Free cheese exists only in mousetraps, but businesses everywhere have been desensitizing people to the idea of freemium cheese for years.

The freemium approach is especially prevalent in the gaming industry. Game developers and publishers commonly offer users minor but genuinely free goodies — the expectation being that the gamers will get sucked in and end up spending on in-game purchases. The addictiveness of freemium cheese is what cybercriminals are exploiting when they offer giveaways of rare items for the hit title PUBG Mobile.

Giveaway for PUBG Mobile’s new season

The mobile multiplayer shooter recently launched a new season with items, monsters, and mechanics imported from another popular shooter, Metro: Exodus. No sooner had it gone live than numerous websites appeared offering the chance to win new items.

Phishing pages with a Lucky Spin giveaway for the new season of PUBG Mobile with Metro: Exodus

They all look pretty much the same: distinctly gamer-themed with PUBG Mobile and Metro: Exodus branding, plus an invitation to spin the wheel to win one of the items depicted on it. Those who know PUBG Mobile are probably familiar with this wheel; at the start of each new season, the developers of PlayerUnknown’s Battlegrounds offer the chance to get unique items by spinning such a wheel. It’s called the Lucky Spin, and it’s basically a win-win (or at least a no-loss) lottery because spinning the wheel doesn’t cost any points, but it could yield a spanking new gun.

Phishing pages with Twitter or Facebook login — a familiar option for PUBG Mobile players

To receive the item, all you need to do is log in to your account. This stage offers two options familiar to PUBG Mobile players: log in with Twitter or log in with Facebook. Either option, however, results in an error message.

If you try again, it’ll seem to work, but the page will then ask for additional account information including character name, phone number, and PUBG Mobile account level. Enter those and the system will return a positive message: Your winnings will arrive within 24 hours.

Form for entering additional data, supposedly to verify the user’s PUBG Mobile account, and confirmation that the item will be available within 24 hours

How PUBG Mobile/Metro: Exodus phishing pages work

Unfortunately for the player, the item will never arrive. All of the pages — our researchers came across 260 of them in just a few days, and their number continues to grow — were created by scammers. They have nothing whatsoever to do with Tencent, the developer of PlayerUnknown’s Battlegrounds, or the creators of Metro: Exodus. The sites’ purpose is to steal gamers’ data.

First, they grab Facebook or Twitter login credentials. The calculation here is that between the user’s desperation to get hold of the new item, and the pervasiveness of using a social network login for another app, their suspicions won’t be aroused.

But the scammers go one step further, asking for additional information, such as phone number and PUBG Mobile account level, apparently to help them evaluate the account’s resale value.

How to avoid PUBG Mobile phishing

The attackers prepared thoroughly for the start of PUBG Mobile’s new season; the pages with item giveaways are very convincing in terms of both design and requested actions. Still, on closer inspection, certain phishing elements give away the giveaway, so to speak.

  • Any item giveaway outside of PUBG Mobile’s official website or the game itself is almost certainly a scam.
  • If the site URL is not pubgmobile.com, do not enter anything; just leave immediately.
  • If a promotion is real, the game developer is unlikely to keep it a secret. Check their social media channels and the game’s official website. It’s important to make sure you’re checking the real accounts or sites. Also keep in mind that even real sites and accounts can be hacked (which has happened — and not just once).
  • Spotting convincing scams takes a keen eye — and sometimes even that’s not enough. Therefore, we recommend using a reliable security solution that blocks dangerous Web pages to protect you from online scams and phishing.
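
The URL rule in the list above can also be applied mechanically, for example by a link filter in a gaming community chat. The following Python check is an added example, not code from the original article; the function names, the HTTPS requirement and the sample links are assumptions made here.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "pubgmobile.com"  # the only domain the article says to trust


def is_official_url(url: str) -> bool:
    """True only if the URL's host is pubgmobile.com or one of its subdomains."""
    url = url.strip()
    # Backslashes and embedded whitespace are parsed differently by browsers
    # and by urllib, so treat them as suspicious instead of guessing.
    if any(ch in url for ch in "\\ \t\r\n"):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased; userinfo ("name@") and port removed
    except ValueError:
        return False
    # Assumption added here: a page that asks for a login must use HTTPS.
    if parts.scheme != "https" or not host:
        return False
    host = host.rstrip(".")  # "pubgmobile.com." is the same host
    # Exact match or a dot-delimited suffix. A substring or prefix test would
    # accept "pubgmobile.com.lucky-spin.example"; an exact comparison also
    # rejects look-alike spellings and homoglyph characters.
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def suspicious_links(urls):
    """Return the URLs that should not be trusted with a login."""
    return [u for u in urls if not is_official_url(u)]


# Constructed sample links; the look-alikes use the reserved .example TLD.
SAMPLE_LINKS = [
    "https://www.pubgmobile.com/",
    "https://pubgmobile.com.lucky-spin.example/login",
    "https://pubgmobile.com@lucky-spin.example/",
    "https://pubgmobile-com.example/spin",
    "http://pubgmobile.com/",
]

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_LINKS):
        print("do not log in:", link)
```

A passing check only means the link points at the official domain; as the list notes, real sites and accounts can still be compromised.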