what you found doesn’t match the content of the e-mail? Again, it’s no doubt fraudsters at work.
  • To learn how to spot scams, read our post on ways to detect online scams.
  • Even if you’re confident in your abilities to unmask scammers, it’s better to play it safe just in case. With that in mind, use a reliable security solution that automatically recognizes danger and warns you when visiting a suspicious website.
Bitcoin scam giveaway on a fake Nvidia website | Kaspersky official blog
https://www.kaspersky.com/blog/nvidia-giveaway-bitcoin-scam/44844/ Thu, 14 Jul 2022 10:00:57 +0000 https://www.kaspersky.com/blog/?p=44844

Online fraudsters are continuing to use the names of famous people and companies to scam cryptocurrency users. This time the scammers are exploiting the brand name Nvidia, the US developer of GPUs that are particularly popular among crypto enthusiasts. Many devices for cryptocurrency mining were created on the basis of their GPUs. Next year Nvidia turns 30, and it’s common practice for companies to celebrate round-number anniversaries. The scammers took advantage of this by arranging fake cryptocurrency giveaways.

Unheard-of generosity

The fraudsters created a fake website supposedly dedicated to Nvidia’s 30th anniversary, and announced a large bitcoin giveaway there. On the splash screen of the fake website visitors see the company logo (albeit purple, not the usual green) and the name of its CEO, Jensen Huang. Visitors are asked here to “select a category” to take part in the “event”. In fact, there’s nothing to choose from: under the invitation there’s only a single big button with the words “Bitcoin giveaway”.

Splash screen of the fake Nvidia website

After clicking the button, the user is taken to a page with detailed information about the mythical giveaway. At first glance the page looks convincing: there’s a photo of the CEO and additional menu sections, all nicely designed. But instead of the Nvidia logo there’s a Bitcoin icon, plus numerous grammatical errors in the text — something a serious company wouldn’t permit.

Here, purportedly on behalf of Mr. Huang and Nvidia, the cybercriminals announce a giveaway of 50,000 BTC (worth more than a billion US dollars at the time of writing). One of the main conditions for taking part is that users themselves must first make a contribution, like buying a lottery ticket. The scammers promise that the participant will immediately get double their money back, not to mention the prospect of winning the 50,000 BTC.

The address of the cryptowallet to which they should make a transfer is given in the instructions for participants. And at the very bottom of the page is an online broadcast of the “winnings” paid out by the organizers.

Fake website page with information about the “giveaway”


To reinforce the impression of a legitimate website, the scammers set up a fake Nvidia support chat. It’s not clear who responds to users’ messages — the criminals themselves or a robot.

Fake support chat on the website

Curiously, if you enter the address of the scammers’ cryptowallet on blockchain.com, it turns out that some money has actually been transferred to it: a total of 0.42 BTC (worth more than $8000 at the time of writing). It’s unknown who sent the funds: it could be victims or the scammers themselves, for example, to check if the wallet is working or to pretend to be “lottery” participants. In any case, there’s no trace of the reported 50,000 BTC, and no hint of double-your-money paybacks.

The scammers’ cryptowallet

If it’s good enough for Elon!…

Cryptocurrency scams in which fraudsters use the names of celebrities or well-known brands are quite common and vary in sophistication. For example, scammers masquerading as Elon Musk, Bill Gates or Pavel Durov have tried to lure Twitter users to fake cryptocurrency handouts.

More complex schemes involve fake-news websites with stories of famous people who supposedly got even richer than they already are by investing in cryptocurrency in a certain way. Those wishing to emulate their success followed links to fake websites about cryptocurrency investments. There, victims were persuaded to deposit a certain amount of money into the cybercriminals’ account, and when they did they had their personal data stolen.

How to protect yourself?

It can be really hard to resist a tempting offer. To avoid unpleasant situations, we recommend you keep some simple safety rules in mind:

  • Do not blindly trust information just because it appears to come from a celebrity or well-known brand. Double-check all information from secondary sources on official websites.
  • Do not click on links of unknown origin, such as in e-mails. It’s better to look for important information yourself using a search engine.
  • Keep your cool at the sight of contests, giveaways or lotteries offering a fortune; also be very wary when pressured to act urgently or lose money, which is another common cybercriminal trick.
  • Learn to spot online scammers; this post will help you recognize the most common signs of fraud.
  • Use a reliable security solution that warns you about suspicious websites.