UPDATE [9/24/2014 6:38AM]

The Steam user in question has reached out to us via Twitter to report that another scammer contacted him, using a tactic similar to the one before. I have been told that the file this time was hosted on a Google Docs page and was still pretending to be a screensaver. I was able to get hold of it for analysis. This is what it looks like on a user’s desktop:

Fake .scr file on desktop

Renaming the extension to .exe from .scr (because that is what it actually is) gives me the following details about the file:

File details of the fake .scr file when renamed to .exe

Once executed, the following tasks are performed:

  • Retrieves the current session ID of the Steam user
  • Gains access to the user’s inventory / backpack
  • Saves items onto an “offer list” for selling
  • Displays the image below in order to make the user believe that what they actually opened is indeed an image file and not an actual application

The image that distracts

It’s highly likely that while the user is being distracted by the image, the offer list is already being marketed to someone else. From here, the scammer can easily transfer items from the user’s Inventory to the buyer or to their own inventories.

The fake .scr file is written in IL Assembly and compiled in Microsoft Visual C# v7.0 / Basic .NET.

Hash value for this file is 4429c5cae5beb8a91c58de4cae2c30cad71e363d (SHA1). Here’s a list of VirusTotal detections for it.
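The point about the file being an executable whatever its extension or icon says can be checked from the file's bytes. The following is an added example, not code from the original post: it reads the PE headers and reports whether the file is a Windows executable and whether it carries a .NET (CLR) header. The function names are hypothetical and the sample bytes are constructed stubs, not the file analysed above.

```python
import struct

CLR_DIRECTORY_INDEX = 14  # PE data directory that holds the .NET (CLR) header


def inspect_pe(data: bytes) -> dict:
    """Classify a file by its bytes, ignoring the name: PE image? .NET assembly?"""
    result = {"is_pe": False, "is_dotnet": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        return result
    result["is_pe"] = True
    opt = pe_off + 4 + 20                # skip signature and COFF header
    if len(data) < opt + 2:
        return result
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs = {0x10B: 96, 0x20B: 112}.get(magic)   # PE32 / PE32+ directory offset
    if dirs is None:
        return result
    clr = opt + dirs + CLR_DIRECTORY_INDEX * 8
    if len(data) < clr + 8:
        return result
    (count,) = struct.unpack_from("<I", data, opt + dirs - 4)
    rva, size = struct.unpack_from("<II", data, clr)
    result["is_dotnet"] = count > CLR_DIRECTORY_INDEX and rva != 0 and size != 0
    return result


def build_constructed_stub(dotnet: bool) -> bytes:
    """Constructed, header-only PE32 bytes for the demo; not the file from the post."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    return dos + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    for name, blob in [("picture.scr", build_constructed_stub(True)),
                       ("photo.png", b"\x89PNG\r\n\x1a\n" + bytes(64))]:
        print(name, inspect_pe(blob))
```

A genuine image never starts with the `MZ` / `PE` signatures, so a "picture" that reports `is_pe: True` should be treated as a program.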

ORIGINAL POST:

A recent scam on Steam gave me pause and made me think about how different and flagrant scamming has become on the said gaming platform in just a couple of years at most.

Joe, a gamer in New York with the handle THE_THANG, not so long ago shared with a Steam group he administers an account of his encounter with a scammer.

Post on a Steam group

// Begin transcription

“Important Phishing Information. Please Read!

I recently got added by someone named [unassigned] again. I knew from the start that it was a phishing bot, but I accepted it anyway. After accepting this person, I got this response as a result.”

Joe: Chat with bot

“Now you would think “Oh, it’s an image of something that he wants to trade with me.” But NOT SO FAST, it’s NOT what you think.

Upon clicking the URL reveals to be a link that downloads a screensaver file to your computer and is not considered malware….yet.”

Joe: Download from bot

“Now, we all know that you shouldn’t download and trust files from unknown sources, but this is a lot bigger than you think.

I tried to change the file to an image extension to see if I can look at it, but upon doing that results in a file that you quote-unquote ‘burn to a disc drive.’”

Joe: Burn prompt

“Not only that was weird, but placing the URL in a website that reveals URL’s leads me to a Google Documents file according to this:”

Joe: Long URL

“This is as far as I got with this situation, knowing that if I went any further my Steam account, let alone my computer would be in trouble. Anyway, spread the word; let people know about this because they might click and run the “install” on the file.

Do NOT attempt this on your own. Do not DOWNLOAD or RUN the file if you downloaded it. Delete it IMMEDIATELY! Stay away from people who add you for images. Keep your account safe. Verify Steam Guard, your email and make sure you have a strong password for both! Video below of my explanation (720 to 1080 is recommended):

VIDEO IS NOT PRIVATE. IT’S PUBLIC!
{YouTube clip redacted}

UPDATE #1: Malwarebytes’ has found it as a Fake Steam file.”

Joe: Malwarebytes detection

// End transcription

Note: I have included screenshots of images Joe took in place of the links for you to easily see what he’s referring to.

The claim of phishing may be inaccurate and I won’t personally recommend that users fiddle with the file (unless you know what you’re doing), but Joe was right to inform everyone about this experience.

Some may say it’s easy to spot this scam, which is all well and good for them, but others need cues. Some may not even think that there are threats on Steam.

For those already in the know, I can only applaud you and encourage you to remain aware of what’s happening in your Steam groups, gaming clans, and friends.

For those who need guidance, we have put together a short list of potential dangers Steam users may encounter while using the platform.

(1) Malware. This is the specific threat that Joe encountered. It came in the form of a set of links sent via Steam’s chat feature by someone he doesn’t know, with the recipient meant to assume that the links lead to images of items this “player” wants to trade with him. This someone, unfortunately, is named “[unassigned]”, a widely known indicator in the community that it’s a bot account. More about this later.

In the past, we normally saw Steam-related binaries outside of the platform, marketed as fake downloads of the Steam installer, keyloggers, or self-proclaimed “crackers”. The above is an example of malware pretending to be an image file. Some even use “Steam Guard” as the binary’s file name to make it more believable. However, with Joe’s experience and some comment spam I’ve seen before, we’d be more surprised if malware proponents were not on Steam.

(2) Fraud. This is probably the most common threat we’ve seen involving Steam. Social engineering plays a key role in pulling off a successful scam, as you have seen in Joe’s case, and some of the noteworthy ones are quite sophisticated.

There are two types of fraud we have seen at play so far, both involving bots, impersonators, holders of hacked accounts, or gamers with malicious intent in general:

(2.1) Phishing. We know that for years, scammers have been out to get their hands on Steam login credentials. Some of the techniques they have employed may be a combination of social engineering and typosquatting, or just pure social engineering. An example of this occurred several months ago: phishers took advantage of users’ lack of knowledge of SSFN, a file Steam references so that users won’t have to verify their machines each time they log in to the gaming platform, to trick them into handing it over along with their credentials. Gamers on Reddit have rambled on this topic extensively.

One may not realize that a Steam account is as valuable as—perhaps even more valuable than—the games and inventory items it has. The number of phishing campaigns and stories of accounts getting hijacked can be proof of a lucrative black market for selling and buying credentials.

(2.2) Trading scams. Trading items with friends and other players in exchange for something of equal or greater value is the norm on Steam. What isn’t is the fact that some buyers have figured out a process to acquire unique and hard-to-find game items from their owners using only a certain amount of persuasion and the way Steam normally allows the exchange and/or gifting of goods. Goods or items can be cards, image backgrounds, emoticons, games, keys, and in-game stuff like weapons, magical pieces of clothing, etc.

Trading scams are also called “trading hacks” by others. There is a comprehensive list of scammer types that is shared and syndicated on Reddit, and it appears that the majority of these types are still around today. Someone also identified a list of common excuses scammers may use to manipulate unwary traders. I suggest that you check them out, dear Reader, and digest their contents well.

(3) Bots. As mentioned above, bots have been instrumental in spreading malware. In some cases, they have been used to do some phishing campaigns, as well.

Not all bots on Steam are bad. There are a lot of automated accounts created to handle trading sessions between users. All traders have to do is send the bot a chat message in a format it is programmed to recognize. Current bots cannot function without having their own Steam accounts; therefore, they can be subjected to hacking. In the hands of criminals, hijacked bot accounts could endanger the community they cater to, siphon out thousands of tradable items from their inventories (and potentially users’), and damage the integrity of their original programmer.

(4) Sharks. Traders generally see sharking as a form of scam and frown upon it. Sharks are individuals who, basically, rip off other players. Sharking happens when Trader 1 knowingly misleads Trader 2 by convincing him/her to sell/trade a rare or high-valued item to them at a lower cost, with Trader 2 agreeing. Of course, this works only if Trader 2 is inexperienced or is unaware of the rare item in his/her possession plus its estimated value in the market.

A solid answer to the question “What constitutes sharking?” is still a gray area for some due to factors affecting each case. In a nutshell: It depends.

If you’re interested in reading more about this, these SteamRep and Steam forum posts may be worth reading.

(5) Impersonators. I’ve personally seen accounts changing all their details—Steam avatar, name, country of location, and their “about me” info—two to three times in a span of 24 hours. Manned impersonator accounts are more dangerous than those run by bots, and they are generally challenging to spot unless someone stumbles into a look-alike and points this out to the community.

(6) Hacked accounts. Like impersonators, they’re difficult to spot. One also wouldn’t know if a friend in their Friends list has been infiltrated and used to either harvest more account details by spreading phishing links or promote the download and installation of suspicious files to Steam contacts. Criminals clearly leverage the trust that the account holders they’ve stolen from have established with their friends to make their malicious campaigns as effective and unsuspected as possible, until it’s too late. A great deal of damage could be done to the original account holder if the hacking is not immediately addressed.

It’s terrible to know that a number of players on Steam have given up on trading, trusting other players, or using the platform in general because of the above threats. Below are some security pointers we can provide in order to help users avoid these threats and/or respond accordingly if they have already fallen for criminal campaigns.

How to Watch Your Back so You Can Help Others Watch Theirs

  • Enable Steam Guard. Never disable it no matter what others say.
  • Use a strong password for your Steam account. Never share it with anyone. Change it on a regular basis.
  • Make sure that the email tied to your Steam account has the two-factor authentication (2FA) feature enabled. Never share your password for it, either.
  • Familiarize yourself with terms related to Steam, such as SSFN, Steam Guard, and Steam Wallet, so that you know what they are, their purpose, and how they’re used.
  • Avoid clicking links sent over your way via Steam chat. If you can, take the time to verify them using free online tools at your disposal. Is the link shortened? Do what Joe did and use a site that reveals the true destination of the URL. Not familiar with the domain of the URL you received? Do a bit of research on it, or have a website scanner visit it first. VirusTotal and Sucuri Site Check are just some of the tools you can use for this.
  • In line with the point above, make sure to carefully read any Steam URL sent to you. The only acceptable ones should be store.steampowered.com and steamcommunity.com. This is very important, especially when you’re expected to log in to your account to do something with the page.
  • Resist the urge to add and accept every friend or group invite you receive. Having more Steam friends may be merrier, but being picky with who you befriend can also influence the amount of risk you may be exposing yourself to. From the number of posts I’ve seen online, it would seem that fraudsters, in general, tend to gravitate towards players who (1) frequently play popular multi-player games (TF2, CS, DOTA, etc.), (2) have a high Steam level, and (3) have hundreds of friends.
  • If you’re into trading, take the time to research the items you have and their estimated value in the market.
  • Get to know and observe the players you add to your Friends list. Make your own rules on how you want other players to trade with you, and make this clear either in your profile or via Steam chat.
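The exact-host rule from the list above, as an added example that is not part of the original post. The two allowed hosts are the ones the article names; the function names and the look-alike sample links are constructed for illustration, and the check goes slightly beyond the rule by also flagging near-miss spellings and links that use an official name as bait.

```python
from urllib.parse import urlsplit

# The only hosts the article treats as acceptable.
OFFICIAL_HOSTS = {"store.steampowered.com", "steamcommunity.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_steam_link(url: str) -> str:
    """Return 'official', 'lookalike' or 'unverified' for a link received in chat."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme in ("http", "https") and host in OFFICIAL_HOSTS:
        return "official"
    labels = host.split(".")
    for official in OFFICIAL_HOSTS:
        n = official.count(".") + 1
        tail = ".".join(labels[-n:])       # the part that decides who owns the host
        # Official name used as bait: in the userinfo or as a left-hand prefix.
        if official in parts.netloc.lower() and tail != official:
            return "lookalike"
        if 0 < edit_distance(tail, official) <= 2:
            return "lookalike"
    return "unverified"


if __name__ == "__main__":
    constructed_samples = [                 # constructed test links, not observed ones
        "https://steamcommunity.com/id/someone",
        "https://steamcornmunity.com/tradeoffer/new",
        "https://steamcommunity.com@example.net/login",
        "https://example.org/image.jpg",
    ]
    for link in constructed_samples:
        print(check_steam_link(link), link)
```

An "unverified" result only means the host is not one of the two named above; it still needs the research step the list describes.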

Mitigating Steps:

  • Go to Steam > Settings > Manage Steam Guard Account Security… and tick “Deauthorize all other computers now” to ensure that only your computer can access your account.
  • Change your Steam password in the event of an account hack.
  • Inform your friends about the hacking that happened to your account.
  • Submit a ticket to Steam Support to retell why and how you were scammed. Be honest and thorough if you can. There is no guarantee that they can help you with your case, however.

Valve, the company behind Steam, has yet to address the majority of the threats on its gaming platform. While we wait, the community can only look after themselves and each other, helping as much as they can to keep everyone safe and the platform as threat-free as possible.

Jovi Umawing