Recently, the Zscaler ThreatLabZ team came across multiple fake Counter-Strike: Global Offensive (CS:GO) skin websites aimed at stealing Steam credentials. These sites use an uncommon phishing technique that is difficult to detect. A similar campaign was seen in December 2019 and the campaign is still up with few enhancements, such as using a fake browser pop-up window for login along with some anti-analysis techniques, which are discussed in this blog.
Steam is a video game digital distribution service that provides automatic updates for various games. Steam has also expanded into an online web-based and mobile digital storefront. Steam offers digital rights management (DRM), matchmaking servers, video streaming, and social networking services, and it provides users with installation and automatic updates of games as well as several community features.
Steam is highly popular among gamers as it allows for multiplayer capabilities. How popular? According to statistics on the company website, the Steam platform has between 10 and 20 million concurrent users playing on any given day. At the time of this publication, the Steam site was showing more than 700,000 users currently playing CS:GO. The all-time peak number of concurrent users for CS:GO was 854,801.
Due to its popularity, the Steam platform has also become a popular target for attack. Cybercriminals will attempt to hijack a Steam account so they can launch other scams and attacks and steal or trade the victim's items.
The phishing site looks much like the real one. To make the phishing sites appear more legitimate, there is a fake chatbox with randomly selected phrases based on current events. The following screens show the phishing CS:GO site (top) and the actual CS:GO site (bottom).
Figure 1: Phishing CS:GO site
Figure 2: Legitimate CS:GO site
To perform a custom search or add items to a cart, users are asked to sign in with their Steam credentials. As the user clicks on the “Sign in through STEAM” button, a Steam login window pops up.
Figure 3: The Steam login window
Normally, the measures taken by a user to detect a phishing site include checking to see if the URL is legitimate, whether the website is using HTTPS, and whether there is any kind of homograph in the domain, among others.
In this case, everything looks fine as the domain is steamcommunity[.]com, which is legitimate and is using HTTPS. But when we try to drag this prompt from the currently used window, it disappears beyond the edge of the window as it is not a legitimate browser pop-up and is created using HTML in the current window.
Figure 4: The fake browser pop-up window disappears beyond the edge
Figure 5: The fake browser pop-up window created using HTML
From the above screenshot, you can see that the browser header, address bar, and buttons to resize the window all are designed in HTML. Attackers have designed it precisely to make it look legitimate; for example, the color of the domain is slightly darker than the URI portion, and the color of the HTTPS part changes on mouseover.
When the victim clicks on the “Sign in through STEAM” button, the above discussed fake browser pop-up gets loaded from the below URL.
Figure 6: The fake Steam login page, which is used as a pop-up on the main page
If a user falls for this phishing and enters the login credentials, the credentials are sent to the attacker and the user is redirected to the legitimate site (hxxps://bitskins[.]com).
After two levels of deobfuscation, we can see the script that detects whether the browser console is open. If it is open, the script activates a function, debug322(), which executes a “debugger” statement to stop the execution of the code.
Figure 8: The deobfuscated code to detect the browser console
Figure 9: The execution of the “debugger” statement as the console is opened
As of now, ThreatLabZ has detected more than 200 domains as part of this campaign, and there are multiple other templates used in this campaign with similar functionalities, as discussed above.
Figure 11: Some of the different templates used in this campaign
Phishing campaigns are getting more sophisticated day by day, and attackers are using new and lesser-known techniques in these campaigns. Most of the common checks that a user does before entering the login credentials to any website may not work in this campaign, such as checking the domain, use of HTTPS, etc. The Zscaler ThreatLabZ team is actively working on detecting and providing coverage from such attacks.
As always, our best advice to protect yourself is to only log in to Steam directly from the steampowered.com domain. If you are using another site that wants to log in through Steam, be sure to thoroughly research the site before entering any login credentials.