Attacks target users with valuable items and increase in complexity

Jun 25, 2014 22:03 GMT

The Steam gaming community is a constant target for phishing, and new attacks are perpetrated through the chat client, allowing the fraudsters to focus on accounts with valuable items.

Active gamers with trusted accounts are in the crosshairs because these accounts allow items to be traded immediately. According to the Steam Trading support page, “any account that has made any valid purchase from the Steam Store more than 30 days ago is considered trusted.”

Paul Mutton of Netcraft says that the victims are contacted over chat and offered a link to a profile with virtual items that can be exchanged. The profile is actually fake, but it looks like a legitimate one.

To reduce the risk of the victim spotting the deceit by looking at the profile URL, the fraudsters resort to typosquatting, a method that relies on using an address similar to the original but with a letter changed in the domain name, making the fraud more difficult to recognize at first glance.
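
A defender-side check for the one-letter-changed domains described above, as an added example that is not from the article or from Netcraft: it flags links whose domain is within two edits of a known Steam domain. The domain allowlist, the threshold of two edits and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains to protect (not listed in the article).
LEGIT_DOMAINS = ("steamcommunity.com", "steampowered.com")
MAX_EDITS = 2  # assumption: a changed, dropped, added or swapped letter or two

def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent swapped letters ("ae" for "ea") count as a single edit.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]

def classify(url):
    """Return (verdict, matched_domain) for a link pasted into chat."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Simplification: treat the last two labels as the registrable domain
    # (no public-suffix list, so "example.co.uk"-style names are not handled).
    registrable = ".".join(host.split(".")[-2:])
    if registrable in LEGIT_DOMAINS:
        return ("legit", registrable)
    dist, nearest = min((edit_distance(registrable, d), d) for d in LEGIT_DOMAINS)
    if dist <= MAX_EDITS:
        return ("lookalike", nearest)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample links, not taken from the article.
    samples = [
        "https://steamcommunity.com/id/someone",
        "http://steamcommunlty.com/id/trader",   # "i" replaced by "l"
        "steamcomunity.com/profiles/1",          # one "m" dropped
        "https://store.steampowered.com/",
        "https://example.org/",
    ]
    for link in samples:
        print(link, "->", classify(link))
```
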

Trading virtual Steam items can be done with friends, so the victim has to add the fake profile to the list of friends. This is when the victim is asked for their Steam login credentials, which are automatically sent to the crook.

However, the security measures imposed by Steam require two-factor authentication (2FA), a feature that is automatically enabled for users with verified email addresses.

One way to bypass 2FA is to use an “ssfn” file that acts as an authentication key and is available in the Steam folder. Simply asking the user to upload it would raise suspicions, so the attacker resorts to another deceit: getting the user to download an executable named SteamGuard.exe.

In fact, this is a piece of malware designed to search for the “ssfn” file and send it to the fraudster by uploading it to a hardcoded address.

The pop-up serving the malware is also made to look as if it came from the Steam developers, and it disguises the trickery by telling the user that the download is an added security measure required to grant access to the account.

With the login credentials in hand and the two-factor authentication bypassed, the fraudster has free access to the victim’s account and the coveted virtual items.

Albrecht Neumann, a mathematics student in Germany, told Netcraft that keys and earbuds are a relatively stable currency on the Steam market, and some gamers accumulate these sorts of goods, increasing the value of their accounts to thousands of dollars.