New Steam Scam Promises a Free Game and Steals Users' Credentials
Most of you know very well that when you're offered something for nothing in the real world, you should be more than a little careful. Online, however, things are a bit different. Far too many people are used to the idea that even complex pieces of software like video games can (and should) be free. This mentality is so deeply ingrained in users' minds that some thirty years after the World Wide Web became a part of our everyday lives, crooks continue to take advantage of it. A phishing attack analyzed by researchers from Malwarebytes illustrates the point rather well.
Phishers set their sights on gamers
This is certainly not the first phishing attack aimed at Steam users, and considering that the gaming platform's 1 billionth account was recently set up, it's unlikely to be the last. In addition to making promises that can't be fulfilled, the crooks also take advantage of the fact that people tend to trust a link when it comes from someone they know.
In March, the first victims received the phishing links via direct messages on Steam. To maximize the number of successfully phished login credentials, the crooks use the contact lists of hijacked accounts to cast the net wider. The message looks like it's coming from a friend of yours who, as you might have guessed already, is telling you about a fun way of getting a new video game for free. The information is somewhat scarce: other than telling you that if you click a link, you can get "the game you want" for free, there's not much else.
If you do take the bait, your browser will first pass through a redirector domain and eventually land on a scam page that entices you to "try your luck". There's a blue "Play" button which spins a virtual roulette wheel and tells you which game you've won. To claim your prize, however, you need to click a "Login via Steam" button and enter your username and password within the next half hour.
The cybercriminals could have tried harder
The goal of any phishing page is to trick users into thinking that it's safe to give away their login credentials. It must be said that the page used in the campaign described above is not doing a very good job of it. When the researchers tested it, it opened both in a pop-up window and in a new tab, and the address bar remained blank. This could raise suspicion among some people, and the fact that most of the menus and links don't work can make users even more uncomfortable.
Nevertheless, the mere fact that the campaign has been going strong for more than three months now shows that some victims have overlooked all these details. Try not to make the same mistake, and if you're on a tight gaming budget, wait for Steam's official sales. You won't get any free games, but you could still strike a decent deal, and as an added bonus, you won't be giving your login credentials to the crooks.