Netcraft blocked more than 1,400 Steam phishing URLs last month, spread across 331 different websites. Surprisingly, more than 90% of these sites were hosted by just one company: Hostinger.
With more than 125 million active accounts, Steam continues to make an attractive target for fraudsters. The number of phishing attacks targeting Steam rose significantly last month, even though the fraudsters behind these attacks have had to change their tactics a few times. Last year, a popular ruse was to use Steam's own chat client to trick victims into visiting look-alike domain names similar to the genuine steamcommunity.com. This modus operandi continued into 2015, but became less effective after Steam started to remove suspicious links from chat messages.
Consequently, many Steam phishers have abandoned the idea of registering their own look-alike domains (only two were blocked last month), and are instead using subdomains provided by free hosting services such as Hostinger. These allow the fraudsters to host Steam phishing sites with addresses like steamcommuniity.hol.es, steampoweredssuport.esy.es and steamcomcoomity.16mb.com – not quite as convincing as the hostnames used in previous attacks, although the deliberate misspellings are similar.
Lithuania-based Hostinger provides many different second-level domains under which its customers can host a website, and the most common ones used in these attacks were esy.es, besaba.com, 16mb.com, wc.lt, hol.es and pe.hu.
Free hosting providers are an obvious choice for fraudsters who wish to carry out phishing attacks without leaving a financial trail. Hostinger's offerings look particularly conducive for phishing, as they do not display ads on their customers' sites, and they provide support for PHP (nearly all phishing kits are written in PHP).
Nonetheless, the incredible popularity of Hostinger within the Steam phishing arena is rather unusual. While Hostinger was used to host over 90% of all Steam phishing URLs, it hosted only 0.6% of all other phishing attacks that were blocked during March.
This preference of using Hostinger could suggest that the fraudsters behind most of these Steam phishing attacks are working together or copying each others' methodologies. In addition, there are examples of phishing sites that have remained up for long periods of time, which makes it an attractive hosting location for phishers. The hostname steamcomcoomity.16mb.com (shown in the earlier screenshot) has been serving a Steam phishing site from Hostinger's infrastructure since last year and is still serving it at the time of writing.
Netcraft provides a Phishing Alerts service for hosting providers and domain registrars who are unwittingly providing facilities for phishing. Brand owners can also use Netcraft's Takedown service to identify phishing attacks against them and get fraudulent sites shut down.