Getting phished like a champion

by AJ "Tyron" Martinez @ • September 18 2019

I made a dumb mistake and probably should have lost my FFXIV account for it. The powers running the world are merciful, and I didn’t lose anything besides a small amount of ego, so I guess I should probably scratch down something about how I almost owned myself.

The hook: A fake broadcast from a notable FFXIV streamer, on an account with a similar name, that’s been viewbotted to the top of the directory with a sensational title. Below the stream, there’s a link that you can click to learn more about the circumstances behind the sensational title, ostensibly on The Lodestone, the FFXIV official forums. This link leads you to a clone of the Lodestone login page. You enter your credentials, hit Login, and nefarious online ne’er-do-wells hijack your account, instantly ruining your life.

You might think I’m a dumbass for falling for this, and you’d be right.

The part of the article where I scrubquote about phishing attacks

That setup is basic stuff. Not exactly nation-state level cyberterrorism. Even worse, I’d actually heard about the template before—RMT sites are alive and well, and most of their cash flow comes from stolen accounts like this. Because of that, I’m typically quite wary of these situations; any of a number of details would have made me instantly distrustful, but I missed some of them and simply couldn’t see the others.

I wasn’t really paying a whole lot of attention.

The other stuff I’m listing is interesting trivia that might help you to be slightly more aware if you’re in a similar situation, but I went into things super relaxed, distracted while chatting with a housemate, and wasn’t particularly vigilant. Oops.

I wasn’t able to see the empty stream chat.

Obviously, 800 viewers and a silent chat is a huge red flag, but I had brought the stream up on our living room TV, and the Android smart-tv app gives you fullscreen video and no chat by default.

I actually have no idea why Twitch, or any service using a Markdown parser, allows Markdown links that have an entire URL in their “title”; there seems to be no reason to do that unless you’re trying to mislead someone about where a link is actually going. “Oh, that URL looks legit” dropped my guard a little—dumb idiot mistake, yeah, I’ll take the L, but is there even a valid use case for this?

My mobile browser didn’t show the entire domain.

If you can’t get a one-letter misspelling or a hilarious homeograph attack, just shove a bunch of shit into the subdomain to push your shady TLD off-screen; hell, use sub-subdomains so that you can hide a fake TLD in a subdomain! I think the latter is common practice in these kind of attacks, but most of the instructive examples of this kind of thing use an example like—nobody covers subdomains 80 characters long or whatever.

The URL didn’t look wrong at a casual glance, and it was easy to miss the one or two characters out of place while not paying attention. If the full URL had been visible, the actual domain would have been a dead giveaway. Seriously, it looked about as legitimate as

(By the way, let me scrubquote about this one again; if you’re visiting a site with wackass sub-subdomain structure, maybe your browser should give you a little nudge or adjust the way it displays the domain. I think mobile Chrome’s behavior might be to display domain.tld and ignore all the subdomain shit, but I’m not certain, and Firefox definitely doesn’t.)

I expected the FFXIV official forums to be a technical dumpster fire.

This is probably my favorite. When I loaded up the page expecting to see a forum post and saw a login form instead, my first reaction was not “hey, wait, it makes no sense to require a login to view a forum post”, but “god damn, everything about Square’s web setup is fucking ass.” Past interactions with The Lodestone had me expecting hidden information, unclear gating and random fuckery. Seriously, go try to search a player by name, the amount of hidden menus involved is weird.

I don’t think this makes Square meaningfully at fault, or that there’s much they could have done to stop me from shooting myself in the foot given enough determination. I’m including it here just because I find it funny.

So you owned yourself, now what

The fake login page dropped me on the legit Lodestone news section. I only realized I’d gotten phished after poking around for a few seconds and realizing that there was definitely no forum post here. The scammers didn’t bother to fabricate anything beyond the login page because, well, why would you?

As soon as I realized I’d made a mistake, which took embarassingly long, I rushed back to my desktop and tried to log into my account from the real portal. When it worked, I rushed to change to a new random password (which, holy fuck, doesn’t require email confirmation), then turned on 2FA and checked my character for missing items. Somehow, everything was intact.

Why was I able to do this in time? Maybe the form was broken, maybe the scammers handle accounts in batches, maybe Square had some location-based security shit that saved my bacon. I’ll probably never know, but I could easily have been a millisecond away from losing that account. If you are dumb, like me, and make mistakes like me, act quickly and do what you can to protect yourself, because it might actually work?

Also, this one is obvious, but use 2FA from the start, even if it seems annoying. Typically, I use it for everything I can, but Square’s account system requires a proprietary authenticator app that has a reputation for being buggy and forgetting your secret keys at the worst times; this had happened to me last year, and after I had convinced support to remove my 2FA requirement, I never bothered to set it up again. If I had bothered, it would have protected me here, or at least bought me some time while the scammers attempted to convince support to remove it.

(Maybe I’ll get a hardware key.)

Regardless, if I wasn’t using random passwords and a password manager, this would have been really bad. Instead of changing the password to a single account, I would have needed to change the password to about 200, and that leaves plenty of time to have an account taken over, assuming you even remember every site and service you’ve registered with. So I get to feel like I did something right in this situation, even though I did almost everything wrong and survived almost entirely based on mysterious luck.

This could have been avoided if I had seen even one of the cues I’d missed, but the few that I typically look for were all camouflaged in this case, and I wasn’t dilligent enough to catch anything else. I think this can probably happen to anyone who’s sufficiently distracted and doesn’t habitually check everything. Lesson learned, empathy gained. I’m a dumbass.