Spotting Fake Indie Game Key Requests

Posted March 11th, 2021, updated April 4th, 2021 in game-development

If you're an indie game developer, you will very likely see key requests from bad actors trying to get game keys to sell. It's par for the course unfortunately, but it's increasingly difficult to distinguish genuine review requests from fake ones (especially when juggling a game release).

I recently released a game on Nintendo Switch after releasing it on Steam a year prior, and I noticed a big increase in how sophisticated the illegitimate requests were for the Switch release.

  1. Fake Review Sites
  2. Mimicked Email Addresses

Fake Review Sites

Fake review sites are websites which look like real news sites at a glance, however on closer inspection include copied and pasted content from other websites. This is especially hard to tell when the website uses a foreign language, such as Persian or Russian.

A fake Russian game review site

If you're not expecting these they're harder to spot, because the content looks real. However, there are few tell-tale signs the site is not a real review site:

  • There are no references to it on social media, no official accounts for the site
  • Googling phrases in content on the site yields results from other, similar fake websites

Another fake review site in the Persian language

I received a few of these requests from the below domain names, always via email, all fake sites:

parsjoy.com, gamovich.com, gameruss.com, gameinja.com, gamingles.com, russplay.com, irgreview.com

At the time of writing, if you look up the domains on who.is, you'll see that:

  • The hidden contact information for the domains is identical (in this case an address in Malaysia)
  • The DNS information for the domains is also the same (CloudFlare for HTTP, Rackspace for email)
  • The email requests usually look identical, with a small contact card at the footer:

I contacted the abuse departments for CloudFlare and Rackspace with the domains I received fake key requests from, though got no response.

Mimicked Email Addresses

Scammers will register an email address which looks visually identical to an official email address. For an extreme example, compare

test@example.com

with

test@еxamplе.com

The first email address uses the domain example.com. The second email address appears to use the same domain, but if you try to search this page (CTRL + F for example.com), the second email address doesn't match.

That's because it uses the Cyrillic version of е, instead of the Latin version of e (which are visually identical in most fonts).

To identify this scam, always copy the email address you receive the key request from, and verify it's the same email address listed on the YouTube channel/Twitch profile using CTRL + F.

Tagged website email fake domain game key release switch addresses language

Comments

Please click here to load comments.