Steam vulnerability allows hackers to bypass security and swipe account data


Malwarebytes has uncovered a way for hackers to steal Steam accounts while bypassing an additional security measure.
When logging in on a PC you haven't used before, Steam Guard will appear as a window asking for a verification code that will have been sent to your email address. Without the code, you can't log in. Malwarebytes claims to have found that scammers have come up with a way to get around this security measure.
"Typically a Steam phish page asks for Username and Password, like all phish attacks - often these can be foiled by enabling Steam Guard on your account," said Malwarebytes intelligence analyst Christopher Boyd in a blog post sent exclusively to The INQUIRER.
"A potential victim will navigate to the phish page, and enter their Username and Password. At this point, they'll be greeted with a popup box very similar to the usual Steam Guard popup box."
This box reads: "We see you're logging in to Steam from a new browser or a new computer. Or maybe it's just been a while... As an added account security measure, you'll need to grant access to this browser by uploading the special ssfn* file from your Steam folder... [The] Ssfn* file contains your ID number and located in a directory Steam folder (.../Program Files/Steam/ssfn* )."
The SSFN file is what allows you to avoid having to verify your identity through Steam Guard every time you login to Steam on your PC. If you delete it, you have to revisit your email account and dig out another verification code. After you've done this, a new SSFN file is created in the Steam folder and you're back to being protected by an additional layer of security.
"We did some testing and can confirm that this technique - asking a victim to send their SSFN file to the scammer - does indeed work," Boyd explained, adding that attempting to login to a Steam Guard protected account from a new machine will result in a box which says: "Hello! We see you're logging in from a new computer. As an additional security measure, you'll need to grant access to this computer by entering the special code we've just sent to your email address."
Boyd said that at this point, the scammer would be foiled unless they also have access to the victim's email account. "However, let's assume the victim here has sent their SSFN file via a phishing page," he said. "From there, we take the victim's SSFN file, drop it into the Steam directory on the scammer's computer, try to login again and success! We're in."
Malwarebytes said this phishing scam has been around for at least a month or so and after further investigation, it came across a thread on Reddit about it.
"Compromised Steam accounts are big business, especially for those wanting to hijack accounts which have rare in-game items in their inventory. They'll 'trade' the items off to an account owned by the scammer, who will then go on to sell them for their own gain on the Steam Marketplace, buying games with the newly acquired funds in their Steam Wallet," Boyd said.
"Not to mention, they can play all your games for free while logged in as you."
While logged in as a Steam user, the scammer will also be able to see the victim's purchase history, change the current email address, current Steam password, disable Steam Guard, change the profile name and update the stored payment method. Although Malwarebytes said that they can't make purchases with the stored card because Steam requires you to re-enter the security code when making payments.
Malwarebytes has made Steam aware of the issue and said the Steam forum mods are warning users that sending scammers their SSFN files will not end well.
Boyd said that Steam needs to start letting people know that sometimes uploading files to strange destinations can also result in a bad experience for all concerned, "except the scammer, who is having a wonderful time in your copy ofHalf-Life 2".
In March, Malwarebytes found a Trojan circulating through the Facebook social network, stealing account data and credentials.
The Trojan spreads through Facebook's Messenger service by messaging a victim pretending to be one of their friends with the term "LOL" accompanied by a file waiting to be downloaded, which appears to be a photo, named "IMG_xxxx.zip".