Gamers are in the sights of attackers who have created an unusually sophisticated phishing scam to harvest Steam gaming accounts.
The attack begins with spam comments advertising a fake Steam skin giveaway site, which supposedly gives away new skins every day. The comments lure users in with promos referring to a '$30,000 giveaway' offering 26 days of free skin giveaways for the popular Counter-Strike: Global Offensive (CSGO).
Once the user has clicked through to the fake giveaway site, a "Sign in via Steam" button is displayed; clicking it presents a spoofed Steam login that harvests the user's account credentials for the attackers. A spoofed live chat window adds to the realism.
The web site also uses a valid and trusted TLS certificate, which gives additional trust to the site from various web browsers. Attackers are paying attention to what are common means to detect phishing attacks and adapting appropriately. These scammers have also built in means to handle multi-factor authentication hurdles (specifically with Steam’s SteamGuard service) by asking the user to provide the authentication code sent to their personal email address associated with their Steam account. This is a really effective tactic, since the attacker doesn’t need to compromise the victim’s mobile device or email account and has the victim relay that information on their own.
It’s important for people to be aware that phishing attacks aren’t always rudimentary, and this is a great example of how they are evolving and becoming harder to detect."
David Kennefick, product architect at edgescan, explained that Steam accounts are increasingly valuable to attackers: "Micro-markets and in-game microtransactions in gaming have introduced a monetary element for attackers, which opened up gaming platforms and their users to a wider set of attacks. Some skins and items can be worth hundreds or thousands of euros, so that makes them prime targets for attackers. If an attacker gets control of your credentials, it is game over for your Steam account. They will control all of your games and your in-game items. An attacker can just gift all of the items to themselves or a dummy account, and sell them off in the marketplace. It is difficult to trace and track it down in the Steam marketplace.
"Steam has a feature called Steam Guard which everybody should have enabled. It adds an additional level of security above your username and password. This can be enabled to register new devices and process transactions on your account. However, it will not help against malware on your machine stealing credentials or gifting items, and it will not be a full mitigation if the email address associated with your Steam ID is compromised."
The scam was detailed by Twitter user nullcookies, and appears to be just one of many similar, highly sophisticated phishing scams targeting Steam account holders.
<blockquote class="twitter-tweet"><p lang="en" dir="ltr">Picture-in-picture Steam phish using a bogus giveaway as bait. <br><br>giveavvay^.com <br><br>Of interest: webdev0^.com/base/js/faker_secrets.js <a href="https://t.co/tFJQgiLpmU">pic.twitter.com/tFJQgiLpmU</a></p>— nullcookies (@nullcookies) <a href="https://twitter.com/nullcookies/status/1200576466150477824?ref_src=twsrc%5Etfw">November 30, 2019</a></blockquote>
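The bait domain in the tweet swaps "vv" for "w" in "giveaway", the kind of lookalike that a trusted TLS certificate does nothing to flag. As an added example (not code from the article, from edgescan or from nullcookies), here is a small Python lookalike-domain check that folds common ASCII confusables before comparing a hostname against a short list of legitimate Steam domains. The confusable table, the naive two-label domain split (no public suffix list) and every sample hostname other than the tweet's are my own assumptions.

```python
import re
import unicodedata

# Added example, not the article's or nullcookies' code. The confusable table below
# is an assumption: a short list of ASCII sequences that read as another letter in
# common fonts, ordered so multi-character sequences are folded first.
CONFUSABLES = [
    ("vv", "w"), ("rn", "m"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
]

# Legitimate domains to protect (assumed list for the example).
STEAM_TARGETS = ("steamcommunity.com", "steampowered.com", "giveaway.com")


def skeleton(label: str) -> str:
    """Fold a DNS label to a 'skeleton' so that lookalikes compare equal to their target."""
    s = unicodedata.normalize("NFKC", label).lower()
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to catch single-character typos after folding."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sld(host: str) -> str:
    """Second-level label by a naive two-label split (assumption: no public suffix list)."""
    labels = host.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(host: str, targets=STEAM_TARGETS) -> str:
    """Return 'exact', 'lookalike' or 'unrelated' for a hostname against the target list."""
    host = host.lower().rstrip(".")
    # Exact match or a genuine subdomain of a target (e.g. store.steampowered.com).
    for t in targets:
        t = t.lower()
        if host == t or host.endswith("." + t):
            return "exact"
    host_sld = skeleton(sld(host))
    # Labels split on '.' and '-' so that brand-in-label hosts such as
    # steamcommunity-login.example or steamcommunity.com.example.net are caught.
    parts = [skeleton(p) for p in re.split(r"[.-]", host) if p]
    for t in targets:
        target_sld = skeleton(sld(t))
        # Caveat: for very short target labels an edit distance of 1 over-matches;
        # the Steam targets here are long enough for that not to matter.
        if host_sld == target_sld or levenshtein(host_sld, target_sld) <= 1:
            return "lookalike"
        if target_sld in parts:
            return "lookalike"
    return "unrelated"


# Constructed sample hostnames: the first is the tweet's bait domain re-armed for
# analysis; the rest are invented for the example and are not real observations.
SAMPLE_HOSTS = [
    "giveavvay.com",
    "steamcommunity.com",
    "store.steampowered.com",
    "steamcommun1ty.com",
    "steamcommunity.com.example.net",
    "example.org",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:35} {classify(h)}")
```

Run it against a list of domains pulled from proxy or DNS logs; anything classified as "lookalike" that also presents a valid certificate is exactly the case the article describes, and is worth a closer look regardless of the padlock.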