A new Kaspersky Lab report (pdf) by security researchers Santiago Pontiroli and Bart P looks at the big business of Steam Stealers that “have turned the threat landscape for the entertainment ecosystem into a devil’s playground.”
Wannabe cyber crooks might turn to malware which steals Steam credentials because it’s incredibly cheap. The report said $3 will buy usage rights for a Steam platform credential stealer and $7 adds source code and a user manual. Researchers said comparative malicious campaigns usually start at the $500 range. There are Steam Stealers which cost more, but “it would be hard to find any stealer being sold for more than $30.”
The “Steam Stealer” breed of malware is simple to operate and is offered all over the place. In fact, the report says a “staggering number of script-kiddies and technically-challenged individuals resort to this type of threat as their malware of choice to enter the cybercrime scene.”
Steam has had a lot of problems with hijacked accounts over the years. “The ‘I got hacked’ story is told so frequently it's become commonplace,” Valve said in December. At that time, it was seeing about “77,000 accounts hijacked and pillaged each month” and so it deployed security changes.
The researchers were somewhat overwhelmed by what they found while investigating the many and varied types of Steam Stealers, saying, “While collecting samples for this research we quickly became aware of how much we had underestimated the size of this campaign.” The report details numerous Trojans used to steal credentials and the percentage of infected gamers by country between January 2015 to January 2016.
Steam Stealer malware morphed from having no security measures to having obfuscated code in an attempt to sneak past detection software. Past trends include the malware bypassing Steam’s CAPTCHA, being integrated into binaries for fake TeamSpeak and Razer Comm software, and the use of Dropbox, Google Docs, Pastebin and others to host or fetch the stealers. Steam Stealers often include .NET support. “The rise of Trojans and the increased use of Microsoft’s flagship development framework go hand in hand,” the researchers wrote, “making the lives of all developers (including those with a not so white hat) easier.”
The researchers showed off the image below as “an almost perfectly-cloned website for the gaming messenger Razer Comms, which, together with TeamSpeak is one of the most popular baits used by cybercriminals.”
Although the report referenced the new Steam record of more than 12 million concurrent players, the Christmas attack and caching issues which ultimately resulted in 34,000 gamers having their personal information served up to strangers, the researchers also listed current Steam Stealer trends. Gamers should be aware of the use of fake Chrome extensions, such as was used to steal from gamers’ Steam inventory. And believe it or not, “with the surprising price of hard-to-get items, ‘inventory stealing’ is not going away anytime soon and it reveals new methods for obtaining goods from its victim.”
Other current Steam Stealer trends include the use of fake gambling sites, fake deposit bots, AutoIT wrappers in an attempt to make analysis more difficult, and the use of RATs such as NanoCore or DarkComet. Cyber thugs in Eastern Europe have long been interested in stealing Steam credentials; with over a 125 million active Steam accounts worldwide and more than 7,000 games on Valve’s multi-OS platform, it’s too juicy of a target to stop attracting cybercriminals worldwide.
While the researchers’ predictions for what’s to come include “several interesting ideas,” they “do not want to give the creators of Steam Stealers a roadmap for their activities.” They added, “We have already seen ransomware attacking videogame players with creations such as ‘TeslaCrypt’, and we fear that combining different malware families could become a potential nightmare and up the ante in this never-ending game.”
The researchers advised gamers to stay on top of Steam’s updates and new security features. “Enable two-factor authentication via Steam Guard as a bare minimum,” they wrote before adding:
Bear in mind that propagation is mainly (but not solely) done either via fake cloned websites distributing the malware, or through a social engineering approach with direct messages to the victim. Always have your security solution up to date and never disable it; most products nowadays have a “gaming mode” which will let you enjoy your games without getting any notifications until you are done playing. We have listed all the options Steam offers users to protect their accounts. Remember that cybercriminals aim for numbers and if it’s too much trouble they’ll move on to the next target. Follow these simple recommendations and you will avoid becoming the low hanging fruit.
You can read more on Kaspersky’s Securelist blog or via the research paper (pdf).