Malware allows attackers to take over infected PCs

Oct 6, 2016 00:05 GMT

Password reuse and recent mega breaches are putting our daily Internet lives in danger, as a recent Steam spam campaign proves.

Since last week, Steam gamers have been warning each other, via Twitter and Reddit, about a new spam campaign that tries to lure them to a site where they download malware onto their computers, which ultimately allows crooks to take over their PCs.

Password reuse puts users at risk - again

This spam campaign begins with a hacker taking over a legitimate Steam account. This is possible today thanks to the large number of data breaches disclosed this year, many of which included cleartext passwords.

If Steam gamers haven't turned on two-factor authentication for their Steam accounts and have reused the same password on multiple sites, attackers can gain control over their accounts and then use this newfound access to spam their friends with malicious links.

Since the messages come from a legitimate source, most users will click the link. In this recent spam campaign, the link leads to a website supposedly hosting a video of recorded CS:GO gameplay, for which the user needs to install Flash Player. Of course, this is a classic trick to fool gullible users into downloading a malware-laced file.

Malware installs NetSupport on all infected hosts

According to Lawrence Abrams of Bleeping Computer, in this particular case, users downloaded an executable that ran a PowerShell script, which installed the NetSupport Manager Remote Control Software.

NetSupport is a legitimate software package, similar to TeamViewer, which lets users connect to remote computers. In this particular case, the NetSupport package came pre-configured to connect back to the crook's server.

The attacker only had to authenticate on the server and take control of his latest victim's PC.

Abrams recommends that Steam gamers check their computers for the presence of the %AppData%\lappclimtfldr folder. If they find it, they're probably infected.
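The folder check Abrams recommends, as an added PowerShell example (not code from the article or from Bleeping Computer). Because %AppData% resolves per user, it looks in every local profile; it assumes the default `<profile>\AppData\Roaming` location, and the function name is hypothetical.

```powershell
# Added example: look for the folder named in the article in every local user profile.
# Assumption: %AppData% is at its default location, <profile>\AppData\Roaming.
$FolderName = 'lappclimtfldr'   # folder name as given in the article

function Find-IndicatorFolder {
    param(
        [string[]]$ProfilePaths,
        [string]$Name = $FolderName
    )
    foreach ($profilePath in $ProfilePaths) {
        $candidate = Join-Path $profilePath (Join-Path 'AppData\Roaming' $Name)
        # -Force is needed below because the folder or its files may be hidden.
        if (Test-Path -LiteralPath $candidate -PathType Container) {
            $dir   = Get-Item -LiteralPath $candidate -Force
            $files = @(Get-ChildItem -LiteralPath $candidate -Recurse -File -Force -ErrorAction SilentlyContinue)
            $bins  = @($files | Where-Object { $_.Extension -in '.exe', '.dll' } | ForEach-Object { $_.Name })
            [pscustomobject]@{
                Profile   = $profilePath
                Folder    = $candidate
                Created   = $dir.CreationTime   # rough indicator of when the folder appeared
                FileCount = $files.Count
                Binaries  = $bins -join ', '
            }
        }
    }
}

# Non-system profiles present on this machine.
$profiles = @(Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and $_.LocalPath } |
    ForEach-Object { $_.LocalPath })

$hits = @(Find-IndicatorFolder -ProfilePaths $profiles)
if ($hits.Count -eq 0) {
    Write-Output "No $FolderName folder found in $($profiles.Count) profile(s)."
} else {
    $hits | Format-List
}
```

Run it from an elevated prompt so other users' profile folders are readable. A hit on any profile means the machine should be treated as infected, as the article says.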

Incidents related to Steam malware have been observed in the past. Security researcher Bart Blaze has witnessed this same tactic (spam-malware-NetSupport) used as far back as 2014.