Phishy Steam Guard File Steals SSFN

Posted June 25, 2014 by Christopher Boyd

A few months ago, we looked at how phishers had come up with a way to get around Steam Guard protection on Steam gaming accounts: asking users to dig out the relevant Steam Guard SSFN file from their folders, then have them upload it manually to a fake login page.

Armed with this file and the username / password, these scammers could bypass the protection and immediately make use of the plundered account.

Now it seems phishers have tried to automate the process a bit – and just in time for the Summer Steam sale too.

Here’s a phishing page which – as with similar attacks – pretends to be a Community profile jam-packed with items for trading. It begins with a message from an already compromised Steam account (thanks to Mohab Ali for sending this over):

“Hey mate my friend wants to trade with you but he can’t add you (steam error) add him please [URL REMOVED]”

Here’s the fake profile loaded up with non-existent rare items from various titles:

Seeing the multitude of bait, the victim will head on over to the fake login page:

With the old scam, users would be presented with a fake Steam Guard box and be asked to navigate to their Steam folder, then upload the SSFN file manually to the phish page. Here, we see something different:

The box reads as follows:

“Hello! We see you’re logging into Steam from a new browser or new computer.

As an added account security measure you’ll need to grant access to this browser by running the special tool (SteamGuard) we just sent to your computer.

To complete login you should click to open tool, then authentication is automatically completed.

We worry about your security and every time improve protection”

Running the file is, as you might have guessed, a bad idea. While it may claim to be Steam Guard, it most certainly isn’t and will compromise the security of your account.

It first contacts a .ru domain to get the “go ahead” and make a move on your PC. It locates the Steam folder, detects the SSFN file then uploads it to the phishing website in the above screenshots (now offline). Armed with the SSFN file and the stolen username and password, the phisher will have no trouble logging in as the victim.

Users of Malwarebytes Anti-Malware will find we detect this as Spyware.Steam, and here’s a link to the VirusTotal page.

The .ru website is interesting, and appears to be offering up some form of Steam spamming tool – perhaps related to the Bots which send messages to victims from compromised accounts?

Whatever the full story, users of Steam should let their friends know that fake Steam Guard files are another addition to the “Don’t do this” list where Steam SSFN files are concerned.

Whether sending them manually or giving the scammers an assist in the form of rogue files doing it for you, the end result is still the same: one lost Steam account and a trip to the Support Desk.

Christopher Boyd (Thanks to Mohab Ali for the tip, and Joshua Cannell for file analysis)

COMMENTS

Pingback: Steam phishing scheme steps up account jacking attempts with automation()
https://www.facebook.com/Ps.Craig.Scott Craig Scott

****. I only just started using Steam when I purchased Civilization V.
Now I’m not too sure if I should play it at all.
Koushik Karmakar

nice article !! thank you !! 🙂
Pingback: Tech Thoughts Daily Net News – June 26, 2014 | Bill Mullins' Weblog - Tech Thoughts()
Pingback: Beware The New ‘Steam Guard’ Phishing Scam | 1337MMO()
Joshua Cannell

Craig Scott, there’s no reason to be afraid of Steam or playing games on Steam. Simply be aware of these fake sites and programs that attempt to steal your login credentials.
Pingback: Updated Steam phishing scam automates SSFN upload - Regiment of the Grenadier Guards()
Pingback: Updated Steam phishing scam automates SSFN upload | Why are we here?()
Pingback: Updated Steam phishing scam automates SSFN upload - Snap VRS Blog Directory()
Pingback: Steam SSFN Account Phishing, Be Careful! | KGC Empire()
Pingback: Steam Phishing gets automated | Lazygamer .:: The Worlds Best Video Game News ::.()
Pingback: Updated Steam phishing scam automates SSFN upload()
Pingback: Steam users getting hacked! | The PC Architects | Blog()
Pingback: A Week in Security (Jun 22 – 28) | Malwarebytes Unpacked()
Pingback: LtD Clan | Updated Steam phishing scam automates SSFN upload - LtD Clan()
Pingback: Steam Phishing gets automated | Gaming News Site()
Pingback: Steam Account Phishers Caught Squatting | Malwarebytes Unpacked()
Daniel G

this just happened to me but thankfully I didint download the “steam guard”
thanks for educating me and making me feel better about what just happened
Christopher Boyd

Hi Daniel, no worries – glad we could help!
Christopher Boyd

Testing (to be deleted)
jarvyvv

Unfortunately, I fell for this, and was wondering if u can recover ur steam account, and if I used malwarebytes, if im safe from being hacked again, thanks!
T. Eriksson

