Steam Stealer Malware ‘Booming Business’ for Attackers Targeting Gaming Service

A new type of malware that targets Steam accounts has proliferated on the gaming service and become a “booming business” for cybercriminals over the last few months.

Malware that targets Steam accounts has proliferated on the gaming platform and become what researchers are calling a “booming business” for cybercriminals over the last few months.

The popular platform, owned by Valve, boasts 140 million users and is so ripe for attacks that according to the company, nearly 77,000 of them are tricked into giving up their sensitive information each month.

Gamers on Steam, an internet-based, multiplayer video game distribution network, frequently trade items with other gamers. Most use a credit card to buy content for games.

Santiago Pontiroli, a researcher with Kaspersky Lab’s Global Research and Analysis Team, and Bart P, an independent security researcher, published a thorough analysis of the service on Tuesday on Securelist and examined how malware targeting it has evolved through the last few years.

Attackers, especially over the last few months, have taken to using Steam Stealer, a type of malware used to steal credentials that originally evolved from code on a Russian forum and comes complete with upgrades, manuals, and advice for distribution. The malware is customizable, with “many APIs and libraries available that interface seamlessly with the Steam platform,” the researchers write.

The malware is mainly spread via fake, cloned websites, or via social engineering, with attackers sending direct messages to victims.

The malware has propagated chiefly because it’s cheap and easy to use, the researchers claim. While some stealer builds cost around $15, few builds exceed $30 USD. Most are as cheap as $3. For just $7, a cybercriminal can purchase a stealer, in addition to source code and a user manual, something that’s really opened the malware-as-a-service tools to more hackers.

“The focus on selling stealers to anyone with money to spend means that a staggering number of script-kiddies and technically-challenged individuals resort to this type of threat as their malware of choice to enter the cybercrime scene,” Pontiroli and Bart P said.

In the past attackers have dropped the malware on users via URL shortening services, storage sites like Dropbox and Google Docs, and a handful of phony game servers, fake voice software and screenshot sites. Recently attackers shifted to using fake Chrome extensions and gambling sites that claim to help users but in reality steal items and other information from unsuspecting users. Attackers have even begun using AutoIT wrappers to avoid detection and deploying RATs, like NanoCore and DarkComet, to spread Steam Stealers further.

The researchers state that over time, the attackers upped their social engineering game, made bots better at mimicking human behavior, and improved their delivery methods.

While Steam Stealers may be “rampant,” the two insist that there are mitigations Steam has implemented to prevent gamers from getting their information plundered.

Blocking URLs throughout the service, enabling two-factor authentication, and restricting chat invitations from strangers are just a few things users can do to thwart attackers wielding Steam Stealers.

“Remember that cybercriminals aim for numbers and if it’s too much trouble they’ll move on to the next target,” the researchers write.

Steam has never been a failsafe platform for gaming.

Last year Valve was forced to patch a vulnerability in the service that could’ve let an attacker hijack a user’s account by resetting their password. Back in April 2014, because of a separate vulnerability, researchers found a way to circumvent protections put in place by the service’s two-factor authentication tool, Steam Guard.
