Pierluigi Paganini March 16, 2016

Security expert published an interesting analysis of malware targeting the Steam gaming platform and evolution of threats through the last few years.

It is emergency, malware targeting the Steam accounts are increasing as never before over the last months. The popular gaming platform is a privileged target for cyber criminals, Steam is owned by Valve and account for nearly 140 million users. The company estimates that nearly 77,000 accounts are hijacked and pillaged each month.

“We see around 77,000 accounts hijacked and pillaged each month. These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It’s a losing battle to protect your items against someone who steals them for a living.” states the company in a blog post.

The security expert at Kaspersky Lab, Santiago Pontiroli, and Bart P, an independent security researcher, published an interesting analysis of malware targeting the Steam gaming platform and evolution of threats through the last few years.

In the recent months, the researchers observed a spike in the infections caused by a data stealer specifically designed to target the accounts on the gaming platform, dubbed Steam Stealer.

Steam Stealer first appeared on a forum in the Russian underground, it is advertised as a customizable threat that is offered for sale with upgrades and manuals.

“Adding new features is simple. The average developer just needs to select their favorite programming language and know just enough about Steam’s client design and protocol. There are many APIs and libraries available that interface seamlessly with the Steam platform, significantly reducing the effort required.” states the analysis.

The crooks use to spread the Steam stealer malware via bogus websites or sending direct messages to victims.

Steam stealer is very cheap, the cost of a build ranges from $3 and goes up to $30 USD, some sellers offer it as a malware-as-a-service tools.

“However, when it comes to these types of malicious campaigns we usually see prices starting in the range of $500 dollars (taking as a reference earlier ransomware-as-a-service markets).” explained Pontiroli and Bart P.

The researchers noticed a significant difference in the way criminals dropped the malware over the time. In the past they served the malware on users via URL shortening services, cloud storage services like Dropbox and Google Docs, and phony game servers and fake voice software sites. Recently attackers started using fake Chrome extensions and gambling sites.

A short rundown of past trends:

• Use of obfuscators to make analysis and detection harder.
• Use of file extensions hidden by default by Windows (fake ‘screensaver’ files).
• Use of NetSupport added (providing remote access to the attacker).
• Use of fake TeamSpeak servers.
• Use of automatic Captcha bypass (DeathByCaptcha and others).
• Use of fake game servers (Counter-Strike: Global Offensive most notably).
• Use of Pastebin to fetch the actual Steam Stealer.
• Use of fake screenshot sites impersonating Imgur, LightShot or SavePic.
• Use of fake voice software impersonating TeamSpeak, RazerComms and others.
• Use of URL shortening services like bit.ly.
• Use of Dropbox, Google Docs, Copy.com and others to host the malware.

Current trends are as follows:

• Use of fake Chrome extensions or JavaScript, scamming via gambling websites.
• Use of fake gambling sites, including fake deposit bots.
• Use of AutoIT wrappers to make analysis and detection harder.
• Use of RATs (Remote Access Trojans) such as NanoCore or DarkComet.

The experts explained that there are counter-measure that the Valve’s Steam has implemented to prevent attacks on its accounts including:

• Two-factor authentication either by email or mobile application.
• Blocking URL’s throughout Steam.
• Nickname censorship (Steam/Valve).
• Captcha on trades (briefly), and then bypassed.
• Limited accounts introduced.
• Steam e-mail confirmations for utilizing the market and trading items.
• Verifying e-mail address.
• $5 USD purchase to combat ‘free abuse’ accounts (expanded on limited accounts).
• Information about who you are trading with (record).
• Market will become blocked when logging in from new devices, changing your profile password etc.
• Steam mobile trade confirmations.
• Steam account recovery via phone number.
• Restrict chat from users who do not share a friends, game server, or multi-user chat relationship with you.
• More restrictive block referral of spam and scam sites.
• Trade hold duration (15 days).

The experts explained that Steam implemented the above measured as a deterrent.

“We have listed all the options Steam offers users to protect their accounts. Remember that cybercriminals aim for numbers and if it’s too much trouble they’ll move on to the next target. Follow these simple recommendations and you will avoid becoming the low hanging fruit.”

No doubt, the number of attacks against the platform will continue to increase despite the effort spent by the company.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Steam, Steam Stealer)