Gamers Beware: Malware Hunts Steam, Epic and EA Origin Accounts

The BloodyStealer trojan helps cyberattackers go after in-game goods and credits.

There’s a new cybersecurity threat to gamers: An advanced trojan, dubbed BloodyStealer, has emerged on underground forums and is being used to steal gamer accounts on various platforms, including Steam, Epic Games Store and EA Origin.

Demand for stolen gamer data throughout the underground markets is increasing, experts at Kaspersky say, making compromising those accounts a priority for cybercriminals of all stripes. And BloodyStealer makes it a snap, for cheap.

The first signs of BloodyStealer, according to Kaspersky’s latest report on gaming threats, emerged last March on the Dark Web, where it was being sold for less than $10 for a one-month subscription — and for just $40 for a lifetime subscription.

Stolen Gamer Accounts Selling for an ‘Attractive Price’

The stealer swipes data, including cookies, passwords, forms, bank-card information saved in browsers, screenshots, login memory and application sessions, according to Kaspersky.

The research also found a big demand on the darknet for stolen gamer accounts. Kaspersky observed these accounts are selling for about $14.20 for 1,000 accounts — which equates to anywhere from 1 percent to 30 percent of the price these accounts would demand if sold individually. The report added that those rates represent an “attractive price” for cybercriminals.

Access to accounts means access to in-game goods and credits. In-game purchases are what make gaming profitable, and according to James McQuiggan, security awareness advocate at KnowBe4, add-ons are also the big prize for threat actors.

“Online gaming is very profitable for the developers, mainly because of the add-ons or additional features provided by paying a little extra for an outfit or weapon for a character,” McQuiggan said. “These all add up, and if a cybercriminal gains access to the user’s profile, they can sell off or steal the material and leave the victim virtually penniless.”

BloodyStealer’s Anti-Debugging Tools  

Ads for the malware promised that BloodyStealer could evade detection, analysis and even reverse engineering, which is why Kaspersky researchers said they decided to take a closer look. They reported BloodyStealer does use packers and anti-debugging tools that make detection more challenging.

“The stealer is sold on the underground market and customers can protect their sample with a packer if they prefer, or use it as part of another multi-stage infection chain,” the report added.

Kaspersky’s gaming report added that BloodyStealer attacks have already been detected in Europe, Latin America and the Asia-Pacific region. The attackers have multiple places they can go to sell the stolen account data, including Telegram channels dedicated solely to selling gamer account access, researchers said.

The pandemic and resulting increase in screen time has helped fueled a renewed general interest in attacking gaming platforms, according to Akamai’s 2020 gaming report released in June. In fact, Akamai found a staggering 340 percent jump in attacks on the gaming industry in 2020.

Gamer Account Data Protections

It falls largely on gamers themselves to know how to keep their account information protected. Kaspersky recommends reviewing all account settings, enabling two-factor authentication and being very cautious about both external clicks and downloads.

“Gaming accounts are clearly hunted by cybercriminals, so if you want to enjoy gaming peacefully and not worry that your in-game credit or accounts will be gone, make sure you protect your account through two-factor authentication and use a reliable security solution to protect your devices,” Kaspersky researcher Dimitry Galov advised.

Rule #1 of Linux Security: No cybersecurity solution is viable if you don’t have the basics down. JOIN Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the 4 Golden Rules of Linux Security. Your top takeaway will be a Linux roadmap to getting the basics right! REGISTER NOW and join the LIVE event on Sept. 29 at Noon EST. Joining Threatpost is Uptycs’ Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time.


Suggested articles