A few months ago, we looked at how phishers had come up with a way to get around Steam Guard protection on Steam gaming accounts: asking users to dig out the relevant Steam Guard SSFN file from their folders, then have them upload it manually to a fake login page.

Armed with this file and the username / password, these scammers could bypass the protection and immediately make use of the plundered account.

Now it seems phishers have tried to automate the process a bit – and just in time for the Summer Steam sale too.

Here’s a phishing page which – as with similar attacks – pretends to be a Community profile jam-packed with items for trading. It begins with a message from an already compromised Steam account (thanks to Mohab Ali for sending this over):

Never click on these messages.

“Hey mate my friend wants to trade with you but he can’t add you (steam error) add him please [URL REMOVED]”

Here’s the fake profile loaded up with non-existent rare items from various titles:

Nice hat.

Seeing the multitude of bait, the victim will head on over to the fake login page:

Fake login

With the old scam, users would be presented with a fake Steam Guard box and be asked to navigate to their Steam folder, then upload the SSFN file manually to the phish page. Here, we see something different:

Fake Steam Guard download

The box reads as follows:

“Hello! We see you’re logging into Steam from a new browser or new computer.

As an added account security measure you’ll need to grant access to this browser by running the special tool (SteamGuard) we just sent to your computer.

To complete login you should click to open tool, then authentication is automatically completed.

We worry about your security and every time improve protection”

Running the file is, as you might have guessed, a bad idea. While it may claim to be Steam Guard, it most certainly isn’t and will compromise the security of your account.

It first contacts a .ru domain to get the “go ahead” and make a move on your PC. It locates the Steam folder, detects the SSFN file then uploads it to the phishing website in the above screenshots (now offline). Armed with the SSFN file and the stolen username and password, the phisher will have no trouble logging in as the victim.

Users of Malwarebytes Anti-Malware will find we detect this as Spyware.Steam, and here’s a link to the VirusTotal page.

Code time.

The .ru website is interesting, and appears to be offering up some form of Steam spamming tool – perhaps related to the Bots which send messages to victims from compromised accounts?

.ru domain

Whatever the full story, users of Steam should let their friends know that fake Steam Guard files are another addition to the “Don’t do this” list where Steam SSFN files are concerned.

Whether sending them manually or giving the scammers an assist in the form of rogue files doing it for you, the end result is still the same: one lost Steam account and a trip to the Support Desk.

Christopher Boyd (Thanks to Mohab Ali for the tip, and Joshua Cannell for file analysis)