Steam players – beware of fake skins as phishers try to hijack accounts

Phishing scammers have once again targeted users of the popular Steam gaming service, it was revealed this week.

The credential-stealing scam, first reported by security researcher ‘nullcookies’ on Twitter, offers new skins every day. A skin is a modification providing a new look and feel for items in Steam’s online games, and they are in hot demand. There are entire digital marketplaces dedicated to trading them.

The scammers post to a Steam user’s profile. A typical message reads:

Dear winner! Your SteamID is selected as winner of Weekly giveaway. Get your ☆ Karambit | Doppler on giveavvay.com.

A quick search reveals over a hundred Steam profiles displaying similar text.

The URL, which Cloudflare now flags as a suspected phishing scam, appears to be down. The screenshot posted on nullcookies’ Twitter account shows a site offering a $30,000 giveaway, featuring a selection of 26 loot boxes.

Picture-in-picture Steam phish using a bogus giveaway as bait.

giveavvay^.com

Of interest: webdev0^.com/base/js/faker_secrets.js pic.twitter.com/tFJQgiLpmU

— nullcookies (@nullcookies) November 30, 2019

Bleeping Computer explains that the site asked for a user’s login credentials, promising that in exchange, the words STEAM RAIN would appear in a chat window on the left of the screen. Clicking on the link would score the victim one of the free skins on offer that day, said the scam site.

The chat window was, of course, a fake, as was the whole proposition. Victims who clicked on the link met a fake Steam login form that took their information for the crooks to use. That enabled them to perpetrate more fraud by using the victim’s account to post the same phishing link.

This phishing attack is notable because it is so convincing. Often, phishing websites feature poor language or spelling mistakes, but this scam went to extra lengths to convince victims that it was real. For example, the crooks reportedly used JavaScript to randomly select phrases from a list, periodically updating the chat window.

The site even included a faux Steam Guard two factor authentication (2FA) screen that sends a special access code to the address that the user entered, just as Steam’s real 2FA mechanism does. This all helped to lull the user into a false sense of security.

Phishing scams gravitate towards heavily used online services like banks and popular email account providers. Steam is one of the most successful online gaming providers, peaking at around 14.5 million concurrent users this week. It’s no wonder, then, that this isn’t the only phishing attack that its users have endured.

Other scams have reportedly lured gamers into clicking on screenshots of items offered for sale, triggering drive-by downloads, while some phishers have pretended to be Steam’s operators warning of a security problem.