Warning: beware of fake TibiaMaps.io copies!

Wannabe-hacker script kiddies are setting up fake copies of TibiaMaps.io that offer malicious downloads instead of our legitimate downloads. They are also buying Google ads to make these phishing sites appear at the top of the search results for queries such as “Tibia maps”.

In the above screenshot, the first two results are ads leading to phishing sites that serve malicious downloads. The real TibiaMaps.io website is only the third result (i.e. the first non-ad result).

What can I do to protect myself and others?

Don’t visit TibiaMaps.io through Google Search! You might accidentally end up on one of the fake sites instead. Either bookmark TibiaMaps.io right now, or — if you ever forget our URL — go to the supported fansites list on the official Tibia website and click through from there.

If you come across one of these fake websites, please do the following:

  1. Report the phishing site to Google’s Safe Browsing team. This way, others visiting the website might get an automated warning message.
  2. Let us know about the fake website (we’re on Twitter and Facebook) so we can report it as well.

What happens if I run their malicious downloads?

Some Polish dude who goes by the name of Gacek Sorcerer grabs your credentials and ruins your Tibia account. (He has been setting up other Tibia-related phishing websites too, e.g. about Tibialyzer.)

Let’s take a closer look at their malicious downloads, named Tibia 10 maps.exe and Tibia 11 maps.exe. These are self-extracting executables made with WinRAR. (Note: they can be extracted from the command line using e.g. unrar e 'Tibia 11 maps.exe'.) Each of them uncompresses to two files:

  1. Tibia10_maps.exe or Tibia11_maps.exe — exact copies of our legitimate executable downloads
  2. checking_version.exe — a highly suspicious and malicious file

The latter is most likely a keylogger. The VirusTotal report reveals that this program copies itself to %APPDATA%\srchost\srchost.exe and adds a startup item to C:\Documents and Settings\<USER>\Start Menu\Programs\Startup\srchost.eu.url, ensuring the keylogger runs every time the system boots up.

The SHA-256 checksums of the known malicious files are listed below. (Of course, these people could easily create new malicious files that hash to different values.)

$ sha256sum malicious-fake-downloads/Tibia*
fb602c7d532118e232b1fbf9c313375c772b0a2b6e65f044003d9671aa4c02e7 Tibia 10 maps.exe
712c585e23be3fe46bb02e934d4217de6a78002c72b02def1f904fe1bf203d49 Tibia 11 maps.exe

$ sha256sum malicious-fake-downloads/checking_version.exe
8591d50b58c84bb9fd5d48307ec00c6cf12840c6dbbf1bd2edb773a40e438051 checking_version.exe

$ sha256sum malicious-fake-downloads/srchost.exe
8591d50b58c84bb9fd5d48307ec00c6cf12840c6dbbf1bd2edb773a40e438051 srchost.exe
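As an added example (not part of this post and not TibiaMaps.io code), here is a small Python checker that hashes downloaded files against the SHA-256 values listed above and looks for the two persistence paths named in the VirusTotal report. The modern %APPDATA% Startup-folder default is an assumption (the report shows the older “Documents and Settings” location), and every file the demo creates is a constructed stand-in, not the real malware.

```python
import hashlib
import os
import tempfile
from pathlib import Path
# SHA-256 values copied from the sha256sum output above, used as a simple block list.
KNOWN_BAD_SHA256 = {
    "fb602c7d532118e232b1fbf9c313375c772b0a2b6e65f044003d9671aa4c02e7": "fake 'Tibia 10 maps.exe' SFX",
    "712c585e23be3fe46bb02e934d4217de6a78002c72b02def1f904fe1bf203d49": "fake 'Tibia 11 maps.exe' SFX",
    "8591d50b58c84bb9fd5d48307ec00c6cf12840c6dbbf1bd2edb773a40e438051": "checking_version.exe / srchost.exe",
}

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large download never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_downloads(paths, bad_hashes=KNOWN_BAD_SHA256):
    """Return {path: label} for every readable file whose SHA-256 is on the block list."""
    hits = {}
    for p in paths:
        try:
            label = bad_hashes.get(sha256_of_file(p))
        except OSError:
            continue  # missing or unreadable: nothing to judge
        if label:
            hits[str(p)] = label
    return hits

def persistence_artifacts(appdata=None, startup=None):
    """Look for the two drop locations from the VirusTotal report.  Assumption: the default
    Startup folder is the modern %APPDATA% one; pass the XP-era 'Documents and Settings' path explicitly."""
    appdata = Path(appdata or os.environ.get("APPDATA", ""))
    startup = Path(startup) if startup else appdata / "Microsoft/Windows/Start Menu/Programs/Startup"
    candidates = [appdata / "srchost" / "srchost.exe", startup / "srchost.eu.url"]
    return [p for p in candidates if p.is_file()]

def demo():
    """Run both checks against constructed files (stand-ins, not the real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        root, sample = Path(tmp), Path(tmp) / "checking_version.exe"
        sample.write_bytes(b"constructed stand-in, not the real dropper")
        blocklist = {**KNOWN_BAD_SHA256, sha256_of_file(sample): "constructed sample"}
        hits = scan_downloads([sample, root / "missing.exe"], blocklist)
        for drop in (root / "srchost" / "srchost.exe", root / "Startup" / "srchost.eu.url"):
            drop.parent.mkdir(exist_ok=True)
            drop.write_bytes(b"constructed")  # a real .url holds [InternetShortcut] text
        found = persistence_artifacts(appdata=root, startup=root / "Startup")
        return {"hit_labels": sorted(hits.values()), "artifact_names": [p.name for p in found]}
```

On a real machine, call scan_downloads() on the files in your Downloads folder and persistence_artifacts() with no arguments; any non-empty result means the download or system needs cleaning.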

Stay safe, Tibians!