Cyren Security Blog

Square Enix Phishing Campaign

From July 20 until August 16, 2021, Cyren observed a significant increase in the number of Square Enix phishing URLs. The campaign coincided with 14 days of free play announced by Square Enix on July 12, 2021.

During this period, we detected a total of 47,076 URLs for an average of about 1,700 per day. The attacks disappeared just as fast as they appeared. Between August 17 and September 1, we detected 1,105 Square Enix phishing URLs for an average of 70 per day.

The URLs were hosted across 20,730 unique domains. Most of the phishing URLs led to fake Square Enix account login pages.

secure.square-enix.com.c.dq-jp.xxxxxxx.com.ar/account/app/svc/Login.htm
secure.square-enix.com.jjp.cn.xxxxxxx.net/account/app/svc/Login.htm
secure.square-enix.com.login.zkiki.xxxxxxx.com/account/app/svc/Login.htm
secure.square-enix.com.login.q-xk.xxxxxxx.com.ar/account/app/svc/Login.htm
secure.square-enix.com.login.iius.xxxxxxx.com.ar/account/app/svc/Login.htm
secure.square-enix.com.zcls-cey.usa.xxxxxxx.com/account/app/svc/login.html
secure.square-enix.com.qacc.cn.xxxxxxx.com/account/app/svc/Login.htm

Figure 1 – Square Enix phishing URLs
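Every hostname in the list above begins with the labels secure.square-enix.com but ends in a different domain. The following Python check for that pattern is an added example, not Cyren's detection logic; it assumes square-enix.com is the brand's legitimate domain, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Assumption: square-enix.com is the brand's legitimate registrable domain.
BRAND_DOMAIN = "square-enix.com"

# Redacted examples copied from the list above, plus two constructed controls.
SAMPLE_URLS = [
    "secure.square-enix.com.c.dq-jp.xxxxxxx.com.ar/account/app/svc/Login.htm",
    "secure.square-enix.com.jjp.cn.xxxxxxx.net/account/app/svc/Login.htm",
    "secure.square-enix.com.zcls-cey.usa.xxxxxxx.com/account/app/svc/login.html",
    "https://secure.square-enix.com/",   # constructed: genuine brand host
    "https://www.example.org/news",      # constructed: unrelated site
]


def host_of(url: str) -> str:
    """Return the lowercase hostname, tolerating URLs logged without a scheme."""
    if not re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", url):
        url = "//" + url  # makes urlsplit treat the leading part as the netloc
    return (urlsplit(url).hostname or "").rstrip(".")


def classify(url: str, brand: str = BRAND_DOMAIN) -> str:
    """Return 'legitimate', 'brand-in-subdomain' or 'unrelated' for a URL."""
    host = host_of(url)
    if host == brand or host.endswith("." + brand):
        return "legitimate"
    labels, brand_labels = host.split("."), brand.split(".")
    n = len(brand_labels)
    # The brand's labels appear as a contiguous run that is NOT the end of the
    # hostname, so a different domain owner controls where this host resolves.
    for i in range(len(labels) - n):
        if labels[i:i + n] == brand_labels:
            return "brand-in-subdomain"
    return "unrelated"


def flagged(urls):
    """Return the URLs whose hostname embeds the brand under another domain."""
    return [u for u in urls if classify(u) == "brand-in-subdomain"]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify(u):20} {u}")
```

Comparing whole DNS labels rather than substrings keeps the check from firing on unrelated hosts that merely contain the brand string inside a longer label.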

Figure 2 – Fake Square Enix login page

Other URLs directed users to forum pages promoting fake game giveaways or phony petitions protesting an alleged game change by Square Enix. These forum pages then tried to obtain login credentials or redirect the user to pages designed to download a potentially unwanted program (adware) onto their device.

Figure 3 – Fake giveaway luring users to a phishing page

These threads on Reddit and a Square Enix forum suggest this phishing campaign was also spread using the in-game chat feature, whisper. Attackers frequently use communication channels other than email to avoid or delay detection.

Targeted phishing attacks often follow press releases and major events like Amazon Prime Day and national holidays. The best thing users can do is slow down and closely review emails and links before clicking calls to action, entering information, or opening attachments.
