New Threat Research: MalSync Teardown: From DLL Hijacking to PHP Malware for Windows  

Read Threat Research

Search

Elaborate Steam Account Theft Scam

An elaborate scam has been found, according to Bleeping Computer, that promises a free Steam game but instead, steals a user’s account, takes control and then incorporates the victim’s account to target the victim’s friends.  The scam works by sending the user a URL that promises a free Steam game. When the user visits the website, they are redirected to a site that the hacker controls. The hacker’s site looks very professional site, which has a button to “roll” for a random free game. The attackers use some of the most popular games such as PUBG, CSGO, Tropico4, Assassin’s Creed and more. Once the roller stops, the site will display part of a Steam code and a link to login to the user’s Steam account. The login page is controlled by the attacker and once the user enters their credentials, the hacker starts changing the account’s password, email address, and associated phone number. The hackers then use the stolen account to message the victim’s friends with the scam and if the victim has game items saved, will steal and/or sell off the stolen inventory.  If the attackers change the email address, the original will receive a change in address notification. Due to the speed of the victim’s inventory being removed, Steam stated that they will not restore the lost items.

Analyst Notes

If a user falls for this scam and receives the email notification that their email has been changed, the user can open an account recovery support ticket and Steam will help recover the hacked account. Attackers are showing more complexity in their scams so it should be remembered to only enter Steam login credentials on the official website https://steamcommunity.com. It is also recommended to have 2-factor authentication configured. Lastly, if it seems too good to be true then it isn’t.