
Attackers home in on Steam gamers with help of Ramnit Trojan


Users of the popular video game distribution service Steam are being targeted by a Trojan that steals their login credentials and defeats the service's password encryption mechanism by using HTML injection.

According to security firm Trusteer, which specialises in fraud prevention services, attackers have been on a campaign to obtain Steam users' login data since mid-July.

Etay Maor, fraud prevention solutions manager at Trusteer, detailed the attackers' exploits in a blog post on Monday, revealing that a variant of the Trojan Ramnit was being used to compromise gamers.

Steam, a major software service that gives users access to more than 2,000 games, has around 54 million members and is owned by the Washington, US-based software company Valve.

Steam was the victim of a massive breach back in November 2011, in which hackers accessed the personal data of up to 35 million users contained in a database.

This time, however, the vandals targeted individual users, Etay said.

Once users are infected by Ramnit, the attackers wait for victims to log in to their Steam account, at which point they use HTML injection to capture, in plain text, passwords that the site normally encrypts. To keep Steam's operators from noticing the attacks, the malware also removes the injected code before the information is sent to Steam's website.

Maor described the man-in-the-browser (MitB) style attack on Trusteer's blog.

“To avoid detection, Ramnit simply makes sure the server never sees the injection,” he wrote. “To do so, prior to the [username and password] form being sent to the website, Ramnit removes the injected element. This can be observed in the first part of the code.”
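Why a server-side check on the submitted form misses an element that is removed before submission, and what a client-side record of form changes would show instead, is illustrated by the following added example. It is not code from Trusteer, Valve or the original article; the field names, event format and timings are constructed assumptions.

```javascript
// Added example: all names and data below are hypothetical and constructed.
// Fields the legitimate login form is assumed to contain.
const EXPECTED_FIELDS = new Set(["username", "password"]);

// Server-side view: only the names of the submitted fields are visible.
function unexpectedSubmittedFields(submitted) {
  return submitted.filter((name) => !EXPECTED_FIELDS.has(name));
}

// Client-side view: replay a log of changes to the form, of the kind a
// MutationObserver callback could record, and report every field that was
// ever present but is not on the allowlist, including fields that were
// removed again before the form was submitted.
function replayFormEvents(events) {
  const present = new Set();   // fields in the form right now
  const findings = new Map();  // unexpected field name -> lifetime record
  for (const ev of events) {
    if (ev.type === "added") {
      present.add(ev.name);
      if (!EXPECTED_FIELDS.has(ev.name) && !findings.has(ev.name)) {
        findings.set(ev.name, { name: ev.name, addedAt: ev.t, removedAt: null });
      }
    } else if (ev.type === "removed") {
      present.delete(ev.name);
      const f = findings.get(ev.name);
      if (f && f.removedAt === null) f.removedAt = ev.t;
    } else if (ev.type === "submit") {
      // What the server receives is whatever is present at this moment.
      return { submitted: [...present], findings: [...findings.values()] };
    }
  }
  return { submitted: null, findings: [...findings.values()] };
}

// Constructed event log (t in milliseconds since page load).
const SAMPLE_EVENTS = [
  { t: 0, type: "added", name: "username" },
  { t: 0, type: "added", name: "password" },
  { t: 120, type: "added", name: "extra_field" },    // not part of the real form
  { t: 5400, type: "removed", name: "extra_field" }, // gone just before submit
  { t: 5401, type: "submit" },
];

const result = replayFormEvents(SAMPLE_EVENTS);
console.log("server sees unexpected:", unexpectedSubmittedFields(result.submitted));
console.log("client-side findings:", result.findings);
```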

In an interview on Wednesday, Maor told SCMagazine.com that some researchers have begun to move away from strictly categorising malware such as Ramnit as 'banking Trojans' because variants are increasingly being repurposed to go after users at other sites.

“They are targeting everything – gaming services, dating sites – if there's a username and password associated with it, they are going to target it at some point,” Maor said.

Services such as Steam are particularly attractive for crooks, Maor added. Gaming software is usually more vulnerable to attack, considering users tend to disengage their firewalls, security solutions or any other programs that could slow down their systems while they are gaming, he explained.

“If you get access to a Steam account, you can [carry out] identity theft of the gamer, like buy games and send them as personal gifts to other people,” Maor said. “It's pretty similar to getting bank account access – their [profile] is now open and you can change their email or other account information. The last option, of course, is to just sell the credentials on an underground forum.”

It is unclear how many people have fallen victim to the latest wave of attacks.

SCMagazine.com contacted Valve, Steam's developer and owner, but did not immediately hear back from the company. Per policy, Maor said Trusteer contacted Valve prior to disclosing information about the attacks.
