Slashdot Mirror


Malware Distributed Through Twitch Chat Is Hijacking Steam Accounts

An anonymous reader writes: If you use Twitch, don't click on any suspicious links in the video streaming platform's chat feature. Twitch Support's official Twitter account issued a security warning telling users not to click the "csgoprize" link in chat. According to F-Secure, the link leads to a Java program that asks for your name and email. If you provide the info, it will install a file on your computer that's able to take out any money you have in your Steam wallet, as well as sell or trade items in your inventory. "This malware, which we call Eskimo, is able to wipe your Steam wallet, armory, and inventory dry," says F-Secure. "It even dumps your items for a discount in the Steam Community Market. Previous variants were selling items with a 12 percent discount, but a recent sample showed that they changed it to 35 percent discount. Perhaps to be able to sell the items faster."

53 comments

  1. Slashvertisement by Anonymous Coward · · Score: 2, Funny

    Steam extended summer sale extravaganza 35% off select games now!

    1. Re:Slashvertisement by Anonymous Coward · · Score: 0

      Steam doesn't have an official market for second hand games. It's 35% off tradeable items and vouchers only.

  2. And how is this a problem? by Anonymous Coward · · Score: 0

    To normal people. If you live life loose you lose what you didn't want anyway. Put that in your radiator and sit on it.

  3. I do not understand by Taco Cowboy · · Score: 3, Insightful

    If someone wants me to type in my account and then my password I won't

    I really won't

    Common sense tells me that no one has any right to demand me to type in my account name/number and then my password

    That is why I do not understand why there _are_ people who are simply void of any common sense

    Ain't there enough stories of scams already? Why can't those people learn _anything_ from the mistakes of others?

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:I do not understand by TheRealQuestor · · Score: 4, Informative

      If someone wants me to type in my account and then my password I won't

      I really won't

      Common sense tells me that no one has any right to demand me to type in my account name/number and then my password

      That is why I do not understand why there _are_ people who are simply void of any common sense

      Ain't there enough stories of scams already? Why can't those people learn _anything_ from the mistakes of others?

      Except in this case it does not. It asks for your name and email. Nowhere does it say anything about a password.

    2. Re:I do not understand by Nyder · · Score: 2, Informative

      If someone wants me to type in my account and then my password I won't

      I really won't

      Common sense tells me that no one has any right to demand me to type in my account name/number and then my password

      That is why I do not understand why there _are_ people who are simply void of any common sense

      Ain't there enough stories of scams already? Why can't those people learn _anything_ from the mistakes of others?

      Nowhere do they say they are asking for the Steam account info. Fake raffle wants a username/email & password to sign up, then it installs a program that accesses your Steam stuff. Most people on their home computer either have Steam running all the time and are logged in, or auto log in.

      I don't do twitch.tv and I don't bother signing up for online raffles or anything claiming I will win something, because that is stupid.

      But yes, giving your account info out is very dumb, but I don't think that is the case here from the summary & article.

      --
      Be seeing you...
    3. Re:I do not understand by mwvdlee · · Score: 2

      Why would it be a raffle or some other semi-sleazy subject?

      Asking for a username and email is standard practice for pretty much any kind of website signup.

      If I were into gaming enough to watch somebody else play a specific game on Twitch and somebody posted a link to a legit-looking site claiming to provide me a valuable service for that specific game, I might well be fooled.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    4. Re:I do not understand by Drethon · · Score: 1

      Yes but isn't there enough history about the internet that says "Don't click links from people you don't trust?". Not that pretty much anyone hasn't broken that rule at one time or the other.

    5. Re:I do not understand by Anonymous Coward · · Score: 0

      So how does it empty your Steam account with just your name and email? Attach the email address password and do a password reset on the Steam account? Hit up Valve and tell them you're locked out and can't access the email associated with your Steam ID?
       
      There must be something more to it. Knowing my name and email address isn't enough to get you into my email, let alone any other account.

    6. Re:I do not understand by Anonymous Coward · · Score: 0

      Forget it, answered my own question. "Raffle" is in Java. After sign up, it's used as a dropper for a Windows executable payload (RAT of sorts).

    7. Re:I do not understand by Anonymous Coward · · Score: 0

      This is a trojan horse. It doesn't need your login or password. It just looks for an already-open Steam client on your machine and does all of its work through that. RTFA.

    8. Re:I do not understand by datavirtue · · Score: 1

      People are used to a computer telling *them* what to do. It is our basic authority worship. Remember the Wizard of Oz?

      --
      I object to power without constructive purpose. --Spock
    9. Re:I do not understand by mattventura · · Score: 1

      I wouldn't say so much as "devoid of common sense", but rather "trained to ignore warnings"

      Microsoft is probably the biggest offender here. In trying to provide better security to the end user, they end up bombarding them with warnings, which mean nothing bad 99% of the time (e.g. IE ssl warnings, UAC warnings, etc). Users start to think nothing of these, so they just start to ignore them.

      Not to mention, there's 8 million ways to scam people on steam, most of which don't involve malware. And yes, when trading items away for nothing in return, it even makes you confirm "Yes, this is a gift" yet people still fall for scams left and right.

    10. Re:I do not understand by Anonymous Coward · · Score: 0

      Microsoft is probably the biggest offender here. In trying to provide better security to the end user, they end up bombarding them with warnings, which mean nothing bad 99% of the time (e.g. IE ssl warnings, UAC warnings, etc). Users start to think nothing of these, so they just start to ignore them.

      I don't think it is fair to blame MS for that. 99+% of the people trying to get through a military checkpoint, much less the front security desk get through too. Doesn't mean that the guys in turbans waving rifles and wearing bulky vests should just be waved through...

    11. Re:I do not understand by Anonymous Coward · · Score: 0

      It doesn't need to ask; it just has to wait for you like any other malware, and since it is malware I'm sure it attacks far more than just Steam accounts.

    12. Re:I do not understand by TheRealQuestor · · Score: 1

      There is but it still seems that people do it and do it a LOT. I'm both sad and glad as it keeps me in a job :)

    13. Re:I do not understand by Drethon · · Score: 1

      Ah yes, job security by others' idiocy. Makes you wonder what the world would be like if people followed instructions.

  4. Morons. by Anonymous Coward · · Score: 1, Insightful

    Several things annoyed me with this.

    1) gamers that don't run basic AV
    2) gamers that don't run sandboxing software over their browser (Sandboxie for example, shit's TRIVIAL to use and is even foolproof!)
    3) people DOWNLOADING programs for competitions...
    4) actually wanting to play CS Go. The worst sin of them all.
    5) Twitch still hasn't word-banned people typing these messages and any variants. It's not like their servers would break, they already have filters in place.

    Let them suffer. These are the kind of morons that probably also ran / run Internet Explorer with 5 bars taking up 1/3 the height of their screens so they can search products or use FUNNY SMILIES IN YOUR EMAILS.

    1. Re:Morons. by Anonymous Coward · · Score: 1

      "Basic AV" is useless against any determined attacker. Yes, in a few weeks, maybe even in a few days if the AV is really "good", the AV would find the trojan horse that you installed, but the one you installed disabled all defenses and the one you'd get in a few weeks or days is different enough that your AV won't do anything then. People with common sense don't need AV and people without common sense are not helped by AV. I see the remnants of the infection vector all the time: Installers, usually of some tool for downloading music or video or a "codec", sitting in the download folder. When scanned from outside the system, they're obvious trojan horses, but the AV in the system doesn't find anything bad about them.

    2. Re:Morons. by Anonymous Coward · · Score: 2, Insightful

      FREE SHIT! CLICK HERE! still works even on gamers.

      and the bar for 'gamer' is really really low these days anyway.

    3. Re:Morons. by Anonymous Coward · · Score: 0

      FREE SHIT! CLICK HERE! still works even on gamers.

      And gardeners - my soil is so bad, I need as much free shit as I can get.

      My stinking zucchini just won't take off!

    4. Re:Morons. by Anonymous Coward · · Score: 2

      1) Not sure what being a gamer has to do with one's computer literacy in this day and age. It's not 1995 anymore. It doesn't take a CS degree to get an online game working.
      2) Who the fuck runs sandboxing software on their browser? Essentially no one.
      3) It gives the appearance of being a Java browser app. Unfortunately, people are used to sites running annoying unnecessary Java apps to do things that don't need a Java app to implement because of lazy/bad developers. Since this app gives the appearance of being run by someone on Twitch, which is already a venue for people doing stuff from their bedroom/living room and doing lower-than-shoestring-budget-level video production and graphics, using a shitty Java app to run a contest won't feel out of the norm. The real payload is downloaded and launched in the background by the Java app without the user realizing it. The real question is how the Java app is downloading and running a Windows executable without some kind of confirmation by the end user. I'm guessing that there is some kind of warning pop up that the user has to click through that isn't mentioned in the F-Secure article. Either that or there's a massive security hole in Java. Regardless, while it does likely require the user to make a series of bad decisions, it doesn't require any more extraordinary bad decisions than most typical malware would.
      4) CS:GO is fun. Liking a game you don't like isn't a sin. Grow up.
      5) By now, they likely have, but that's a temporary solution as the IRC bots can just keep changing the message text.

    5. Re:Morons. by Sigma 7 · · Score: 1

      1) gamers that don't run basic AV

      Basic AV = not automatically executing stuff.

      If you mean something like real-time protection from common AV packages, then those are technically reactive to threats and don't detect new things within the past ~24 hours or so.

      2) gamers that don't run sandboxing software over their browser (Sandboxie for example, shit's TRIVIAL to use and is even foolproof!)

      Browsers should be self-sandboxing, which has been the case since the start of HTML, until someone foolishly added JavaScript/plugins. Those two should be disabled by default, and in the event that JavaScript or plugins are required for a site, they can be made click-to-play.

      3) people DOWNLOADING programs for competitions...
      4) actually wanting to play CS Go. The worst sin of them all.

      No objection here.

      5) Twitch still hasn't word-banned people typing these messages and any variants. It's not like their servers would break, they already have filters in place.

      Word-banning is a clbuttic mistake.

    6. Re:Morons. by ArcadeMan · · Score: 1

      Click where? There's no link! I WANT FREE SHIT!

    7. Re:Morons. by Anonymous Coward · · Score: 0

      DID SOMEONE SAY FREE SHIT? Fuck all, I can't click fast enough, someone tell me where to go!

    8. Re:Morons. by Anonymous Coward · · Score: 1

      2) gamers that don't run sandboxing software over their browser (Sandboxie for example, shit's TRIVIAL to use and is even foolproof!)

      That is not how Sandboxie works by default. By default, Sandboxie prevents changes to files on the system itself, but allows sandboxed items to read everything. So things running inside the sandbox, including this malware, would be able to do everything the summary describes unhindered. And if you have the sandbox set to delete all its contents on a program closure (like your browser), you would not even know, or even have a trace, of what happened.

    9. Re:Morons. by Anonymous Coward · · Score: 0

      ... you would not even know, or even have a trace, of what happened.

      Other than noticing that your Steam account is borked.
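
The word-banning argument in this thread (point 5 above and its replies), worked through as an added example that is not part of the original comments and not Twitch's code. It compares a substring ban on the lure text with a policy keyed on the link's destination host, which goes beyond what the thread proposes; the ban list, the allowlist and every message and `.example` domain are constructed assumptions.

```python
import re

# Hypothetical moderation settings (assumptions, not Twitch's real configuration).
BANNED_WORDS = {"csgoprize"}
ALLOWED_DOMAINS = {"twitch.tv", "steampowered.com"}

# Zero-width characters that split a word without changing how it renders.
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"))
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
DOT_RE = re.compile(r"\s*[\[(]\s*(?:dot|\.)\s*[\])]\s*", re.I)


def word_ban(msg):
    """Filter proposed in the thread: block when a banned string appears."""
    return any(word in msg.lower() for word in BANNED_WORDS)


def normalize(msg):
    """Undo the cheap rewrites a spam bot can apply between messages."""
    return DOT_RE.sub(".", msg.translate(ZERO_WIDTH))


def link_hosts(msg):
    """Return every host-like token found in the normalized message."""
    return [m.group(1).lower() for m in HOST_RE.finditer(normalize(msg))]


def is_allowed(host):
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def link_policy(msg):
    """Hold the message when any link points outside the allowlist."""
    return any(not is_allowed(host) for host in link_hosts(msg))


# Constructed chat lines: (text, should the message be held?)
SAMPLES = [
    ("Win a free knife at http://csgoprize.example/raffle", True),
    ("free skins: cs-go-prize[dot]example/join", True),
    ("enter now cs\u200bgoprize.example", True),
    ("did anyone else see that csgoprize spam? don't click it", False),
    ("clip: https://www.twitch.tv/videos/123", False),
]


def evaluate():
    """Return (expected, word_ban verdict, link_policy verdict) per sample."""
    return [(want, word_ban(text), link_policy(text)) for text, want in SAMPLES]


if __name__ == "__main__":
    for (text, _), row in zip(SAMPLES, evaluate()):
        print(row, repr(text))
```

On these samples the substring ban misses both rewritten links and blocks the user who is warning others, while the destination check gets all five right.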

  5. I knew it ! They were bots all along. by GuB-42 · · Score: 2

    How to trust a chat where strange black-and-white faces appear randomly?
    And if it wasn't enough, there is even a special emote for FRAUD!, an obvious sign.

    1. Re:I knew it ! They were bots all along. by datavirtue · · Score: 1

      What's wrong with black faces!?

      --
      I object to power without constructive purpose. --Spock
    2. Re:I knew it ! They were bots all along. by Anonymous Coward · · Score: 0

      Nothing, as long as I'm armed.

    3. Re:I knew it ! They were bots all along. by Anonymous Coward · · Score: 0

      Grey Face (no space)

  6. looks like good old IRC by Anonymous Coward · · Score: 0

    twitch chat really looks on average like an unmoderated IRC channel. lots of douchebags and kids screaming at each other
    and of course spam bots.

    I learned a long time ago that clicking on unknown links in IRC chat spells doom for your system.

    I wonder how many of these twitch users are going to learn that lesson now.

  7. So what is the attack vector? by Anonymous Coward · · Score: 0

    User execute suspicious code on own? Execute him too.

  8. Cool by aaaaaaargh! · · Score: 1

    Time to watch out on Steam for discounts, I guess ...

    Thanks for the info!

    1. Re:Cool by Anonymous Coward · · Score: 0

      That also explains why the slower-to-move stuff on the market is plummeting in price by leaps and bounds as of late, instead of more subtle dips.

  9. Java? by Anonymous Coward · · Score: 0

    Who the heck is crazy enough to enable Java in the browser these days?

    1. Re:Java? by ArcadeMan · · Score: 1

      Who the heck is crazy enough to have Adobe Reader, Flash, Java and Silverlight on their computer these days?

      FTFY

    2. Re:Java? by UnknownSoldier · · Score: 1

      Anyone playing Minecraft ... :-/

      (I refuse to use Java due to far too many security issues.)

    3. Re:Java? by Anonymous Coward · · Score: 0

      And guess what, it is trivial to disable Java support for browsers while still being able to play Minecraft or use whatever other installed software you have that uses Java. Too bad that isn't the default.

    4. Re:Java? by Sigma 7 · · Score: 1

      And guess what, it is trivial to disable Java support for browsers

      Only if you know where to find the option.

      In Firefox Aurora version 34.0a2, I click the three lines button to get a menu, then click on options. None of the listed tabs lead towards disabling plugins, or making them manually activated by clicking.

      In general, if you have to look in more than one place to configure your software, it's not trivial even if it's easy.

    5. Re:Java? by UnknownSoldier · · Score: 1

      Minecraft is the only thing that needs Java.

      I'm not going to risk an entire computer for one game.

      Besides, I would rather spend time making my own game than playing other people's games. :-)

  10. Reverse the transactions by Anonymous Coward · · Score: 0

    If the items are stolen why not reverse the transactions, giving the items back to the person from whom they were stolen and refunding the purchaser's money.

  11. What platform is this on? by Edweirdo · · Score: 1

    Not that I don't just assume it's Windows, as usual, but, it would have been nice to specify that this is only happening to people unfortunate enough to be running Windows. If it was happening to Mac users also, I would bet they'd mention that.
    Of course, I'm pretty sure I'm safe on my Linux platform.

    --
    Life is too short and too important to { take seriously | use windows }.
    1. Re:What platform is this on? by 2fuf · · Score: 1

      Java is pretty platform independent actually

  12. News?? by Anonymous Coward · · Score: 0

    I've been seeing this story making the rounds on various tech news websites. How is this news? Twitch is one popular service amongst thousands that use chatrooms or forums in some way. How is posting obvious phishing/malware links important news all of a sudden? I'm sure this has been common practice for almost two decades. Why this emphasis on its presence on Twitch? I use CSGO Lounge to trade ultimately useless virtual items, and I get the odd phishing link every couple of days. It's not new, and I'm hardly going to call up the BBC about this revolutionary new scam.

  13. Reverse the transactions by Horn · · Score: 2

    Because Valve's customer service is pretty terrible once you get past the big picture items.

  14. here's an idea by steak · · Score: 1

    don't ever click on suspicious links ever!

  15. Empty Steam Wallet by giantism_strikes · · Score: 1

    Anyone know how this is being done? You can't send Steam Wallet funds from one account to the other.

    1. Re:Empty Steam Wallet by mattventura · · Score: 1

      One party probably lists an item on the market for the amount that they want to transfer, then the victim's hijacked account buys that item.

  16. market, wallet, what by dkman · · Score: 1

    Steam Community Market, Steam Wallet?
    I've been using Steam for a while, but I don't know how to look at either of these things. I guess I'll have to poke around when I get home.

    I just buy and play games. As far as I'm concerned it's a game launcher.

    I remember a lawsuit a while back about being able to resell games, but didn't realize there was a "marketplace" to do that within steam. I knew there were coupons or promo codes, but didn't realize there was a wallet.

    So I learned something new about a piece of software I use. Always cool.

    And what the hell is a twitch chat? Sounds like it should be a first person shooter thing.

    --
    I refuse to sign
    1. Re:market, wallet, what by Anonymous Coward · · Score: 0

      Steam Wallet is money on your Steam account (which you can never withdraw). If you only ever redeemed product codes or paid exact price for things, then it would be easy to never know about it.

      Steam Market is for buying and selling virtual items using Steam Wallet funds. No games or coupons can go on the market, nor can all virtual items (even in games that the market supports).

      Twitch chat I assume is the IRC-like chat that goes side-by-side streaming video of people playing a game over a popular streaming site of the same name.

  17. Because Slashdot people are that dumb? by Anonymous Coward · · Score: 0

    This is not Facebook, we don't just randomly type our passwords everywhere.