Winter is finally over. Fans of Game of Thrones can finally warm up and, like a hungry dragon, begin to devour the final season of their favorite TV series. Unlike this fantasy series, however, the many phishing scams aimed at its fans are very real, and there are many other threats, such as malicious software distributed through torrent sites.
Check Point Research recently discovered new malicious activity that seeks to abuse unsuspecting fans. Below is an example of a website that uses the official imagery of the TV series to pose as a legitimate contest in which fans can win Game of Thrones gift boxes. In the end, no gift is sent, and the site collects email addresses and mobile phone numbers from Internet users, probably to use them in future spam campaigns.
Fig 1: Example of a phishing site exploiting the Game of Thrones brand – gameofthronesratings[.]com
Another example, shown below, fraudulently collects credit card information from Internet users by pretending to be an official Game of Thrones store.
Fig 2: Example of a site disguised as the official Game of Thrones online store – gameofthronesofficalshop[.]with
Many Internet users can tell the difference between a real site and a fake site, but abusing trusted brands like Game of Thrones is attackers' preferred method for convincing Internet users that an email they received or a website they viewed is reliable.
Understanding the threat
The sites that we saw under the Game of Thrones brand can be divided into two main categories: legitimate sites and fraudulent sites. Even though the sites in these two categories use the popularity of the TV series to attract fans, their motivation is quite different. Legitimate sites include fan pages, online games, or smaller shopping sites, looking for prospects or new members for their communities, as shown below.
Fig 3: gameofthronesgifts.com – Shopping site
Fig 4: gameofthronesgifts.com – Fan Site
Fig 5: realgameofthrones.com – Online Game
On the other hand, fraudulent sites exploit brand popularity to display ads, acquire personal information, or persuade Internet users to install an unwanted program.
These are mostly sites that request personal information for marketing purposes, and fake streaming sites that ask users to download a browser plug-in and provide personal information without any content being shown at the end of the process.
Fig 6: gameofthronesof.com – fake streaming site
Fig. 7: gameofthronesratings.com – Site requesting personal information
How ThreatGuard can help
ThreatGuard is a SaaS product that scans a company's resources on the Web and informs the company when threats such as similar domains, exposed accounts, vulnerabilities, and risky open ports are detected. In the examples above, to find sites that exploit the popularity of Game of Thrones, we used the domain search feature.
ThreatGuard allowed us to locate similar domains in a short time and focus on a more in-depth analysis of the threats presented. We ran a keyword query for "gameofthrones" in ThreatGuard and got dozens of results. After extending the search to more common words related to the Game of Thrones series, such as names of characters and known passages, we found many other domains.
Fig. 8: The ThreatGuard main panel
ThreatGuard also allowed us to focus our research on a specific word, domain severity, active domains, and more. We visited the domains we considered most interesting safely through the ThreatGuard solution and reviewed their history. This allowed us to investigate suspicious domains without harming our hosts and to understand them better. When a malicious domain is discovered, we automatically request its removal from its registrar.
Fig. 9: Review of a similar domain
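The keyword search for similar domains described above can be reproduced over any list of observed domains. The following is an added example, not ThreatGuard's code or Check Point's method; the allowlist entry, the `.example` domains and the digit-substitution table are assumptions constructed for illustration.

```python
import re

# Keyword taken from the article's query; real monitoring would add more terms.
BRAND_KEYWORDS = ("gameofthrones",)
# Assumption: hypothetical allowlist of domains the brand owner controls.
OFFICIAL_DOMAINS = {"brand-owner.example"}
# Assumption: common digit-for-letter swaps, folded back before matching.
LEET = str.maketrans("013457", "oleast")

def refang(domain):
    """Undo defanging such as name[.]com / hxxp:// and reduce a URL to its host."""
    d = domain.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    d = re.sub(r"^[a-z]+://", "", d)
    return d.split("/")[0].rstrip(".")

def skeleton(host):
    """Letters-only form, so hyphens, dots and digit swaps cannot hide a keyword."""
    return re.sub(r"[^a-z]", "", host.translate(LEET))

def classify(domain):
    """Return (host, label); a lookalike label is a lead for analyst review, not a verdict."""
    host = refang(domain)
    if host in OFFICIAL_DOMAINS or any(host.endswith("." + o) for o in OFFICIAL_DOMAINS):
        return host, "official"
    skel = skeleton(host)
    for kw in BRAND_KEYWORDS:
        if kw in skel:
            label = "lookalike" if kw in host else "lookalike-obfuscated"
            return host, label
    return host, "unrelated"

def triage(domains):
    """Group hosts by label so analysts can start with the obfuscated matches."""
    groups = {}
    for d in domains:
        host, label = classify(d)
        groups.setdefault(label, []).append(host)
    return groups

# Sample input: four domains named in the article (defanged) plus constructed ones.
OBSERVED = [
    "gameofthronesratings[.]com", "gameofthronesof[.]com",
    "gameofthronesgifts[.]com", "realgameofthrones[.]com",
    "hxxp://game-of-thr0nes-shop.example/win",   # constructed
    "shop.brand-owner.example",                  # constructed
    "weather-news.example",                      # constructed
]

if __name__ == "__main__":
    for label, hosts in triage(OBSERVED).items():
        print(label, hosts)
```

The fan and shopping sites the article classes as legitimate are flagged alongside the fraudulent ones, which is why each match still needs the analyst categorization described above.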
How to avoid being the victim of a phishing attempt
Of course, you do not have to become the next victim of a phishing attack:
1. Take a step back before clicking. You can click on links from trusted sites, but the links that appear in emails and instant messages usually do not lead to safe destinations. Hover over any link you are not sure about before clicking on it to make sure it leads where you expect to go.
2. Make sure that a website URL begins with "https" and that a closed padlock icon is present near the address bar.
3. Verify that the domain name of the site corresponds to the one you want to visit and trust. If this is not the case, you may be about to become the next victim of a phishing scheme.
4. Ensure that you have an advanced threat-prevention solution, such as the Check Point SandBlast Agent and zero-phishing protection.
The following list of sites that use the Game of Thrones brand was compiled by Check Point and categorized by our analysts:
Blog / News:
By Oren Koren and Hadar Waldman, Check Point