Young gamer playing a game

Final Fantasy 14 players targeted by QR code phishing

Final Fantasy 14, the smash-hit online role playing game, is under fire from scammers. The attack is a devious way to try and compromise player accounts, making use of free item promises and bogus QR codes.

As the game is a constantly changing service, it’s almost impossible to keep up with new features, offers, and content. The developers announce these changes on their blog, The Lodestone. What’s being talked about at the moment is the QR code-centric phishing attack.

The developers write:

As we have mentioned in the past, we have confirmed that certain individuals are attempting to direct players to fake login websites which imitate the Square Enix Account Management System in an effort to steal (also known as “phishing”) information such as their Square Enix ID and password, as well as date of birth.

Please also be aware of the following methods used to direct players to fake pages:

・Using FFXIV in-game chat to direct players to fake pages imitating Square Enix websites, including the Support Center, the Lodestone, and the official FINAL FANTASY XIV Forums.

・Including a QR code in an image disguised as an official Twitter or forum post, and scanning the QR code displays fake pages.

・Disguising as a FFXIV game play video with a link to fake pages as part of the video or in the description.

Before opening any URLs, we urge you to confirm that they are legitimate and not a fraudulent imitation.

How the QR code phish attack works

Thanks to players grabbing screenshots, we can show you what these attacks typically look like.

Scammers send direct messages (tells) to other players. Many of the accounts sending these messages appear to have been hijacked themselves. A link is sent to the victim, directing them away from the game to image hosting services.

What waits for them is a screenshot of a faked Tweet from the official Final Fantasy 14 account.

It reads as follows:

We’ve decided to sneak another mount into the 6.2 release. Scan the QR code to automatically add the mount. This mount is only available until 4th September, after this date the mount will become tradeable and will be the only way to own this, so claim it now.

Mounts, pets, and other in-game items can be quite expensive. As a result, any promise of free items will no doubt catch some attention. Scanning the QR code will take the would-be item grabber to a fake login portal. Once the account is stolen, the scammers are free to use it to continue the phishing antics. Gaming accounts with a lot of in-game funds or items attached are of course very valuable. Depending on the game and how trading works, they may sell the account, or items, or trade other content. Final Fantasy 14 players are also at risk due to the perils of Real Money Trading. Often, phishing feeds into this activity too.

Avoiding the scam

In terms of bogus websites, Square Enix has this advice:

The Square Enix Account Management System complies with EV SSL certification. Should a website ask for your Square Enix Account information, please make sure that the website is legitimate before entering any information. On certain web browsers, the address bar will display an icon indicating the website’s security certificate. On a legitimate Square Enix Account Management System login page, clicking this security icon will display references to “SQUARE ENIX CO., LTD.”

* On a legitimate website operated by SQUARE ENIX CO., LTD., no other pages apart from login pages will require password entry, nor will any of our staff ever ask you for your password.Examples of characteristics used in phishing URLs:

* The “s” is missing from “https” in the URL of the login page. The fake website will display http:// in the URL.

* The hyphen symbol is missing from “square-enix.” The fake website will display variations of “squareenix” in the URL.

* The letter “i” is replaced with various characters like “l” or “j.” The fake website will display “square-enlx” or “square-enjx.”

* The “com” in “” is replaced by various domains.

In terms of additional account security, you can make use of a One Time Password to further bolster your security defences. This can be done via an app, or through physical hardware tokens.

QR code scams are very popular in Final Fantasy land, and you can bet they’ll come back around in another form in the near future.

Stay safe out there!


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.