We recently flagged a misspelled URL of a domain claiming to be the real CS:GO Lounge, a highly popular site where Steam users can trade in or bid on items specifically for Counter-Strike: Global Offensive (CS:GO) and place bets on group stage matches. Below is the URL in question:

csgoloungcs[dot]com

Just like any other phishing campaign, the fake page appears much like the real one, with noticeable differences that I’d pointed out below:

  • The real CS:GO Lounge (csgolounge.com) page has an ad at the right side of the screen just below its social network links.
  • The real Lounge only has file (5) menu options at the right-hand site, specifically ForumRedditUser’s guideRules, and Contact. The fake Lounge has an extra option, which is Bot status.
  • The real Lounge has a Search feature at the top of the page.

Side-by-side comparison of phishing page and legitimate page
click to enlarge

CS:Go Lounge requires users to log in via Steam in order to avail of its services. Clicking the green Sign in through Steam button at the upper right section of the page directs users to the verified and encrypted Steam Community page wherein users can safely enter their credentials.

The fake CS:GO Lounge page, however, directs to another page within its domain that appears to look like the Steam Community page, as you can see below:

Fake Steam Community pageclick to enlarge

This page accepts and saves any string entries, even null values should one decide not to provide their credentials. After clicking the Sign in button, the following overlay appears and a file is downloaded onto the user’s system:

The "Almost Done" Overlayclick to enlarge

By viewing the page’s source code, we found out that the overlay contains an iframe code that points to a Google Drive location where the said executable is being hosted:

Google Drive location of the executableclick to enlarge

The file’s properties didn’t say much about what it is, too.

steam-activation-file

Malwarebytes Anti-Malware (MBAM) detects Steam Activation.exe as Trojan.Agent.

Previous phishing attempts using CS:GO Lounge as bait has been reported or documented by users before. Below are other misspelled URLs that were used by phishers:

  • csgolonge[dot]com
  • csqolunge[dot]com
  • csgoIounge[dot]com (that is a capital “i”, not a small “L”)
  • csgo-loungs[dot]com
  • csgolaunge[dot]com

Steam users who are into betting and item trading are advised to visit and bookmark the legitimate CS:GO Lounge site, csgolounge.com. It also pays to remember how the URL is spelled.

We believe that the less likely one is keen on spelling, the higher the probability that one would actually fall for scam sites.

Lastly, avoid clicking links from chat messages offering trades or wanting to add them as contact but couldn’t because of “an error”.

Ask for the interested party’s handle in the Lounge instead so you, the user, can search for him/her and check out their offers yourself. This way may not be as straight-forward and convenient as simply clicking a link, but it’s a lot safer.

Jovi Umawing