“Super Mario Run” Scams Run Wild on Social Media

Super Mario Run, the biggest gaming craze since the epic PokémonGO mania this summer, is already the latest target of a legion of social media scams. Not even Mario can outrun them.

The game, which came out in mid-December, is Nintendo’s first Mario game for mobile devices. It made an estimated $14 million in its first 3 days on the app store, all of which came from a controversial $9.99 paywall that stops players after the first handful of levels. Although the revenue seems high, Super Mario Run has an abysmal 8% conversion rate from the free version to the paid. To make matters worse, the game has been fraught with technical glitches, earning a slew of 1-star ratings in the app store. Despite the list of drawbacks, users have flocked to download the app, some of whom are even forking over $9.99 for the paid version. But now add another item to the list of drawbacks -- scammers have flocked to capitalize on the game as well.

Social media has become the super highway for all types of scams. Scams on social media range from financial scams to fake holiday coupons to malvertising. We’ve observed hundreds of Super Mario Run scams, most of which take one of a few different forms:

• Free Download Scams - by far the most common scam exploits the controversy around the $9.99 paywall. Scammers have created hundreds of fake social media accounts advertising free downloads or “hacks” to get around the paywall. Some of these accounts boast thousands of followers (see below for screenshots). All involve entering some very questionable URL or shortened link on your phone and downloading the locked levels.
• Free Coin Scams - the in-game currency of the game is coins that Mario picks up along his travels. Once again, they advertise shortened and suspicious links to claim the dubious prize.
• Hashtag Hijacking - some accounts don’t purport to give you free stuff around Super Mario Run, they simply hijack trending Mario hashtags to advertise their otherwise scammy links (“watch Rogue One free now!”). The popularity of the game is such that even non-Super Mario Run accounts are picking up its language and hashtags to spread their malicious content.

So what do all the links do? It seems to span the gambit, but you guessed it, it’s nothing good. Most of them, about three fourths, redirect to phishing pages that attempt to extort users into providing financial information. Some of them go to slightly more benign pages like ad farms and run of the mill spam sites.

The most prominent group of links, just over 70% of them, lead to variants of #####.getmariorun.com. After landing at this site, victims are presented with a banner giving them the opportunity to “Unlock Full Game Free!”, and then are finally redirected to a survey site asking for credit card information and other PII. These phishing pages claim the only way to get the “free” levels is to put in the sensitive information.

Many links redirect to survey sites asking for credit card info and other PII.

So far, the automated ZeroFox Platform has identified 341 malicious accounts (and growing), disseminating as many or more unique malicious links. The nature of social media is such that these numbers may be drastically different by this evening. They may be different within 5 minutes. The only thing we can say for certain is that they’re on the rise. Many of the accounts have been live since as early as late November, before the game was first released. Even if a fraudulent account gets taken down, building a new one takes only 10 minutes and a coffee-shop internet connection.

Although the payload ends up on your mobile device, it’s on social media where these scams live and flourish. Scammers advertise their wares on social so they don’t need to submit anything to the mobile app stores, which are tightly monitored. As such, they fall out of the purview of many external mobile threat monitoring services. Because the scammers urge you to click the link directly from YouTube, Instagram, Facebook or Twitter, the malicious content opens in a standard web browser. This is not a good sign and bypasses many security protocols built into the phone and the app stores.

The rule of thumb with these scams is obvious: don’t click them under any circumstance. Even in YouTube videos demonstrating how well the “hack” works, the scammer reveals the URL redirecting countless times and triggering all sort of warning within the phone. Of course, you’re told to ignore them. At the end of the day, you’ll download unknown content from outside a monitored app store. It should go without saying that this is never a good idea. It can lead to a variety of things, but you can be sure it’s not unlocked levels.

As part of our FoxThreats program, ZeroFox has built FoxScript rules that automatically alert our customers to these malicious accounts and URLs. To learn more about the ZeroFox Platform, visit the platform page of our website.

For anyone trying to figure out a work around for the paywall -- don’t. Either spend the $9.99 or don’t download the game at all. Your device and your security team will thank you.

Instagram:

Twitter:

YouTube:

Facebook: