Facebook phishing with PUBG Mobile spoofing page

A phishing campaign targeting PUBG Mobile players uses fake “Lucky Spin” pages to steal Facebook credentials by promising free, exclusive in-game rewards. These deceptive websites mimic official branding and capture user data via fraudulent login forms, leading to account theft and potential sale on the dark web. To protect your account, only trust promotions from official PUBG Mobile channels and enable two-factor authentication.

This screenshot shows a phishing page impersonating Facebook, luring victims with a promise of an “Additional Reward for Season II” for PUBG MOBILE. The page asks for the victim’s mobile number or email address and password to “connect” the game account.


Threat Analysis: Facebook / PUBG Mobile Phishing – Credential Harvesting

How it works:
The victim receives a link via social media, SMS, or messaging app promising a free reward (e.g., in‑game currency, skins, or other bonuses) for PUBG Mobile. The link leads to this page, which mimics the Facebook login interface. The victim is told they must log in with Facebook to claim the reward. When they enter their phone number/email and password and click “Log In,” the credentials are captured and sent to the attacker.

The goal:
The attacker steals Facebook credentials to:

  • Take over the victim’s Facebook account
  • Access the linked PUBG Mobile account (and any other connected games or services)
  • Post spam or malicious links from a trusted account
  • Use the same email/password combination to compromise other accounts (credential stuffing)
  • Sell the account or its data on criminal markets

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not facebook.com. Legitimate Facebook login pages are only on official Facebook domains.
  • Reward lure: Facebook does not offer “season rewards” for PUBG Mobile via a login page. This is a common gaming scam tactic.
  • No personalization or security indicators: The page lacks the security badges, privacy shortcuts, and personalized elements (e.g., profile picture, saved account) that appear on a real Facebook login page.
  • Unsolicited reward offer: Any unsolicited message promising free in‑game currency or rewards in exchange for logging in via a link is almost certainly a scam.
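
The first two red flags can be checked mechanically when triaging a reported link. The script below is an added example, not part of the original analysis; the allowlist, the lure keywords, and the sample URL and HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: allowlist limited to the one domain the article names.
OFFICIAL_DOMAINS = ("facebook.com",)
LURE_WORDS = ("reward", "lucky spin")  # constructed keyword list

def host_of(url):
    """Hostname the browser connects to (userinfo before '@' is ignored)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_official(url):
    """True only for an allowlisted domain or a real subdomain of it."""
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

class FormScan(HTMLParser):
    """Records whether the page has a password field and its visible text."""
    def __init__(self):
        super().__init__()
        self.has_password = False
        self.text = []
    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.has_password = True
    def handle_data(self, data):
        self.text.append(data.lower())

def triage(url, html):
    """Return the article's red flags that apply to a reported page."""
    if is_official(url):
        return []
    scan = FormScan()
    scan.feed(html)
    text = " ".join(scan.text)
    flags = []
    if scan.has_password and "facebook" in text:
        flags.append("Facebook-branded login form on " + host_of(url))
    if scan.has_password and any(w in text for w in LURE_WORDS):
        flags.append("reward lure next to a password field")
    return flags

# Constructed sample of a reported page (not taken from the campaign).
SAMPLE_URL = "https://facebook.com.season-reward.example/login"
SAMPLE_HTML = """<title>Log in to Facebook</title>
<p>Additional Reward for Season II - PUBG MOBILE</p>
<form method="post"><input name="email"><input type="password" name="pass"></form>"""

if __name__ == "__main__":
    print(triage(SAMPLE_URL, SAMPLE_HTML))
```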

What to do if you encounter this:

  • Do not enter your Facebook email/phone or password.
  • If you have already entered your credentials, change your Facebook password immediately and enable two‑factor authentication (2FA). Also check for any unauthorized activity or connected apps.
  • Always access Facebook by typing facebook.com directly into your browser.
  • Claim in‑game rewards only through the official game app or store – never through external links.

Protective measures:

  • Bookmark the official Facebook login page and use that bookmark.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your Facebook account.
  • Be suspicious of any unsolicited message that asks you to log in to claim a reward.
  • Never log in to Facebook via a link sent in a message or posted on social media.
