MSI are an extremely well-known manufacturer of all sorts of tech devices, with a particular flair for high spec gaming laptops. In fact, they tend to be used as bait in a lot of online scams, especially where competitions, drivers and VoIP are concerned. We recently came across a site located at
msi-games(dot)com
which has since been taken offline, and seemingly mashed up content from a variety of sources to present a convincing representation of an “all in one” hub. You want Teamspeak, MSI Speaker or even an Anti-Cheat for the upcoming “competition”? It’s all here, in one tidy package.
Sort of.
The competition the site used as bait was “ESL One Katowice 2016”, a Counterstrike Go event which is an actual real thing. Note that the website up above also contained what appeared to be a YouTube video claiming “Win 50,000$ and CS:GO Weapons just watching matches”.
For a split second, it claimed you needed to install the latest version of Flash to watch it but clicking revealed nothing. Maybe there was supposed to be a download there, but at time of writing it wasn’t active in any way (and it’s even more inactive now, given the site has gone boom).
Elsewhere, we had VoIP chat mentions with a (missing) Google Drive download:
Two potential download candidates, two total absences of a file to download. Third time’s the charm? Well…
Up above we’re being given a supposed Anticheat program, served from a Google Docs location. The file is your common-or-garden Malware, and users of Malwarebytes Anti-Malware will find we detect it as Trojan.Injector.MSIL.
Of course, with fakeouts such as the above it’s a given that you’ll get some generic Malware at the end of it, and from there the stage is set for anything from Steam account theft and damage to your OS to Cryptolocker, desktop screenshots and pretty much anything else the scammers can dream up.
The focus here should be on the tricks of the trade used by said scammers to lure people in the first place. With that in mind, then, the most common scams we tend to see are the following:
1) Big Name Fakeouts:
Often targeting well known names in gaming peripheral circles, these scams frequently have ties to other Steam / related gaming credential theft services.
If in doubt, you should always check out lists of official websites. Clues that you may be on a dubious imitation will include horribly amateurish typos, mentions of “We also do this thing with the assistance of (absolutely fake sounding hacker nonsense goes here)”, and downloads from free webhosts / Google Drive etc. If you see survey offers or additional downloads seemingly unrelated to what you’re trying to grab, there’s a good chance you should back away slowly at that point.
2) Stat Tracking
Many fake voice comms sites make use of URL shorteners which provide stat tracking, so they can easily work out how many downloads / visits they’ve had. You can put this to your advantage if the URL shortener has public stats available. In the below example, you can see a goo.gl shortened link:
We can add a .info to the end of the shortened URL which will take us to the stats page, and:
We can see that the URL leads to a Google Drive hosted file. As above, this would be a potential red flag as most if not all major peripheral makers offer downloads from their own servers. At the very least, I can’t think of anybody doing it from services such as the above.
3) It isn’t always Amateur Hour
A lot of imitation pages scrape content directly from the real thing – or make use of people with actual design skills – in an effort to look as convincing as possible. Just because many fake sites look horrendous, it doesn’t mean a good looking site is automatically the real deal.
The page above is a fake, but it looks pretty decent (I mean, I’d have put the chatbox thing on the left but we can’t have everything).
Keep the above potentially suspicious signs in mind when dealing with a new voice chat download (and related games / peripheral device downloads, for that matter) and you’ll hopefully avoid serious problems.
Christopher Boyd
