Contributors: Ionel Pomana, Kevin Judge
Video games have played an important role in the history of computers and are a significant reason for their popularity as a consumer product. Families had video game players in their homes long before they had personal computers. The ability to provide web sites that more closely replicate the experience of standalone software has improved dramatically in recent years, so it is no surprise that online gaming web sites have also boomed.
According to ebizmba.com, the top gaming web site is ign.com with an astounding 20 million monthly visitors. In fact, all the sites on their top 15 list exceed 1.5 million visitors per month. It is also no surprise that criminal hackers are attempting to exploit their popularity for nefarious schemes.
Major targets of such schemes are games that are delivered through Steam, a popular game delivery platform. These games can be played offline or online, with or against other human players. Unfortunately, online players may also have the company of “players” that they are not aware of: criminal phishers and malware writers.
Some games have so-called “in-game items” which players use to improve the gaming experience. These items are purchased during the game with real money and their price can vary from a few cents to several hundred dollars. Players use them in the game, exchange them for other items or sell them to other players in a “Community Market”.
This means a gamer’s account can be a rich prize if compromised by fraudsters.
Malware that attempts to compromise gaming accounts is not something new, but Comodo Antivirus Labs has identified a new approach that criminals are using to hijack the accounts of Steam-delivered games. This article and the following information are provided to make gamers aware of such threats and help them avoid them.
It all starts with a message received from an unknown individual via the game’s messaging system. The user is asked, for various reasons, to follow a hyperlink.
The primary goal of the hacker is to obtain the player’s online gaming credentials.
The hyperlink takes the user to a site that resembles a legitimate website, but in fact is a phishing page designed by the hackers. In our case, the linked domain name is very similar to that of a legitimate third-party site for trading game items, with just two letters changed in the domain name.
The user can easily mistake it for the well known legitimate site.
Once the link is opened, it displays a copy of the legitimate trading site with a very attractive and profitable trade offer. Refer to the screen print below:
On the legitimate trade website, a trade offer can be responded to by signing in with your game account using the OpenID protocol. When a user wants to sign in, he’s redirected to the game’s vendor website, where he logs in and confirms that he wants to login on the third-party website as well.
He is then redirected back to trading website where he is now logged in and can initiate or respond to any trade he wants. However, on the phishing website the situation is a bit different.
Once the gamer hits the sign-in button, he is not redirected to the game vendor’s website, but to a page on the same phishing domain that closely imitates the vendor’s login page, where he is asked to enter his account credentials.
A clue that this is not a legitimate site is that SSL is not enabled. Any time you are at a web site that asks you to enter personal information, don’t do it unless you have confirmed that the address line says “https” instead of just “http” and that a lock icon is displayed. Every legitimate online business enables SSL because it protects its users with secured communication.
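The two warning signs described above, a sign-in page served without HTTPS and a domain that differs from the real one by only a couple of letters, are both mechanical checks. The following added example (not code from the article or from Comodo) shows how a browser extension or mail gateway could score a sign-in URL against an allowlist of trusted hosts. The host names in TRUSTED_HOSTS are constructed placeholders, not the real vendor or trading-site domains.

```python
from urllib.parse import urlsplit

# Constructed allowlist: placeholders standing in for the game vendor's real
# login host and the legitimate trading site. Not taken from the article.
TRUSTED_HOSTS = {"login.vendor.example", "trade.example"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character insertions, deletions or
    substitutions turn string a into string b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_login_url(url: str, trusted=TRUSTED_HOSTS, max_dist: int = 2) -> dict:
    """Return a verdict for a URL that asks the user to sign in.

    Flags two things the article points out: a page that is not served over
    HTTPS, and a host that is a few edits away from a trusted host (the
    'two letters changed' lookalike). Exact-match hosts are trusted; anything
    else is suspicious, with the closest trusted host named in the finding.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("no TLS: credentials would travel in clear text")
    if host in trusted:
        verdict = "trusted"
    else:
        dist, closest = min((levenshtein(host, t), t) for t in trusted)
        if dist <= max_dist:
            findings.append(
                f"host {host!r} is {dist} edit(s) from trusted {closest!r}: possible lookalike")
        else:
            findings.append(f"host {host!r} is not a trusted sign-in host")
        verdict = "suspicious"
    return {"host": host, "https": parts.scheme == "https",
            "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: a lookalike host with two letters swapped, served over plain HTTP.
    for u in ("https://login.vendor.example/openid",
              "http://logim.vendor.exanple/login"):
        print(u, "->", check_login_url(u))
```

A real deployment would populate the allowlist from the vendor's published login hosts and would treat a near-miss as a hard block rather than a warning, since a legitimate operator never needs a host two letters away from its own.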
In this case, when the user and password data are submitted, no login action is performed. Instead the submitted credentials are sent to the criminals who crafted the phishing website.
Many similar phishing scams, such as for bank users, would stop here with the theft of the user login credentials. Unfortunately, this scam goes the extra mile.
After credentials are submitted and stolen, a pop-up informs the user that a “game guard” needs to be enabled on the computer system in order to be able to login. The real “Steam Guard” is a set of security measures (including two-factor authentication) put in place by the game vendor to prevent account takeovers and credentials theft.
In this case the criminals are luring the user into running a malicious application, named “Steam Activation Application.exe”. The phishing website will download it as soon as the pop-up is displayed.
As seen below, the malicious application is not hosted on the respective domain, but on Google Drive.
When it is run, the application reads the path where the Steam client is installed from the registry key HKEY_LOCAL_MACHINE\Software\Valve\Steam\InstallPath.
After reading the location, it starts searching for all files whose name begins with the string “ssfn”.
When a file whose name starts with “ssfn” is found, its content is read and the binary data is converted in memory to a plain-text hexadecimal representation.
This is done so the trojan can exfiltrate the file by sending it in an HTTP POST request to the web server at 82.146.53.11.
If the upload succeeds, the application displays the message “You now have access to your Steam account from this computer!”; otherwise it displays an error message:
An error occurred while activating account (disk read error)
After displaying the success or error message, the trojan executes cmd.exe with the “del” parameter to delete itself. This way it tries to remove its traces from the system so the user does not suspect any questionable activity.
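The sequence just described (registry lookup of the Steam path, reads of ssfn* files by a process that is not the Steam client, an outbound POST, then self-deletion through cmd.exe) is a compact behavioural signature. The following added example, which is not code from the article or from Comodo, runs a detection over constructed endpoint telemetry records in the shape an EDR or Sysmon pipeline might emit. The event format, the process ids, the install directory and the user paths are all constructed for the example; the file name, registry key and destination IP are the ones the article reports.

```python
import ntpath
import re
from collections import defaultdict

# Constructed: the InstallPath value assumed for this sample host.
STEAM_DIR = r"C:\Program Files (x86)\Steam"
SSFN_RE = re.compile(r"^ssfn", re.IGNORECASE)

MALWARE = r"C:\Users\alice\Downloads\Steam Activation Application.exe"
STEAM_EXE = STEAM_DIR + r"\steam.exe"

# Constructed telemetry. pid 4100 is the trojan; pid 2200 is the real Steam
# client touching its own ssfn file, which must not raise an alert.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 4100, "image": MALWARE, "type": "registry_read",
     "target": r"HKLM\Software\Valve\Steam\InstallPath"},
    {"ts": 2, "pid": 4100, "image": MALWARE, "type": "file_read",
     "target": STEAM_DIR + r"\ssfn1234567890123456"},
    {"ts": 3, "pid": 4100, "image": MALWARE, "type": "network",
     "target": "82.146.53.11:80", "method": "POST"},
    {"ts": 4, "pid": 4100, "image": MALWARE, "type": "process_create",
     "target": f'cmd.exe /c del "{MALWARE}"'},
    {"ts": 5, "pid": 2200, "image": STEAM_EXE, "type": "file_read",
     "target": STEAM_DIR + r"\ssfn1234567890123456"},
]


def _in_steam_dir(path: str) -> bool:
    """True if the executable lives inside the Steam install directory."""
    return ntpath.normcase(path).startswith(ntpath.normcase(STEAM_DIR + "\\"))


def detect_ssfn_theft(events):
    """Group events per process and flag processes that read ssfn* files
    from outside the Steam client, escalating when the read is followed by
    an outbound POST or by the process deleting its own image via cmd.exe.

    Returns {pid: {"image", "indicators", "severity"}} for flagged processes.
    """
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)

    alerts = {}
    for pid, evs in by_pid.items():
        image = evs[0]["image"]
        own_name = ntpath.basename(image).lower()
        indicators = []
        ssfn_read = False
        for ev in evs:
            target = ev["target"]
            if (ev["type"] == "file_read"
                    and SSFN_RE.match(ntpath.basename(target))
                    and not _in_steam_dir(image)):
                if not ssfn_read:
                    ssfn_read = True
                    indicators.append(f"ssfn file read by non-Steam process: {target}")
            elif ssfn_read and ev["type"] == "network" and ev.get("method") == "POST":
                indicators.append(f"outbound POST to {target} after ssfn read")
            elif (ev["type"] == "process_create"
                  and "del" in target.lower() and own_name in target.lower()):
                indicators.append("self-deletion via cmd.exe del")
        if ssfn_read:
            alerts[pid] = {"image": image, "indicators": indicators,
                           "severity": "high" if len(indicators) > 1 else "medium"}
    return alerts


if __name__ == "__main__":
    for pid, alert in detect_ssfn_theft(SAMPLE_EVENTS).items():
        print(pid, alert["severity"], alert["image"])
        for line in alert["indicators"]:
            print("  -", line)
```

The rule keys on behaviour rather than on the file hash, so it still fires when the binary is recompiled; the hash-based indicators listed at the end of the article complement it for retrospective hunting.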
What’s the purpose of stealing “ssfn*” files? These files contain Steam account data and two-factor authentication data. When such a file is placed into Steam’s folder on another system, the two-factor authentication token is no longer required: anyone using that file has full access to the account.
In this way, the games can be accessed and played, the in-game items (some of which can be very expensive) stolen or traded for cash, the transaction history viewed, and even the account login details and email address changed, so the original owner can no longer use the account or even recover it.
The following advice applies to this scam, but also most variations of phishing scams:
SHA1: 339802931b39b382d5ed86a8507edca1730d03b6
MD5: b205e685886deed9f7e987e1a7af4ab9
Detection: TrojWare.Win32.Magania.STM