Upticks in Account Phishing and You. Pt 1

4g0tt3nSou1

All you had to do was follow the D*** Train, CJ
=(eGO)=
So recently, I've been noticing and monitoring a rather unsettling amount of phishing attacks on Steam. Phishing is something that's often not really talked about, and it's wrongfully dismissed. The effects of phishing are way crazier if you look at the bigger picture.

But first, what is Phishing?

Essentially, using mock or lookalike apps to steal data such as credentials or financial info.

Why does this matter to you?
Well, in the case of Steam, they also like to do a little bit of impersonation. These attacks have multiple victims: you, and anyone who has associated with you. These attacks typically farm credentials to act as you, and attack people in friends lists or people you have messaged in order to try and victimize them as well. They act like people you may know or your friends and try and trick you into falling for these attacks because it looks like it has been sent from a trusted source. You wouldn't expect your friends to send you something malicious, and they try to exploit that.

This exploits the people around you, along with stealing your credentials (and if you are like the average user, you use the same password in more than one place, so now they have those if you aren't careful), and possibly other data like bank info. The impacts of phishing, unlike other methods, cause this spreading chain reaction that impacts not just yourself but people around you, and people around them, and so on.

What are some examples of phishing on Steam?
Lately, I have seen two prevalent attacks: one exploiting via a fake CS:GO match/team/tourney; the other stating that they falsely reported you for scamming.

All of these attacks are carried out by another human. I have yet to see these automated, and it's likely they won't be for some time, as this requires more social engineering than a bot can achieve. Let's talk about the first one.

The premise of this first attack is to get you to log into a dummy form that LOOKS like a real Steam form, but instead just harvests the credentials into a database. This attack entirely centers around you logging into something in order to do something seemingly harmless. Sometimes these forms have things that are "red flags" that this isn't a legitimate site, but as the old wisdom goes, don't log into sites you don't trust.
Now, what's interesting about these attacks is that they CAN BYPASS Steam Guard, as they are stealing cached credentials that have already passed a 2FA screen. Obviously, this means that now this attack has a lot more fangs; bypassing 2FA isn't something to shrug at. They can log in at any time until the credentials are changed.

Now, this attack has one major flaw. We as gamers are typically connected to our friends over multiple platforms. My surefire way to test for a red flag is this: anyone on Steam I talk to has my Discord, and typically they'd message me there before messaging me on Steam. If you know the sender, ask them to message you on that other platform. This stops 95% of these attacks, as they don't actually have access to that other platform. This acts as a sort of verification that who you are talking to is actually someone you know. JUST TODAY, I SHIT YOU NOT, my best friend's alt was hacked and they tried this kind of attack. As soon as they asked if I had a min I knew it wasn't my friend, as they would've contacted me on Discord way before they would've on Steam. I instantly messaged my buddy, and sure enough, it wasn't them.

Doing this verification defeated this attack instantly. VERY RARELY, from what I've seen, will these attackers already have access to multiple accounts, so use that to your advantage.

Ok, that is one type. Now the second one.
The second attack I have seen a lot of is this setup where you will get added or messaged by someone you don't know, asking you if an account they link is your account; this is typically your account. They will claim that they falsely reported you, or that you have scammed them and they reported you.
They will then show some sort of falsified evidence that they messaged a "Steam Mod".
They will then ask you to message who they spoke to, in order to settle the dispute. Sometimes, they will ask you to message this "Steam Mod" off-platform.
SOMETIMES, they will even build clone accounts that LOOK like your profile. They grab profile pics, names, descriptions, and will even set vanity URLs, to make the account look as close to yours as they can. They typically will set the profile to private, so as to hide indicators that give away that this isn't you, such as friends, game counts, playtime, etc.

Now, Steam WILL NEVER ask you to message THEM; they will message you via email, not through Steam messages or other platforms. Valve also implements more of a "ban first, ask later" mentality. If this was legit, they'd suspend you first, then talk to you. These "Steam Mods" are not actual Valve staff, and NEVER share your details with them.
The red flags here are quite large. The people messaging you are people you've never interacted with. They ask you to message them, which Steam would never do, and if they deploy these dummy accounts, a close look shows they are very clearly fakes that just scrape info.

Luckily, unless you follow their instructions, there aren't any hacked accounts involved. All that needs to be done is report and block.

This is some great info, what are some steps I can do to counteract these attacks?
These attacks RELY on exploiting a person and RELY on that person doing something to give them access to the data they want. If you don't click their links, they can't run any sort of scripts in the browser, capture IPs, or steal any data. In RARE CASES, simply clicking a link CAN allow them to run scripts in your browser that can be malicious. These setups are way more sophisticated and dangerous. Most browsers have active protection systems to prevent these kinds of attacks, but it is possible. In less sophisticated attacks, they don't have anything useful until you give it to them, such as logins or sensitive info.

I know we've heard it all the time: "Don't use the same password everywhere", "Don't click links from people", "Don't log into sites you don't recognize", "Don't download stuff from people". But that is the basis of these attacks. They NEED you to do those things in order for this to work. They NEED you to victimize yourself through these practices in order to do anything useful.

So, your usual best practices: add 2FA to as much as possible, change passwords every now and again, and take caution even if it appears that they are people you know, love, and trust.

I had asked for this, or something to that effect, to be posted by leadership a month or so back, and since I haven't seen it, I'm making this post today.

I CANNOT STRESS HOW IMPORTANT IT IS THAT EVERYONE, INCLUDING YOU, TAKES PROACTIVE MEASURES!
I KNOW this sounds like something that doesn't work or something that you can't fall for.
MY BEST FRIEND TODAY, again, had an alt compromised by this. He's not someone who slouches on OpSec.
This can happen to ANYBODY, including you.

If you are leadership and you read this, I HIGHLY SUGGEST someone pins this somewhere visible.
If you are Admin, I am posting a Pt. 2 to this on the forums where you'd expect. Read this too. LE, I strongly urge you to look at both and discuss this internally with your teams.
 

nolyn

Rookie
to add on & give my take;
  • save passwords with browsers; if you happen to click a link and it doesn't autofill then gtfo
  • don't join random lobbies, they can get your IP
  • don't add randoms or anyone who isn't at least Steam level 5; level 5 takes like nothing to get & almost all users are higher than this
  • use Google/Apple/whatever autofill for new passwords, this will never be cracked unless there's a data breach
  • using Opera will come with a built-in shitty VPN specifically for browsing sketchy websites & allows you to control a lot of the browser, USE THIS TO YOUR ADVANTAGE
  • if any user tries to contact you about Steam/Discord/whatever & says they're an "admin/mod/ ANYTHING ridiculous or out of the ordinary", ignore. the only way these companies contact you is through email & you'll most likely receive a link directly back to the website to respond.
  • Discord is flooded with bots and they take minutes to make; I highly recommend going to privacy & safety -> safe direct messaging and having it on "My friends are nice", disabling direct messages from server members & under rich presence disabling "Allow friends to join your game".
  • if you have Spotify linked to Discord, once again settings -> connections and disable "Display on profile"; if you leave this on you can EASILY be doxed.
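The autofill tip above and the fake login form in the first post hinge on the same thing: a saved password is bound to an origin, and a lookalike host is a different origin, so a real password manager refuses to fill it. This is an added example (not code from the thread, from Valve, or from any browser), assuming a constructed list of saved Steam login hosts and constructed sample URLs:

```python
"""Origin check of the kind a browser password manager performs before
autofilling a saved login. The host list and sample URLs below are
constructed for this example, not taken from any real vault."""
from urllib.parse import urlsplit

# Assumed: the hosts a saved Steam credential is bound to (constructed).
SAVED_LOGIN_HOSTS = {"steamcommunity.com", "store.steampowered.com", "login.steampowered.com"}


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and convert Unicode labels to punycode,
    so a homoglyph host compares as the distinct name it really is."""
    host = host.rstrip(".").lower()
    return host.encode("idna").decode("ascii")


def autofill_decision(url: str, saved_hosts=SAVED_LOGIN_HOSTS) -> str:
    """Return 'fill' only when the page origin is a saved host (or one of its
    subdomains) over HTTPS; otherwise a short reason for refusing."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "refuse: not https"
    if not parts.hostname:
        return "refuse: no host"
    host = normalize_host(parts.hostname)
    for saved in saved_hosts:
        saved = normalize_host(saved)
        # Exact match or a true subdomain; 'steamcommunity.com.evil.example'
        # fails here because its suffix is '.evil.example', not the saved host.
        if host == saved or host.endswith("." + saved):
            return "fill"
    return f"refuse: {host!r} is not a saved origin"


# Constructed sample links of the kinds described in the thread.
SAMPLE_URLS = [
    "https://steamcommunity.com/login/home/",                 # real origin
    "https://store.steampowered.com/login/",                  # real origin
    "https://steamcommunity.com.login-verify.example/login",  # real name buried in a lookalike
    "https://steаmcommunity.com/login/",                       # Cyrillic 'а' homoglyph
    "http://steamcommunity.com/login/",                       # right name, no TLS
]


def triage(urls=SAMPLE_URLS) -> dict:
    """Map each URL to the autofill verdict a careful manager would give."""
    return {u: autofill_decision(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in triage().items():
        print(f"{verdict:55} {url}")
```

If a manager stays silent on a page that looks like the Steam login, that silence is the signal nolyn describes: the host is not the one the password was saved for.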
 

4g0tt3nSou1

All you had to do was follow the D*** Train, CJ
=(eGO)=
These are really good tips. I personally use a password manager and a VPN on a regular. None of my passwords are the same as they are randomgen. I am more than willing to share tricks and tools I use if you want them.
 

Dark Fry

Active Member
=(eG)=
Thank you for this @4g0tt3nSou1

Someone tried the first attack you mentioned on me recently through a friend's account that got compromised, a member of this community in fact. He lost his entire inventory on Steam to the attack apparently, and the attacker did a sweep of his friends list to try to get them linked to the dummy site you mentioned. Luckily, as soon as I saw the site I knew it was fishy, and steered myself away from it.

Account security is commonly neglected and people think that they can never be victimized. I respect that you raise awareness of this. I have fallen victim before to scams on a separate game and it could have easily been prevented if I had practiced the steps you suggest in this post. Cyber security is definitely important, and remember that not just you, but friends can also be affected.
 

4g0tt3nSou1

All you had to do was follow the D*** Train, CJ
=(eGO)=
I've had over 30+ messages from hacked friends saying: "Oh I reported you on accident" or "Could you vote for my CSGO team?" Unbelievable.
The problem is that there are too many users being hacked, and it's a logistics nightmare. Each case has to be manually handled, and it really is out of Steam's control. We alone are the only people who can stop this attack, through better security. Want to stop the bad guys? Go through and increase your security, and ask all your friends to. Maybe we spread it around enough that the problem becomes not profitable for the bad guys.
 

Ric

Go play TTT.
=(e)=
no matter what you type in this thread, im always gonna give my social security and credit card number to the guy with the Indian accent telling me my PC needs to be cleaned because i got a virus and only he can do it because he works for Microsoft
 

Mary

Rookie
no matter what you type in this thread, im always gonna give my social security and credit card number to the guy with the Indian accent telling me my PC needs to be cleaned because i got a virus and only he can do it because he works for Microsoft
you gotta do what u gotta do to get it fixed. respect 💯💯
 

Ledzo

EGO Is My Life!
=(eGO)=
no matter what you type in this thread, im always gonna give my social security and credit card number to the guy with the Indian accent telling me my PC needs to be cleaned because i got a virus and only he can do it because he works for Microsoft
Indjuns
 

Shark

Poster Extraordinaire
=(e)=
Best defense is user training. My company, like pretty much most corporations out there, does regular cybersecurity training for the average user against phishing and whatnot. People think it's a pain to do and a waste of time but never realize just how important and effective it is.
 

Meyers

meyers is a big dumb idiot
=(eGO)=
Best defense is user training. My company, like pretty much most corporations out there, does regular cybersecurity training for the average user against phishing and whatnot. People think it's a pain to do and a waste of time but never realize just how important and effective it is.
Hopefully your company's success rate after the training is higher than ours. It's not pretty constantly resetting AD passwords.
 