Sophistication of phishing scams demonstrated by Steam gamer account attack

News

An example of how detailed and sophisticated phishing scams can be is provided by a current attack targeting Steam gamers - with financial loss now a concern.

Gamers are in the sights of attackers who have created an unusually sophisticated phishing scam to harvest Steam gaming accounts.  

The attack begins with spam comments advertising a fake Steam skin giveaway site, which allegedly gives away new skins everyday. Comments tempt users in with promos referring to a  '$30,000 giveaway' that contains 26 days of free skin giveaways for the popular Counter-Strike: Global Offensive (CSGO).

Once the user has clicked onto the fake giveaway site, a "Sign in via Steam" button is displayed, which when clicked will harvest user account details for the hackers. A spoof running chat window adds to the realism. 

Tarik Saleh, senior security engineer and malware researcher at DomainTools commented: "Phishing attacks aren’t always catered towards your financial or medical institutions, but can also affect personal gaming services. One of the biggest takeaways from this specific scam are the levels of sophistication and detail used in the attack, which you don't traditionally see in most phishing attacks. In this case, the attackers embedded Javascript to mimic conversations between fake users to appear to be more indicative of a legitimate service. Although not technically complex, it highlights the attention to detail these attackers went to make users feel comfortable divulging their Steam account information.

The web site also uses a valid and trusted TLS certificate, which gives additional trust to the site from various web browsers. Attackers are paying attention to what are common means to detect phishing attacks and adapting appropriately. These scammers have also built in means to handle multi-factor authentication hurdles (specifically with Steam’s SteamGuard service) by asking the user to provide the authentication code sent to their personal email address associated with their Steam account. This is a really effective tactic, since the attacker doesn’t need to compromise the victim’s mobile device or email account and has the victim relay that information on their own.

It’s important for people to be aware that phishing attacks aren’t always rudimentary, and this is a great example of how they are evolving and become harder to detect."

David Kennefick, product architect at edgescan explained that Steam accounts are increasingly valuable to attackers: "Micro-markets and in game microtransactions in gaming have introduced a monetary element for attackers, which opened up gaming platforms and its users to a wider set of attacks. Some skins and items can be worth hundreds or thousands of euros, so that makes them prime targets for attackers. If an attacker gets control of your credentials, it is game over for your Steam account. They will control all of your games and your in-game items. An attacker can just gift all of the items to themselves or a dummy account, and sell them off in the marketplace. It is difficult to trace and track it down in the Steam marketplace.

"Steam has a feature called Steam Guard which everybody should have enabled. It adds an additional level of security above your username and password. This can be enabled to register new devices and process transactions on your account. However, it will not help against malware on your machine stealing credentials or gifting items, and it will not be a full mitigation if the email address associated with your Steam ID is compromised."

The scam was detailed by Twitter user nullcookies, and appears to be just one example of many similar highly sophisticated phishing scams to be targeting Steam account holders. 

<blockquote class="twitter-tweet"><p lang="en" dir="ltr">Picture-in-picture Steam phish using a bogus giveaway as bait. <br><br>giveavvay^.com <br><br>Of interest: webdev0^.com/base/js/faker_secrets.js <a href="https://t.co/tFJQgiLpmU">pic.twitter.com/tFJQgiLpmU</a></p>&mdash; nullcookies (@nullcookies) <a href="https://twitter.com/nullcookies/status/1200576466150477824?ref_src=twsrc%5Etfw">November 30, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews