The phishing operation attempts to steal user account names and details from the popular teen online world.
Like other phishing sites, the attacker creates a phony page designed to look exactly like the Habbo site, said Face Time malware research director Chris Boyd.
However, said Boyd, the attack has one unique and worrisome feature: it actually logs the user into the site.
Boyd explained that normally, phishing sites will pass the user on to an " invalid login" screen after the details had been entered. This will often tip savvy users that they have just been phished, prompting them to access the actual site and change their details.
The Habbo phishing page, however, is embedded with a script which passes the login details to the actual Habbo Hotel site. In turn, the user is automatically logged in to the service, providing no clue that a phishing attack has occurred.
While the attack is currently limited to the Habbo Hotel service, Boyd worries that it could be used to great effect on more sensitive targets.
"If this kind of devious tactic is employed for banking phishes, it'll make it all the more crucial that end-users start to think about running Anti-Phishing programs and browsers that have built-in Phish Detectors because the stakes seem to have raised once again," he wrote.
.png&h=140&w=231&c=1&s=0)
_page-0001.jpg&w=100&c=1&s=0)
.png&w=120&c=1&s=0)
Tech in Gov 2025
Forrester's Technology & Innovation Summit APAC 2025
Local Government Focus Day Western Australia
Digital Leadership Day Western Australia
Government Cyber Security Showcase Western Australia
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