I ran this file and discovered the erroneous address too late. Then read this article, I changed my password, deleted the ssfn file, logged in, activated steam guard with my email, and then in steam settings “deauthorized all other computers.” Is that enough to make me safe from this?
Wallcer

i tryed to download the file but an error popped up saying cannot find the file or insufficient permissions. did i get saved from this or did they still get my stuff
Jack

Unfortunately my friend fell into this trap and lost an In-game knife from CS:GO worth about £80. Of course steam support did nothing to help except for get his account back, but he will never see the items he lost again.
Pingback: Steam Threats: What They Are and What You Can Do to Protect Your Account | Malwarebytes Unpacked()
http://www.wawo.site90.com WaWo

I’ve used Steam for 3 years and have never had any problem.

Just be careful and you’ll be okay 🙂
Pingback: 2014 and Beyond Online Threat Report | Malwarebytes Unpacked()
Anthony

“Users of Malwarebytes Anti-Malware will find we detect this as Spyware.Steam, and here’s a link to the VirusTotal page.” Oh really? If you click that link, you’ll find that MBAM marked it as safe.
Mateusz

I just fell into the bait but my brother came just couple mins ago and told me to lock my account and scan it
Sean Cassidy

but what they usually do is trade the item through several ‘holding’ accounts so the item can no longer be found.
Sean Cassidy

there are no issues with steam the only way these hackers can get to you is through a fake login page where they can get your username and password.
voziak

type that russian sentence just below the url bar in that pic on google and you’ll find the site
Anikets

Someone added me and sent me the url, but it didn’t send me to a log in site… it just showed an error. I guess they already fixed it or prevented hackers like them :D?
Pingback: Steam Scams To Watch Out For and How to Stay Safe | I World New()
Pingback: Steam Scams To Watch Out For and How to Stay Safe | Trend Inside()
Pingback: A New Batch of Voice Comms Stealers… | Malwarebytes Unpacked()
Pingback: Steam IM Spam Leads to Fake Imgur Site, Malware | Malwarebytes Unpacked()
Jackal

It’s his fault he lost it. Not steams.
Pingback: Steam Community Compromise? Redirects session to other users | hackandflash!()

RELATED ARTICLES

Cybercrime | Malware

Intentional PE Corruption

April 30, 2012 - Malwarebytes Anti-Malware is under constant attack. 24 hours per day, 7 days per week, 365 days per year. If you read my recent blog post about the development of Malwarebytes Chameleon, you know that we at Malwarebytes have big red ‘X’s on our chests; the bad guys are always out to get us. Malwarebytes Anti-Malware...

CONTINUE READING 4 Comments

Cybercrime | Malware

The Cat-and-Mouse Game: The Story of Malwarebytes Chameleon

April 24, 2012 - The fight against malware is a cat-and-mouse game. It is constant and constantly escalating. They make a move, you counter it, they counter your counter, lather, rinse, repeat. What’s more: malware almost always has the advantage. Our software Malwarebytes Anti-Malware earned a reputation for having a high success rate in combating new in-the-wild malware infections:...

CONTINUE READING 4 Comments

Cybercrime | Hacking

Cybercrime at $12.5 Billion: The Great Underreported Threat

May 7, 2012 - From the outside looking in, it may appear that the press regularly reports stories when a company’s website, database or intellectual property has been hacked, stolen or compromised. The more eye-opening fact of the matter is that the scale and scope of the cybercrime problem is much, much larger and the actual incidences of these...

CONTINUE READING 2 Comments

Cybercrime | Hacking

DDOS, Botnets and Worms…Oh My!

May 14, 2012 - The recent attack on the Serious Organized Crime Agency (SOCA), most likely in response to the 36 data selling sites shut down a few weeks ago, lead to the admission by high ranking SOCA officials that the Ministry of Defense networks need to “beef up their security.” In response to this we would like to...

CONTINUE READING No Comments

Cybercrime | Exploits

“The Sky is Falling… Are You at Risk from the Flame Malware?”

June 1, 2012 - The last time I checked with Google News this morning there were over 19,100,000 results for “flame malware”. You may have heard many stories this week about this complex trojan. Here are links to three of my current personal favorite articles on “Flame”. Powerful ‘Flame’ cyberweapon tied to popular Angry Birds game – (Fox News)...

CONTINUE READING 2 Comments

ABOUT THE AUTHOR

Christopher Boyd
Malware Intelligence Analyst

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.

CATEGORIES

101 Cybercrime Malwarebytes news Security world Threat analysis

TOP POSTS