So recently, I've been noticing and monitoring a rather unsettling number of phishing attacks on Steam. Phishing is something that's often not really talked about, and it's wrongfully dismissed. The effects of phishing are way crazier if you look at the bigger picture.
But first, what is Phishing?
Essentially, using fake or lookalike sites, apps or messages to trick you into handing over data such as credentials, session tokens or financial info.
Why does this matter to you?
Well, in the case of Steam, the attackers also like to do a little bit of impersonation. These attacks have multiple victims: you, and anyone who has associated with you. They typically farm credentials in order to act as you, then go after the people on your friends list or people you have messaged in order to victimize them as well. They pose as people you know or your friends and try to trick you into falling for the attack, because it looks like it was sent from a trusted source. You wouldn't expect your friends to send you something malicious, and that is exactly what they exploit.
This hurts the people around you on top of stealing your credentials (and if you are like the average user, you reuse the same password in more than one place, so now they have those accounts too if you aren't careful), and possibly other data like bank info. Unlike most other attacks, phishing sets off a spreading chain reaction that impacts not just you but the people around you, and the people around them, and so on.
What are some examples of phishing in steam?
Lately, I have seen two prevalent attacks. One baits you with a fake CS:GO match, team or tournament invite; the other claims that you have been falsely reported for scamming.
All of these attacks are carried out by another human. I have yet to see these automated, and it's likely they won't be for some time, as this requires more social engineering than a bot can achieve. Let's talk about the first one.
The premise of this first attack is to get you to log into a fake login form that LOOKS like a real Steam login page but actually just sends your credentials straight to the attacker's database. The whole attack centers on you logging into something in order to do something seemingly harmless (join the match, accept the team invite, register for the tournament). Sometimes these pages carry red flags that give away that this isn't the legitimate site: a domain that is almost but not quite steamcommunity.com or steampowered.com, a login prompt embedded in an unrelated page, or a popup that can't be dragged outside the browser window. But as the old wisdom goes, don't log into sites you don't trust, and check the address bar before you type a password.
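As an added example (this is not part of the original post and not Valve's or Steam's own code), here is a small Python check for the "does this link actually point at Steam" red flag. It flags the tricks these fake login pages rely on: one-letter typosquats, look-alike characters such as "rn" for "m" or "l" for "i", the real brand buried as a subdomain of someone else's domain, the "user@host" URL trick, and punycode/non-ASCII hosts. The legitimate-domain list and the sample links are assumptions constructed for the demonstration, and the registrable-domain rule is deliberately naive (last two labels); a real tool would use a public-suffix list.

```python
"""Flag links that imitate Steam's login pages (typosquats, homoglyphs,
subdomain bait, the user@host trick, punycode).

Added example for this post; not Valve/Steam code. LEGIT_DOMAINS and the
sample links in demo() are assumptions constructed for the demonstration.
"""
from urllib.parse import urlsplit

# Domains Steam actually signs you in on (assumption; extend as needed).
LEGIT_DOMAINS = ("steamcommunity.com", "steampowered.com")

# Characters phishers swap in because they look alike at a glance.
# Both the suspect host and the legitimate name are folded with this
# table, so it only has to be consistent, not "correct".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l",
                            "3": "e", "4": "a", "5": "s", "7": "t"})


def fold(s: str) -> str:
    """Normalise look-alike characters and digraphs ('rn' reads as 'm')."""
    return (s.lower().replace("rn", "m").replace("vv", "w")
            .replace("-", "").translate(HOMOGLYPHS))


def registrable_domain(host: str) -> str:
    """'store.steampowered.com' -> 'steampowered.com'. Naive last-two-labels
    rule; fine for .com hosts, use a public-suffix list in real code."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1-2 from a brand is classic typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'legit', 'lookalike' or 'unknown'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host:
        return "unknown", "no hostname in link"
    # https://steamcommunity.com@evil.example/ : the browser goes to evil.example,
    # the text before '@' is just bait shown to the victim.
    if "@" in parts.netloc:
        return "lookalike", f"'@' trick; real host is {host}"
    domain = registrable_domain(host)
    if domain in LEGIT_DOMAINS:
        return "legit", f"{host} is under {domain}"
    # Punycode / non-ASCII hosts: IDN homograph territory, never a Steam domain.
    if (any(label.startswith("xn--") for label in host.split("."))
            or any(ord(c) > 127 for c in host)):
        return "lookalike", f"internationalised host {host}"
    fhost = fold(host)
    base = fold(domain.split(".")[0])
    for legit in LEGIT_DOMAINS:
        name = fold(legit.split(".")[0])
        # Brand name buried in the host (steamcommunity.com.verify.example,
        # steam-community-login.example) or one or two edits away from it.
        if name in fhost or levenshtein(base, name) <= 2:
            return "lookalike", f"{host} imitates {legit}"
    return "unknown", f"{domain} is not a Steam domain"


def demo() -> list[tuple[str, str, str]]:
    """Run the classifier over constructed sample links (not real phishing URLs)."""
    samples = [
        "https://steamcommunity.com/login/home/",
        "https://store.steampowered.com/login/",
        "https://steamcommunlty.com/login",                   # l for i
        "http://steamcomrnunity.example/tourney",             # rn for m
        "https://steamcommunity.com.verify-login.example/",   # brand as subdomain
        "https://steamcommunity.com@attacker.example/",       # '@' trick
        "https://discord.com/",
    ]
    return [(u, *classify_link(u)) for u in samples]


if __name__ == "__main__":
    for url, verdict, reason in demo():
        print(f"{verdict:9} {url}  ({reason})")
```

The check deliberately returns "unknown" rather than "legit" for anything that is not under a Steam domain: a link that merely fails to look like Steam is not proof it is safe, and the point of the post stands, if the page asks for a Steam login and the address bar is not steamcommunity.com or steampowered.com, don't type anything.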
Now, what's interesting about these attacks is that they CAN BYPASS Steam Guard: the fake page walks you through the Steam Guard prompt as well, so what the attacker ends up with is a session that has already passed the 2FA check, not just a password. Obviously, this gives the attack a lot more fangs; bypassing 2FA isn't something to shrug at. They can keep using that session until it is revoked, so if you think you fell for one, don't just change the password: go into your Steam Guard settings and deauthorize all other devices as well, since a password change alone does not necessarily kill a session that is already logged in.
Now, this attack has one major flaw. We as gamers are typically connected to our friends over multiple platforms. My surefire way to test for a red flag is this: anyone on Steam I talk to has my Discord, and typically they'd message me there before messaging me on Steam. If you know the sender, ask them to message you on that other platform. This stops 95% of these attacks, as the attacker doesn't actually have access to that other platform. It acts as a sort of verification that whoever you are talking to is actually someone you know. JUST TODAY, I SHIT YOU NOT, my best friend's alt was hacked and they tried this kind of attack on me. As soon as "he" asked if I had a minute I knew it wasn't my friend, as he would've contacted me on Discord way before he would've on Steam. I instantly messaged my buddy, and sure enough, it wasn't him.
Doing this verification defeated the attack instantly. VERY RARELY, from what I've seen, will these attackers already have access to multiple accounts, so use that to your advantage.
Ok, that is one type. Now the second one.
The second attack I have seen a lot of is a setup where you get added or messaged by someone you don't know, asking you whether an account they link is yours (it typically is). They will claim that they falsely reported you, or that you scammed them and they reported you.
They will then show some sort of falsified evidence that they messaged a "Steam Mod" about it.
They will then ask you to message the person they spoke to, in order to settle the dispute. Sometimes they will ask you to message this "Steam mod" off-platform.
SOMETIMES they will even build clone accounts that LOOK like your profile. They grab profile pics, names, descriptions, and will even set vanity URLs, to make the account look as close to yours as they can. They typically set the profile to private so as to hide the indicators that would give away that it isn't you, such as friends, game counts, playtime, etc.
Now, Steam WILL NEVER ask you to message THEM. Steam Support contacts you through the help site and your email, not through Steam chat or other platforms. Valve also operates on more of a "ban first, ask later" basis: if this were legit, they'd suspend you first, then talk to you. These "Steam Mods" are NOT actual Valve staff, and you should NEVER share your details with them.
The red flags here are quite large. The people messaging you are people you've never interacted with. They ask you to message someone, which Steam would never do, and if they deploy these dummy accounts, a close look shows they are very clearly fakes that just scrape info from your public profile.
Luckily, unless you follow their instructions, there aren't any hacked accounts involved. All that needs to be done is report and block.
This is some great info, but what steps can I take to counter these attacks?
These attacks RELY on exploiting a person, and RELY on that person doing something to give the attacker the data they want. If you don't click their links, they can't run any sort of script in your browser, learn your IP, or steal any data. Be aware that simply visiting a link does hand the site your IP address and browser details, and in RARE CASES a page CAN run malicious scripts against you without you entering anything. Those setups are far more sophisticated and dangerous than the ones seen here; modern, up-to-date browsers sandbox pages and block known malicious sites, but it is possible. In the less sophisticated attacks covered here, they don't have anything useful until you give it to them, such as logins or sensitive info.
I know we hear it all the time: "Don't use the same password everywhere", "Don't click links from people", "Don't log into sites you don't recognize", "Don't download stuff from people". But those behaviours are the basis of these attacks. They NEED you to do those things in order for this to work. They NEED you to victimize yourself through those habits before they can do anything useful.
So, the usual best practices: add 2FA to as much as possible, use a password manager so every site gets its own password, change passwords every now and again (and immediately, along with deauthorizing other devices, if you think an account was phished), and stay cautious even when it appears to be someone you know, love, and trust.
I had asked for this, or something to its effect, to be posted by leadership a month or so back, and since I haven't seen it, I'm making this post today.
I CANNOT STRESS HOW IMPORTANT IT IS THAT EVERYONE, INCLUDING YOU, TAKES PROACTIVE MEASURES!
I KNOW this sounds like something that doesn't work or something that you can't fall for.
MY BEST FRIEND, TODAY, had an alt compromised by this. He's not someone who slouches on OpSec.
This can happen to ANYBODY, including you.
If you are leadership and you read this, I HIGHLY SUGGEST someone pins this somewhere visible.
If you are Admin, I am posting a Pt. 2 to this on the forums where you'd expect. Read that too. LE, I strongly urge you to look at both and discuss this internally with your teams.