Contributors: Ionel Pomana, Kevin Judge
Video games have played an important role in the history of computers and are a significant reason for their popularity as a consumer product. Families had video game consoles in their homes long before they had personal computers. The ability to provide web sites that closely replicate the experience of standalone software has improved dramatically in recent years, so it is no surprise that online gaming web sites have also boomed.
According to ebizmba.com, the top gaming web site is ign.com with an astounding 20 million monthly visitors. In fact, all the sites on their top 15 list exceed 1.5 million visitors per month. It is also no surprise that criminal hackers are attempting to exploit their popularity for nefarious schemes.
Major targets of such schemes are games that are delivered through Steam, a popular game delivery platform. These games can be played offline or online, with or against other human players. Unfortunately, online players may also have the company of “players” that they are not aware of: criminal phishers and malware writers.
Some games have so-called “in-game items” which players use to improve the gaming experience. These items are purchased during the game with real money and their price can vary from a few cents to several hundred dollars. Players use them in the game, exchange them for other items or sell them to other players in a “Community Market”.
This means a gamer's account can be a rich prize if it is compromised by fraudsters.
Malware that attempts to compromise gaming accounts is nothing new, but Comodo Antivirus Labs has identified a new approach that criminals are using to hijack the accounts of Steam-delivered games. This article and the following information are provided to help gamers recognize such threats and avoid them.
The Phishing Message
It all starts with a message received from an unknown individual via the game’s messaging system. The user is asked, for various reasons, to follow a hyperlink.
The primary goal of the hacker is to obtain the player’s online gaming credentials.
The hyperlink takes the user to a site that resembles a legitimate website but is in fact a phishing page designed by the hackers. In our case, the linked domain name is very similar to that of a legitimate third-party site for trading game items, with just two letters changed in the domain name.
The user can easily mistake it for the well known legitimate site.
The Phishing Sites
Once the link is opened, it displays a copy of the legitimate trading site with a very attractive and profitable trade offer. Refer to the screen print below:
On the legitimate trade website, a trade offer can be responded to by signing in with your game account using the OpenID protocol. When a user wants to sign in, he’s redirected to the game’s vendor website, where he logs in and confirms that he wants to login on the third-party website as well.
He is then redirected back to trading website where he is now logged in and can initiate or respond to any trade he wants. However, on the phishing website the situation is a bit different.
Once the gamer hits the sign-in button, he is not redirected to the game vendor's website but to a page on the same phishing domain that closely mimics the vendor's login page, where he is asked to enter his account credentials.
One clue that this is not a legitimate site is that SSL is not enabled. Any time a web site asks you to enter personal information, don't do it unless you have confirmed that the address line starts with "https" rather than just "http" and that a lock icon is displayed. Every legitimate online business enables SSL because it protects its users with an encrypted connection. Note that the reverse does not hold: a lock icon only proves that the connection is encrypted to the owner of the domain shown in the address bar, and phishers can obtain certificates for their own lookalike domains, so the domain name itself must be checked as well.
In this case, when the user and password data are submitted, no login action is performed. Instead the submitted credentials are sent to the criminals who crafted the phishing website.
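The two tells described in this section, a credential form served without https and a domain that is a near-miss of the real one, plus the missing redirect to the vendor's login page, can be expressed as simple checks. The following is an added example written for this article, not code from Comodo or from the sites involved; the hostnames `trade-example.com` and `login.vendor-example.com` are constructed placeholders, since the article does not name the real trading site or the vendor's login host, and the edit-distance threshold of 2 is chosen to match the "two letters changed" observation.

```python
from urllib.parse import urlsplit

# Constructed hostnames for the example; the article does not name the real sites.
TRADING_SITE = "trade-example.com"          # the legitimate trading site the phish imitates
VENDOR_LOGIN = "login.vendor-example.com"   # where a genuine OpenID sign-in redirects to
KNOWN_GOOD_HOSTS = {TRADING_SITE, VENDOR_LOGIN}


def levenshtein(a, b):
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_login_url(url, known_hosts=KNOWN_GOOD_HOSTS, max_distance=2):
    """Assess a page that asks for credentials.

    Flags a missing https scheme and a hostname that is within `max_distance`
    edits of a known-good host (the "two letters changed" lookalike pattern).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("no TLS: scheme is %r, expected https" % parts.scheme)
    if host in known_hosts:
        verdict = "known host"
    else:
        closest = min(known_hosts, key=lambda h: levenshtein(host, h))
        distance = levenshtein(host, closest)
        if distance <= max_distance:
            findings.append("lookalike of %s (edit distance %d)" % (closest, distance))
            verdict = "lookalike"
        else:
            verdict = "unknown host"
    return {"host": host, "verdict": verdict, "findings": findings}


def classify_signin(trading_page_url, signin_page_url, vendor_host=VENDOR_LOGIN):
    """A genuine OpenID sign-in leaves the trading site for the vendor's domain.

    The phishing page instead serves its own copy of the login form on the
    same domain as the fake trade offer.
    """
    trading_host = (urlsplit(trading_page_url).hostname or "").lower()
    signin_host = (urlsplit(signin_page_url).hostname or "").lower()
    if signin_host == vendor_host:
        return "redirected to vendor"
    if signin_host == trading_host:
        return "login form served by the site itself"
    return "redirected to unknown host"


if __name__ == "__main__":
    # Constructed URLs: a lookalike domain with one character changed, no TLS.
    print(check_login_url("http://trade-examp1e.com/login"))
    print(classify_signin("http://trade-examp1e.com/offer/77",
                          "http://trade-examp1e.com/login"))
```

Both checks are heuristics for a user or a proxy to apply, not proof of legitimacy: a valid certificate on a lookalike domain passes the scheme check, which is why the domain comparison is kept separate and why the sign-in redirect target is checked as well.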
Phase II of the Scam
Many similar phishing scams, such as for bank users, would stop here with the theft of the user login credentials. Unfortunately, this scam goes the extra mile.
After the credentials are submitted and stolen, a pop-up informs the user that a "game guard" needs to be enabled on the computer in order to log in. The real "Steam Guard" is a set of security measures (including two-factor authentication) put in place by the game vendor to prevent account takeovers and credential theft.
In this case the criminals are luring the user into running a malicious application named "Steam Activation Application.exe". The phishing website starts downloading it as soon as the pop-up is displayed.
As seen below, the malicious application is not hosted on the respective domain, but on Google Drive.
When it is run, the application reads the location of the Steam client's installation folder from a registry key.
After reading the location, it starts searching for all files whose name begins with the string “ssfn”.
When a file whose name starts with "ssfn" is found, its content is read and the binary data is converted in memory to a plain-text hexadecimal representation.
This is done so that the trojan can exfiltrate the file by sending the encoded data in an HTTP POST request to the web server located at 126.96.36.199.
If the upload succeeds, the application displays a message stating "You now have access to your Steam account from this computer!"; otherwise it displays a message that an error has occurred:
An error occurred while activating account (disk read error)
After displaying the success or error message, the trojan executes cmd.exe with a "del" command to delete its own executable. In this way it tries to remove its traces from the system so the user does not suspect any questionable activity.
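The behaviour chain above (registry lookup of the Steam path, reads of ssfn* files by a process that is not the Steam client, a POST of a hex-encoded blob to 126.96.36.199, and self-deletion through cmd.exe) is exactly what a defender would correlate in endpoint telemetry. The following hunting logic is an added example written for this article, not Comodo's detection code. The event records are constructed, Sysmon-style dictionaries rather than real logs; the registry key name `HKCU\Software\Valve\Steam\SteamPath` and the choice of `steam.exe` as the only process expected to read ssfn files are assumptions, since the article only says "a registry key".

```python
import re
import ntpath
from collections import defaultdict

C2_ADDRESS = "126.96.36.199"   # upload target named in the article
STEAM_CLIENT = {"steam.exe"}    # assumption: the only process expected to read ssfn files
HEX_BLOB = re.compile(r"^[0-9a-fA-F]{64,}$")   # body that is nothing but hex digits
# "cmd.exe /c del <path>" with the target optionally quoted
SELF_DELETE = re.compile(r'\bcmd(?:\.exe)?\b.*\bdel\b\s+"?(?P<target>[^"]+?)"?\s*$', re.I)

TROJAN = r"C:\Users\gamer\Downloads\Steam Activation Application.exe"

# Constructed telemetry for the example (Sysmon-like fields, not real logs).
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 4120, "image": TROJAN,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": '"%s"' % TROJAN},
    # registry key name is an assumption; the article only says "a registry key"
    {"type": "registry_read", "pid": 4120, "image": TROJAN,
     "key": r"HKCU\Software\Valve\Steam\SteamPath"},
    {"type": "file_read", "pid": 4120, "image": TROJAN,
     "path": r"C:\Program Files (x86)\Steam\ssfn1234567890123456"},
    {"type": "net_connect", "pid": 4120, "image": TROJAN, "dst": C2_ADDRESS,
     "dport": 80, "method": "POST", "body": "a1b2c3d4" * 16},
    {"type": "process_start", "pid": 5008, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": TROJAN, "cmdline": 'cmd.exe /c del "%s"' % TROJAN},
    # benign: the Steam client itself reading the same file at startup
    {"type": "file_read", "pid": 6100, "image": r"C:\Program Files (x86)\Steam\steam.exe",
     "path": r"C:\Program Files (x86)\Steam\ssfn1234567890123456"},
]


def basename(path):
    """Lower-cased final path component; works for Windows paths on any host."""
    return ntpath.basename(path or "").lower()


def hunt(events):
    """Return {process image basename: [findings]} for each stage of the chain observed."""
    findings = defaultdict(list)
    for e in events:
        img = basename(e.get("image"))
        kind = e.get("type")
        if kind == "registry_read" and basename(e.get("key")) == "steampath" \
                and img not in STEAM_CLIENT:
            findings[img].append("reads Steam install path from the registry")
        elif kind == "file_read" and basename(e.get("path")).startswith("ssfn") \
                and img not in STEAM_CLIENT:
            findings[img].append("reads Steam ssfn file %s" % basename(e["path"]))
        elif kind == "net_connect" and e.get("dst") == C2_ADDRESS:
            note = "%s to %s:%s" % (e.get("method", "connect"), e["dst"], e.get("dport"))
            if HEX_BLOB.match(e.get("body", "")):
                note += " with hex-encoded body (%d hex chars)" % len(e["body"])
            findings[img].append(note)
        elif kind == "process_start":
            # self-deletion: cmd.exe spawned by X, deleting X's own executable
            m = SELF_DELETE.search(e.get("cmdline", ""))
            parent = basename(e.get("parent_image"))
            if m and basename(m.group("target")) == parent:
                findings[parent].append("self-deletion via cmd.exe del")
    return dict(findings)


def verdict(findings_for_image):
    """Escalate only when ssfn read, upload to the C2 and self-deletion all appear."""
    text = " ".join(findings_for_image)
    chain = ("ssfn", C2_ADDRESS, "self-deletion")
    return "trojan behaviour chain" if all(c in text for c in chain) else "suspicious"


if __name__ == "__main__":
    for image, found in hunt(SAMPLE_EVENTS).items():
        print(image, "->", verdict(found))
        for f in found:
            print("   ", f)
```

The ssfn read by a process other than the Steam client is the strongest single indicator and is worth an alert on its own; the other stages are there to raise confidence and to survive the sample being renamed, since none of the rules depend on the file name "Steam Activation Application.exe".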
What’s the purpose of stealing “ssfn*” files?
These files contain Steam account data and the two-factor authentication data that marks a computer as already authorized. When such a file is copied into the Steam folder on another system, no two-factor authentication token is requested anymore: anyone who holds the file gets full access to the account from that system.
In this way the games can be accessed and played, the in-game items (some of which can be very expensive) stolen or traded for cash, the transaction history viewed, or even the account login details and email address changed so that the original owner can no longer use the account or even recover it.
How to prevent such account takeovers
The following advice applies to this scam, and also to most variations of phishing scams:
- Vigilance is the best defense:
Do not click on links received from strangers, or even suspicious links from friends, who may themselves be victims of hijackers. Make sure any login process you perform takes place on an SSL-enabled website over https, and double-check the domain name in the address bar for any suspicious mismatch; a valid certificate proves only that you are talking to the owner of that domain, not that the domain is the one you intended.
- Use a secure DNS service:
Every system should use a secure DNS service, such as Comodo Secure DNS, that warns you in case of phishing attempts.
- Use a robust security suite with a Firewall and advanced malware protection:
Make sure you have installed Comodo Internet Security in order to be protected from malware that might reach your system.