Malware Distributed Through Twitch Chat Is Hijacking Steam Accounts

An anonymous reader writes If you use Twitch don't click on any suspicious links in the video streaming platform's chat feature. Twitch Support's official Twitter account issued a security warning telling users not to click the "csgoprize" link in chat. According to f-secure, the link leads to a Java program that asks for your name and email. If you provide the info it will install a file on your computer that's able to take out any money you have in your Steam wallet, as well as sell or trade items in your inventory. "This malware, which we call Eskimo, is able to wipe your Steam wallet, armory, and inventory dry," says F-Secure. "It even dumps your items for a discount in the Steam Community Market. Previous variants were selling items with a 12 percent discount, but a recent sample showed that they changed it to 35 percent discount. Perhaps to be able to sell the items faster."

Slashvertisement

Steam extended summer sale extrazaganza 35% off select games now!

I do not understand

[Taco+Cowboy]

If someone wants me to type in my account and then my password I won't

I really won't

Common sense tells me that no one has any right to demand me to type in my account name/number and then my password

That is why I do not understand why there _are_ people who are simply void of any common sense

Ain't there enough stories of scams already? Why can't those people learn _anything_ from the mistakes of others?

Re:I do not understand

[TheRealQuestor]

If someone wants me to type in my account and then my password I won't

I really won't

Common sense tells me that no one has any right to demand me to type in my account name/number and then my password

That is why I do not understand why there _are_ people who are simply void of any common sense

Ain't there enough stories of scams already? Why can't those people learn _anything_ from the mistakes of others?

Except in this case it does not. It asks for your name and email. Nowhere does it say anything about a password.

Re:I do not understand

[Nyder]

If someone wants me to type in my account and then my password I won't

I really won't

Common sense tells me that no one has any right to demand me to type in my account name/number and then my password

That is why I do not understand why there _are_ people who are simply void of any common sense

Ain't there enough stories of scams already? Why can't those people learn _anything_ from the mistakes of others?

No where do they say they are asking for the steam account info. Fake raffle wants a username/email & password to sign up, then it installs a program that access your steam stuff. most people on their home computer either have steam running all the time and are logged in, or auto log in.

I do don't do twitch.tv and I don't bother signing up for online raffles or anything claiming i will win something, because that is stupid.

But yes, giving your account info out is very dumb, but I don't think that is the case here from the summary & article.

Re:I do not understand

[mwvdlee]

Why would it be a raffle or some other semi-sleazy subject?

Asking for a username and email is standard practice for pretty much any kind of website signup.

If I were into gaming enough to watch somebody else play a specific game on Twitch and somebody posted a link to a legit-looking site claiming to provide me a valuable service for that specific game, I might well be fooled.

I knew it ! They were bots all along.

[GuB-42]

How to trust a chat where strange black-and-white faces appear randomly ?
And it it wasn't enough, there is even a special emote for FRAUD!, an obvious sign.

Re:Morons.

FREE SHIT! CLICK HERE! still works even on gamers.

and the bar for 'gamer' is really really low these days anyway.

Re:Morons.

1) Not sure what being a gamer has to do with ones computer literacy in this day and age. It's not 1995 anymore. It doesn't take a CS degree to get an online game working.
2) Who the fuck runs sandboxing software on their browser? Essentially no one.
3) It gives the appearance of being a Java browser app. Unfortunately, people are used to sites running annoying unnecessary Java apps to do that do things that don't need a Java app to implement because of lazy/bad developers. Since this app gives the appearance of being run by someone on Twitch, which is already a venue for people doing stuff from their bedroom/living room and doing lower-than-shoestring-budget-level video production and graphics, using a shitty Java app to run a contest won't feel out of the norm. The real payload is downloaded and launched in the background by the Java app without the user realizing it. The real question is how the Java app is downloading and running a Windows executable without some kind of confirmation by the end user. I'm guessing that there is some kind of warning pop up that the user has to click through that isn't mentioned in the F-Secure article. Either that or there's a massive security hole in Java. Regardless, while it does likely require the user to make a series of bad decisions, it doesn't require any more extraordinary bad decisions than most typical malware would.
4) CS:GO is fun. Liking a game you don't like isn't a sin. Grow up.
5) By now, they likely have, but that's a temporary solution as the IRC bots can just keep changing the message text.

Reverse the transactions

[Horn]

Because Valve's customer service is pretty terrible once you get past the big picture items.