Malwarebytes researchers have analyzed one of these phishing attacks

Apr 18, 2014 13:29 GMT

The accounts of Steam users can be highly valuable for cybercriminals, which is why they’re always coming up with novel phishing techniques. To protect their accounts, Steam users can enable Steam Guard, but now, phishers have found a way to bypass it.

When Steam Guard is enabled, users receive a verification code via email when they log in to their accounts from a computer they haven’t used before. This normally means that attackers who have the username and password still can’t get in unless they also have access to the victim’s email account.

However, according to Malwarebytes researchers, phishers have managed to bypass this protection mechanism by adding something new to their phishing pages.

When gamers are lured to the phishing page, they’re asked to enter their credentials. Then, a second page appears with the following message:

“We see you’re logging in to Steam from a new browser or a new computer. Or maybe it’s just been a while… As an added account security measure, you’ll need to grant access to this browser by uploading the special ssfn* file from your Steam folder…Ssfn* file contains your ID number and located in a directory Steam folder (…/Program Files/Steam/ssfn* )”

So how do they bypass the protection? The key is the SSFN file. When users log in to their account from an unrecognized device, Steam Guard creates the SSFN file so that they don’t have to enter a verification code the next time they log in.

By copying the SSFN file that’s been handed over to them by the unsuspecting victim into their own Steam folder, phishers bypass Steam Guard. When they log in, they’re not asked for the verification code.

This phishing method has been around for a month or so, with many users complaining about their account being stolen this way.

Steam is aware of the issue and the company has updated its Steam Guard support page to warn users about these attacks.

“Steam will never ask you to provide any Steam Guard files. If you upload or give a user your Steam Guard .SSFN file, they can gain access to your account without accessing your email account. However, they must know your Steam account password and username to use this file,” the advisory reads.

As Malwarebytes experts highlight, these days, users should beware not only of schemes in which they’re asked to download files, but also of ones in which they’re instructed to upload something from their computer.
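As an added example (not from Malwarebytes, Valve or the original article), the following Python heuristic flags HTML pages that combine a file-upload field with a reference to ssfn files, the pattern of the lure described above. The class and function names and the three sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Matches the "ssfn*" file name the phishing text refers to.
SSFN_RE = re.compile(r"\bssfn\w*", re.IGNORECASE)

class UploadLureScanner(HTMLParser):
    """Collects file-upload inputs and ssfn mentions from one HTML page."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.file_inputs = 0
        self.ssfn_mentions = 0

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "file":
            self.file_inputs += 1
        # Attribute values (name, accept, placeholder) can also name the file.
        self.ssfn_mentions += sum(len(SSFN_RE.findall(v)) for v in a.values())

    def handle_data(self, data):
        self.ssfn_mentions += len(SSFN_RE.findall(data))

def is_ssfn_upload_lure(html):
    """True when a page both accepts a file upload and talks about ssfn files."""
    s = UploadLureScanner()
    s.feed(html)
    s.close()
    return s.file_inputs > 0 and s.ssfn_mentions > 0

# Constructed sample pages (not captured from a real site).
LURE = """<html><body><h1>Steam Guard</h1>
<p>You'll need to grant access to this browser by uploading the special
ssfn* file from your Steam folder.</p>
<form method="post" enctype="multipart/form-data">
<input type="file" name="guardfile"><input type="submit" value="Continue">
</form></body></html>"""

ADVISORY = """<html><body><p>Steam will never ask you to provide any
Steam Guard files, including your .SSFN file.</p></body></html>"""

AVATAR = """<html><body><form><input type="file" name="avatar">
<p>Upload a profile picture.</p></form></body></html>"""

if __name__ == "__main__":
    for name, page in [("lure", LURE), ("advisory", ADVISORY), ("avatar", AVATAR)]:
        print(name, is_ssfn_upload_lure(page))
```

Requiring both signals keeps a page that merely warns about SSFN files, or an ordinary upload form, from being flagged.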