Warning: beware of fake TibiaMaps.io copies!

Wanna-be hackers (script kiddies) are setting up fake copies of TibiaMaps.io that offer malicious downloads instead of our legitimate downloads. People are buying Google ads to make these phishing sites appear at the top of search results for queries such as “Tibia maps”.

In the above screenshot, the first two results are ads leading to phishing sites that serve malicious downloads. The real TibiaMaps.io website is only the third result (i.e. the first non-ad result).

What can I do to protect myself and others?

Don’t visit TibiaMaps.io through Google Search! You might accidentally end up on one of the fake sites instead. Either bookmark TibiaMaps.io right now, or — if you ever forget our URL — go to the supported fansites list on the official Tibia website and click through from there.

If you come across one of these fake websites, please do the following:

  1. Report the phishing site to Google’s Safe Browsing team. This way, others visiting the website might get an automated warning message.
  2. Let us know about the fake website (we’re on Twitter and Facebook) so we can report it as well.

What happens if I run their malicious downloads?

Someone who goes by the name of Gacek Sorcerer grabs your credentials and ruins your Tibia account. (They have been setting up other Tibia-related phishing websites too, e.g. about Tibialyzer.)

Let’s take a closer look at their malicious downloads, named Tibia 10 maps.exe and Tibia 11 maps.exe. These are self-extracting executables made with WinRAR. (Note: they can be extracted from the command line using e.g. unrar e 'Tibia 11 maps.exe'.) Each of them uncompresses to two files:

  1. Tibia10_maps.exe or Tibia11_maps.exe — exact copies of our legitimate executable downloads
  2. checking_version.exe — a highly suspicious and malicious file

The latter is most likely a keylogger. The VirusTotal report reveals that this program copies itself to %APPDATA%\srchost\srchost.exe and adds a startup item to C:\Documents and Settings\<USER>\Start Menu\Programs\Startup\srchost.eu.url, ensuring the keylogger runs every time the system boots up.

The SHA-256 checksums of the known malicious files are listed below. (Of course, these people could easily create new malicious files that hash to different values.)

$ sha256sum malicious-fake-downloads/Tibia*
fb602c7d532118e232b1fbf9c313375c772b0a2b6e65f044003d9671aa4c02e7 Tibia 10 maps.exe
712c585e23be3fe46bb02e934d4217de6a78002c72b02def1f904fe1bf203d49 Tibia 11 maps.exe

$ sha256sum malicious-fake-downloads/checking_version.exe
8591d50b58c84bb9fd5d48307ec00c6cf12840c6dbbf1bd2edb773a40e438051 checking_version.exe

$ sha256sum malicious-fake-downloads/srchost.exe
8591d50b58c84bb9fd5d48307ec00c6cf12840c6dbbf1bd2edb773a40e438051 srchost.exe

January 2019 update: Another fake TibiaMaps.io copy popped up recently, and it offered a separate set of malicious downloads. Here are their SHA-256 checksums:

$ sha256sum malicious-fake-downloads/Tibia*
863e332fb5f090a2d5607b72c7689ca1ed890a3cd18c2ed8aa48d0da3ecfdf71 malicious-fake-downloads/Tibia Maps 11.exe
0f1865471937332036323a409760771e55eea2789112057aaaa8fb6f97a739b2 malicious-fake-downloads/Tibia Maps 11.zip

March 2019 update: Another fake copy was spotted and reported to us. Here are the SHA-256 checksums of their malicious downloads:

$ sha256sum malicious-fake-downloads/Tibia*
6ed484ab91372b533136c1c0f3c1fbad4e83d721cbf0a36b3ccfe5f2a13a76fb malicious-fake-downloads/Tibia Map 11.exe
119d6abed6ebbb81f4e3bbc044b55b4a8dabdc9c951fe3a4e18332ea7af8b62b malicious-fake-downloads/Tibia Map 11.zip
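
A way to check a machine against the checksums and paths above, as an added example that is not TibiaMaps.io's own code: it parses sha256sum-style listings like the ones on this page, hashes every file under a folder and reports matches. Because new builds hash to different values, it also looks for the %APPDATA%\srchost\srchost.exe copy named in the VirusTotal report, regardless of its hash. The function names and the two command-line arguments (a text file holding the pasted listings, and the folder to scan) are assumptions.

```python
import hashlib
import os
import re
import sys
from pathlib import Path

# One sha256sum output line: 64 hex digits, whitespace, optional '*', file name.
LINE_RE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")

def parse_listing(text):
    """Map each SHA-256 in sha256sum-style text to the file name listed with it."""
    known = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # prompt lines ("$ sha256sum ...") and blank lines do not match
            known.setdefault(m.group(1).lower(), m.group(2).strip())
    return known

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large downloads are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan(root, known):
    """Return (path, listed_name) for every file under root whose hash is listed."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        try:
            digest = sha256_of(p)
        except OSError:
            continue  # unreadable or locked file: skip rather than abort the scan
        if digest in known:
            hits.append((str(p), known[digest]))
    return hits

def persistence_copy(appdata):
    """Return the <appdata>/srchost/srchost.exe path if that file exists, else None."""
    p = Path(appdata) / "srchost" / "srchost.exe"
    return str(p) if p.is_file() else None

if __name__ == "__main__":
    # Assumed usage: python check.py listing.txt FOLDER
    known = parse_listing(Path(sys.argv[1]).read_text())
    for path, name in scan(sys.argv[2], known):
        print(f"MATCH {path} (listed as {name})")
    appdata = os.environ.get("APPDATA")  # set on Windows only
    if appdata and persistence_copy(appdata):
        print(f"FOUND {persistence_copy(appdata)}")
```

A clean result only means none of the listed files were found; it says nothing about builds published after these checksums were collected.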

Stay safe, Tibians!