Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Square Enix Phishing Campaign

by Joy Celine Faltado

From July 20 until August 16, 2021, Cyren observed a significant increase in the number of Square Enix phishing URLs. The campaign coincided with 14 days of free play announced by Square Enix on July 12, 2021.

During this period, we detected a total of 47,076 URLs for an average of about 1,700 per day. The attacks disappeared just as fast as they appeared. Between August 17 and September 1, we detected 1,105 Square Enix phishing URLs for an average of 70 per day.

The URLs were hosted across 20,730 unique domains. Most of the phishing URLs led to fake Square Enix account login pages.

secure.square-enix.com.c.dq-jp.xxxxxxx.com.ar/account/app/svc/Login.htm
secure.square-enix.com.jjp.cn.xxxxxxx.net/account/app/svc/Login.htm
secure.square-enix.com.login.zkiki.xxxxxxx.com/account/app/svc/Login.htm
secure.square-enix.com.login.q-xk.xxxxxxx.com.ar/account/app/svc/Login.htm
secure.square-enix.com.login.iius.xxxxxxx.com.ar/account/app/svc/Login.htm
secure.square-enix.com.zcls-cey.usa.xxxxxxx.com/account/app/svc/login.html
secure.square-enix.com.qacc.cn.xxxxxxx.com/account/app/svc/Login.htm

Figure 1 – Square Enix phishing URLs
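
Every hostname in Figure 1 begins with the real login hostname, secure.square-enix.com, placed as left-hand labels of an unrelated domain. A label-based check for that pattern follows as an added example (not Cyren's detection code); it assumes square-enix.com is the only legitimate domain, and the sample URLs are constructed on reserved example domains.

```python
from urllib.parse import urlsplit

# Assumption: the brand's only legitimate registrable domain.
BRAND_DOMAIN = "square-enix.com"


def classify(url: str, brand: str = BRAND_DOMAIN) -> str:
    """Return 'legitimate', 'brand-prefix-spoof' or 'unrelated' for one URL."""
    if "://" not in url:
        url = "http://" + url  # feeds often list URLs without a scheme
    # urlsplit drops userinfo, port and path, leaving only the real host.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    want = brand.lower().split(".")
    n = len(want)
    # Only the right-most labels decide who owns the host.
    if labels[-n:] == want:
        return "legitimate"
    # Brand labels further left are attacker-chosen subdomains.
    for i in range(len(labels) - n):
        if labels[i:i + n] == want:
            return "brand-prefix-spoof"
    return "unrelated"


def flag_spoofs(urls):
    """Return the URLs whose host embeds the brand domain as a subdomain prefix."""
    return [u for u in urls if classify(u) == "brand-prefix-spoof"]


# Constructed sample input (reserved example domains, not real indicators).
SAMPLE_URLS = [
    "https://secure.square-enix.com/account/app/svc/Login.htm",
    "secure.square-enix.com.login.abcd.example.net/account/app/svc/Login.htm",
    "http://secure.square-enix.com.qq.cn.example.org:8080/account/app/svc/login.html",
    "https://square-enix.com-login.example.net/account/app/svc/Login.htm",
    "https://forum.example.com/giveaway",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify(u):20} {u}")
```

The check compares whole DNS labels only, so hyphen-joined variants (the fourth sample) and punycode lookalikes need separate rules.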

Figure 2 – Fake Square Enix login page

Other URLs directed users to forum pages promoting fake game giveaways or phony petitions protesting an alleged game change by Square Enix. These forum pages then tried to obtain login credentials or redirect the user to pages designed to download a potentially unwanted program (adware) onto their device.

Figure 3 – Fake giveaway luring users to a phishing page

Threads on Reddit and a Square Enix forum suggest this phishing campaign was also spread using the in-game chat feature, whisper. Attackers frequently use communication channels other than email to avoid or delay detection.

Targeted phishing attacks often follow press releases and major events like Amazon Prime Day and national holidays. The best thing users can do is slow down and closely review emails and links before clicking calls to action, entering information, or opening attachments.
