Independent IT research experts at the Irish mobile development company AdaptiveMobile have reported a large number of phishing spam campaigns aimed at users of the popular mobile game Pokémon GO.
Spammers send SMS messages containing a short hyperlink to the phishing website Pokemonpromo.xxx, which imitates the official website of the Pokémon GO application. This phishing site promises players additional bonus opportunities if they recommend it to ten other users. Currently, the website is down.
Another Pokémon GO phishing scam uses emails pretending to be from the game developer Niantic, Inc. and demands that players pay $12.99 per month to get a full version of the Pokémon GO game. If the players don’t agree to make this payment, the email claims that their account will be suspended within the next 24 hours. Players who do fall for this phishing scam are redirected to a website which is designed to steal their credentials and credit card payment information.
In their phishing SMS campaigns, spammers offer 14,500 Pokecoins (virtual currency in the Pokémon GO game) to players who were able to earn 100 points. Malicious SMS messages typically contain a short link to various phishing websites, including Pokemon Generator. These websites ask users to provide their login and password in order to transfer Pokecoins into their accounts. According to the experts, phishing hyperlinks were sent en masse not only via SMS messages, but also through various social networks and gaming forums.
With the growing popularity of Pokémon GO, the game began to attract malware creators too. For example, many PC users suffered from a fake Pokémon GO application for the Windows OS. This app hides a ransomware threat that encrypts system files and installs a backdoor on the target host.
How to Protect Yourself from Phishing Attacks:
1. Be wary of any unexpected SMS messages you receive mentioning the Pokémon GO application – especially if the SMS contains a clickable URL.
2. Download the game from official app stores only and never from third-party websites.
3. Do NOT enter your credit card information on unfamiliar third-party websites. Scammers can fake any details, including a company's official website design, logo, contacts and the “Sent” email address.
4. Be wary of any unexpected emails that contain URLs or attached files. Do NOT download any attachments to your PC or click on links!