by Joy Celine Faltado
From July 20 until August 16, 2021, Cyren observed a significant increase in the number of Square Enix phishing URLs. The campaign coincided with 14 days of free play announced by Square Enix on July 12, 2021.
During this period, we detected a total of 47,076 URLs for an average of about 1,700 per day. The attacks disappeared just as fast as they appeared. Between August 17 and September 1, we detected 1,105 Square Enix phishing URLs for an average of 70 per day.
The URLs were hosted across 20,730 unique domains. Most of the phishing URLs led to fake Square Enix account login pages.
secure.square-enix.com.c.dq-jp.xxxxxxx.com.ar/account/app/svc/Login.htm
secure.square-enix.com.jjp.cn.xxxxxxx.net/account/app/svc/Login.htm
secure.square-enix.com.login.zkiki.xxxxxxx.com/account/app/svc/Login.htm
secure.square-enix.com.login.q-xk.xxxxxxx.com.ar/account/app/svc/Login.htm
secure.square-enix.com.login.iius.xxxxxxx.com.ar/account/app/svc/Login.htm
secure.square-enix.com.zcls-cey.usa.xxxxxxx.com/account/app/svc/login.html
secure.square-enix.com.qacc.cn.xxxxxxx.com/account/app/svc/Login.htm
Figure 1 – Square Enix phishing URLs
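Every URL in the listing above puts secure.square-enix.com at the front of a hostname whose registered domain is something else. The Python below is an added example, not Cyren's detection logic, that flags this pattern; the brand domain constant and the example.net sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the brand's own domain, taken from the prefix in the listing.
BRAND_DOMAIN = "square-enix.com"


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname; accepts scheme-less URLs as listed."""
    if "://" not in url:
        url = "//" + url  # make urlsplit treat the leading part as the host
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return ""
    return host.rstrip(".").lower()


def is_brand_host(host: str) -> bool:
    """True only when the host is the brand domain or a subdomain of it."""
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)


def embeds_brand(host: str) -> bool:
    """True when the brand's labels appear as a run of labels in the host."""
    labels, brand = host.split("."), BRAND_DOMAIN.split(".")
    n = len(brand)
    return any(labels[i:i + n] == brand for i in range(len(labels) - n + 1))


def classify(url: str) -> str:
    host = hostname_of(url)
    if not host:
        return "unparseable"
    if is_brand_host(host):
        return "brand"
    if embeds_brand(host):
        return "lookalike"  # brand name is only a subdomain prefix
    return "other"


if __name__ == "__main__":
    samples = [  # constructed sample URLs, not taken from the campaign
        "secure.square-enix.com.login.example.net/account/app/svc/Login.htm",
        "https://secure.square-enix.com/",
        "http://notsquare-enix.com/",
    ]
    for url in samples:
        print(f"{classify(url):10} {url}")
```

The check compares whole DNS labels, so a host is treated as the brand's only when the brand domain is the rightmost part of the name.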
Figure 2 – Fake Square Enix login page
Figure 3 – Fake giveaway luring users to a phishing page
These threads on Reddit and a Square Enix forum suggest this phishing campaign was also spread using the in-game chat feature, whisper. Attackers frequently use communication channels other than email to avoid or delay detection.
Targeted phishing attacks often follow press releases and major events like Amazon Prime Day and national holidays. The best thing users can do is slow down and closely review emails and links before clicking calls to action, entering information, or opening attachments.