Spoof site seeks to dupe users with well-crafted pop-up

Video game fans have once again been urged to exercise caution when it comes to clicking links that appear in their Steam account inbox, after one researcher discovered an “innovative” phishing technique that does a pretty good job of masking the scammers’ intentions.

As one of the world’s biggest digital distribution platforms for video games, Steam features a range of community UX elements, such as friends lists and the ability to trade in-game items with other users.

While this strong community focus has helped Steam to stand out in an increasingly crowded marketplace, it also leaves users open to deceptive practices.

The need for vigilance on the platform was again underlined over the weekend, when a 22-year-old computer science major with the handle ‘Aurum’ provided details of a new phishing scam making the rounds.

“Near the end of the ‘trade’ discussion, [the scammer] asked me to log in to a convenient Steam backpack pricing website so they could get an idea of how much my stuff was worth,” Aurum said.

“The site in question was our fancy phishing website, https://[redacted].cash. The website was essentially a copy of a legitimate Steam trading website, https://skins.cash.”

According to the researcher, not only did the phishing site attempt to dupe users with a valid SSL certificate, but a small piece of JavaScript would also trigger a pop-up saying that the server was under high load and asking the victim to log in with their Steam account for access to the site.

Although the scammers had created a legitimate-looking pop-up, Aurum discovered it did not result in two instances of Chrome in the task bar, and that it was “just a drawn up window inside of the phishing website”.

“They had even made some clickable buttons for the Chrome UI elements,” he said. “This was confirmed by trying to right click on the title bar area of the pop-up, which opened up the right click context menu of a web page instead.”
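Because the pop-up is drawn inside the phishing page, any password field in it belongs to the phishing site's document, whatever address the drawn window displays. The check below is an added example, not code from Aurum or The Daily Swig, showing how a browser extension or crawler could flag that mismatch. The snapshot format, the function names, the list of Steam login hosts, the `phish.example` stand-in and the premise that the fake window shows a Steam address are all assumptions.

```javascript
// Added example: flags credential forms that display a Steam login address
// while living in a document served from some other origin.
// Assumption: hosts where a genuine Steam sign-in form is served.
const STEAM_LOGIN_HOSTS = ["steamcommunity.com", "store.steampowered.com"];

// Host names that appear in visible text, with or without a scheme.
const HOST_IN_TEXT = /(?<![\w.-])(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})/gi;

function isSteamLoginHost(host) {
  const h = host.toLowerCase();
  // Exact match or a true subdomain; "steamcommunity.com.evil.example" fails both.
  return STEAM_LOGIN_HOSTS.some((s) => h === s || h.endsWith("." + s));
}

// containers: [{ id, documentUrl, hasPasswordInput, visibleText }]
// documentUrl is the URL of the document (top-level page or iframe) that
// actually hosts the container, which is where typed credentials are exposed.
function findSpoofedSteamLogins(containers) {
  const findings = [];
  for (const c of containers) {
    if (!c.hasPasswordInput) continue;
    const actualHost = new URL(c.documentUrl).hostname;
    if (isSteamLoginHost(actualHost)) continue; // genuine Steam document
    for (const m of c.visibleText.matchAll(HOST_IN_TEXT)) {
      if (isSteamLoginHost(m[1])) {
        findings.push({ id: c.id, claimedHost: m[1].toLowerCase(), actualHost });
        break; // one finding per container is enough
      }
    }
  }
  return findings;
}

// Constructed sample snapshot; phish.example stands in for the redacted domain.
const SAMPLE_CONTAINERS = [
  { id: "overlay", documentUrl: "https://phish.example/", hasPasswordInput: true,
    visibleText: "Steam Community - Google Chrome | https://steamcommunity.com/openid/login | Sign in" },
  { id: "real-iframe", documentUrl: "https://steamcommunity.com/openid/login",
    hasPasswordInput: true, visibleText: "Sign in to steamcommunity.com" },
  { id: "footer", documentUrl: "https://phish.example/", hasPasswordInput: false,
    visibleText: "Prices sourced from steamcommunity.com" },
];

console.log(findSpoofedSteamLogins(SAMPLE_CONTAINERS));
```

Only the drawn overlay is reported: the genuine iframe is served from a Steam host, and the footer has no password field.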

Scam powered

Attacks of this nature are certainly nothing new. A similar technique is outlined in this paper from way back in 2007.

However, the use of positive trust indicators and an anti-debugging script, which serves to hinder the investigative efforts of tech-savvy users, suggests that scammers are going to increasing lengths to steal your account details.

Steam already includes detailed guidance aimed at helping users keep their accounts safe.

The Daily Swig has reached out to the platform’s owners, Valve Corporation, for further comment.

