Despite the fact that the one-to-many type of malicious campaign continues dominating the threat landscape, cybercriminals are constantly looking for new ways to better tailor their campaigns to the needs, wants, and demands of potential customers. Utilizing basic marketing concepts such as localization, market segmentation, as well as personalization, today’s sophisticated cybercriminals would never choose to exclusively specialize in one-to-many or one-to-one marketing communication strategies. Instead, they will multitask in an attempt to cover as many market segments as possible.
In this post, I’ll emphasize on a targeted attacks potentially affecting Steams’ users, thanks to the commercial availability of a DIY (do it yourself) Steam ‘information harvester/mass group inviter’ tool, currently available at multiple cybercrime-friendly online communities. What’s so special about the application? How would cybercriminals potentially use it to achieve their fraudulent objectives? How much does it cost? Is the author/vendor of the application offering access to its features as a managed service?
For years, cybercriminals have been trying to capitalize on the multi-billion dollar PC gaming market. From active development of game cracks and patches aiming to bypass the distribution protection embedded within the games, to today’s active data mining of a botnet’s infected population looking for gaming credentials in an attempt to resell access to this asset, cybercriminals are poised to capitalize on this market.
What are some current trends within this market segment, and how are today’s modern cybercriminals monetizing the stolen accounting data belonging to gamers internationally? Pretty simple – by automating the data mining process and monetizing the results in the form of E-shops selling access to these stolen credentials.
In this post, I’ll profile a recently launched Russian service selling access to compromised Steam accounts.
A phishing campaign that started around the beginning of the year, targeting gamers who use Valve Software’s Steam network, continues unabated but with a twist: The phishers have registered dozens of domain names, such as trial-steam.tk or steamcommunity###.tk (where the ### can be a two or three digit number), which are used to host the phishing pages. The pages appear to be a “Steam Community” login page which looks identical to Valve’s Steam Community Web site.
There are a few ways you can quickly identify whether you’re on the right page, or a fake. For one, the real Steam Community page is a secure HTTP page, so you should see the “https” in the address bar, and the lock icon in the corner of the browser window. By clicking on this icon, you can view the valid security certificate information, which clearly shows that the site is owned by Valve.
Another way you can tell that you’re on the correct Steam login page is to try using the “Select your preferred language” dropdown at the top of the window to change to any language other than English. If you’re on Steam’s page, the language will change; If you’re on the phisher’s page, it simply refreshes and remains set to English, no matter which language you pick. Also, the real Steam page features a cartoony graphic of “players” chatting amongst themselves which changes periodically. The phishers’ pages always have the same static graphic, shown above.