A month or so ago a friend of mine received the following message on Steam from someone in their Friends list (they were already friends):
Figure 1 - 'this is for you'
The two links are different and refer to a Gift Card on Steam's community platform. As you might have noticed, the domain is not related to Steam at all, but rather is an attempt at phishing.
The differences are subtle enough that you may just miss it. When you click on the link, you are redirected to a 'Summer Gift Marathon'.
Figure 2 - Fake Steam website
Once you log in to the fake Steam website, your credentials are stolen and will be used to spread more phishing, likely steal your inventory items and so on.
Other phishing sites related to this campaign are:
New ones do pop up from time to time, so stay vigilant.
Tips
Only log in on the legitimate Steam community website, this being https://steamcommunity.com/. An extra tip is to bookmark the legitimate site, so even if you do get a message like this, you can go straight to your bookmark and search what you need from there.
If someone new tries to add you as a Friend and immediately sends a message like the above, alarm bells should start ringing.
If someone already on your Friends list suddenly sends a random message with an even more random link out of the blue, cue the alarm bells again.
If you want to check the website out in a safe manner, then you can use URLscan.io, which will give you a verdict of the website as well as an image preview. In addition, you can use VirusTotal to review a website's reputation.
Note that an 'all clean' does not necessarily mean it is. Caution above all!
Follow Steam's Account Security Recommendations to stay safe.
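The first tip can be turned into a mechanical check. The sketch below is an added example, not part of the original post: it accepts a link only if its host is on a short allowlist and flags near-miss spellings of the Steam names. Including steampowered.com in the allowlist is an assumption, and the sample links are constructed on the reserved .example TLD.

```python
from urllib.parse import urlsplit

# steamcommunity.com is the login site named in the post; steampowered.com
# (the Steam store) is added here as an assumption.
LEGIT_DOMAINS = ("steamcommunity.com", "steampowered.com")
BRANDS = [d.split(".")[0] for d in LEGIT_DOMAINS]


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, max_distance=2):
    """Return 'legit', 'lookalike' or 'unrelated' for the host in `url`."""
    # urlsplit().hostname drops userinfo and port, so "legit.com@other.host"
    # is judged by the host the browser would actually contact.
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "")
    host = host.rstrip(".").lower()
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legit"
    for label in host.split("."):
        label = label.replace("-", "")
        for brand in BRANDS:
            # Brand embedded in a label, or a near-miss spelling of it.
            if brand in label or edit_distance(label, brand) <= max_distance:
                return "lookalike"
    return "unrelated"


# Constructed sample links (reserved .example TLD), not the campaign's domains.
SAMPLES = [
    "https://steamcommunity.com/id/someone",
    "http://steamcommunlty.example/gift",
    "https://steamcommunity.com.gift-cards.example/login",
    "https://steamcommunity.com@gifts.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):10} {link}")
```

Anything other than 'legit' is not a place to enter Steam credentials; 'unrelated' only means the host does not imitate the Steam names, not that it is safe.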
In this blog post, we'll have a quick look at fake versions of Steam Desktop Authenticator (SDA), which is a "desktop implementation of Steam's mobile authenticator app".
Lava from SteamRep brought to my attention a fake version of SDA floating around, which may be attempting to steal your Steam credentials.
Indeed, there are some fake versions - we'll discuss two of them briefly.
Fake version #1
The first fake version can be found on steamdesktopauthenticator[.]com. Note that the site is live, and appears at the top of Google Search when searching for "Steam Desktop Authenticator".
Figure 1 - Fake SDA website
When downloading the ZIP file from the website, and unzipping it, we notice the exact same structure as you would when fetching the legitimate package - with one difference: the main executable has been modified.
Note that the current and real SDA version is 1.0.8.1, and its original file size is 1,444 KB - 2 bytes of difference can mean a lot. Figures 2 and 3 below show the differences.
Figure 2 - Sending credentials to steamdesktopauthenticator[.]com
Figure 3 - Sending credentials to steamdesktop[.]com
Indeed, it appears it also attempts to upload to another website - while digging a bit further, we can also observe an email address associated with the domains: mark.korolev.1990@bk[.]ru
While I was unable to immediately find a malicious fork with any of these domains, Mark has likely forked the original repository, made the changes - then deleted the fork. Another possibility is that the source was downloaded, and simply modified. However, it is more than likely the former option.
Fake version #2
This fake version was discovered while attempting to locate Mark's fork from the fake version above - here, we have indeed a malicious fork from GitHub, where trades/market actions appear to be intercepted, as shown in Figure 4 below.
Figure 4 - Malicious SDA fork
Currently, when trying to access the malicious site lightalex[.]ru with a bogus token, a simple "OK" is returned - it is currently unknown whether market modifications would be successful.
Interestingly enough, when digging deeper on this particular domain, which is currently hosted on 91.227.16[.]31, it had hosted other SteamStealer malware before, for example cs-strike[.]ru and csgo-knives[.]net.
The malicious fork has been reported to GitHub.
Disinfection
Neither fake SDA version reported here appears to implement any persistence. In other words: remove the fake version by deleting it, then perform a scan with your current antivirus and a scan with another, online antivirus, or with Malwarebytes for example.
Additionally, de-authorize all other devices by clicking here and selecting "Deauthorize all other devices".
Now, change your password for Steam, and enable Steam Guard if you have not yet done so.
Prevention
Prevention advice is the usual; extended advice is provided in a previous blog post here.
You may also want to take a look at SteamRep's Safe Trading Practices here.
SteamStealer malware is alive and well, as seen from my January blog post. This is again another form of attempting to scam users, and variations will continue to emerge.
Follow the prevention tips above or here to stay safe.