According to Bleeping Computer, an elaborate scam has been found that promises a free Steam game but instead steals the user’s account, takes control of it, and then uses it to target the victim’s friends. The scam works by sending the user a URL that promises a free Steam game. When the user visits the website, they are redirected to a site that the hacker controls. The hacker’s site looks very professional and has a button to “roll” for a random free game. The attackers use some of the most popular games, such as PUBG, CSGO, Tropico 4, Assassin’s Creed and more. Once the roller stops, the site displays part of a Steam code and a link to log in to the user’s Steam account. The login page is controlled by the attacker, and once the user enters their credentials, the hacker starts changing the account’s password, email address, and associated phone number. The hackers then use the stolen account to message the victim’s friends with the scam and, if the victim has game items saved, steal and/or sell off the inventory. If the attackers change the email address, the original address will receive a change-of-address notification. Because of the speed at which the victim’s inventory is removed, Steam stated that they will not restore the lost items.