Bots, Phishing, Malware: How Hackers Target Steam Users

Wherever there is a victim to be scammed, a service to be hijacked, or an item to be stolen, there will be people ready to make a profit. In the world of gaming, the stakes are higher than ever: in-game items can now fetch thousands of dollars on marketplaces, making users' accounts a lucrative target for hackers.

Earlier this week it was revealed that a bug in the Steam gaming platform allowed attackers to break into users' accounts through a weak password reset system. But the history of targeting Steam users goes back long before the latest vulnerability and continues to get more sophisticated, as an upcoming talk at the hacker conference Defcon will set out to demonstrate.

Steam, a service launched by Valve Corporation in 2003, acts as a hub for people to download games and socialise with friends. When users purchase games through the software, these are linked to their account. This means that if the user buys a new PC, all they need to do is download their collection again.

In the early days, a Steam account's value to hackers was typically based on how many games it had or the length of Steam ID associated with it (a unique set of digits that indicates when the account was made).

"The lower the ID, the more your account was worth to the community," Zack Allen, lead research engineer at security company ZeroFox said. Allen will be presenting on malware targeting Steam users at Defcon in August, along with information security engineer Rusty Bower.

One hacking tutorial I found that was apparently written in 2006 sketches out how to take over Steam accounts using a variety of established methods, including stealing a user's credentials with a fake log-in page.

But things started to ramp up when real money got involved. "The biggest change that happened was the introduction of a trading platform around 2009," Bower told said over encrypted chat.

Many games on Steam allow players to purchase additional items. These items are purely for decoration, and don't affect game play. Regardless, people still trade them for cash on dedicated sites.

"With the introduction of cosmetic items (which for some insane reason can be worth thousands of dollars) and the market for users to trade, there is now finally a juicy target for attackers to look at," Bower continued. "Stealing someone's account no longer means that you just have access to their games: it means you have access to potentially thousands of dollars of their inventory."

Allen recently conducted a survey of around 1,100 people in subreddits dedicated to various Steam games, and found that the average value of a user's collection of items is over $1,000.

When the researchers started gathering samples in 2014, they noticed a new level of professionalism in attempts to hack Steam accounts. Allen said that hackers were setting up malicious websites to automatically download malware onto targets' computers, using armies of bots to send friend requests to victims en masse in the hope of enticing them into clicking on dodgy links, and even employing viruses disguised in legitimate installations of voice communication tools.

One particular piece of malware that Allen pointed out was the "Steam File Stealer Extreme" (SFSE). Available on its own slick website, it costs around $40 and allows an attacker to automatically determine the value of a target's inventory and run a keylogger, which could make a record of the target's passwords.

There's also crossover between more traditional digital fraud and the targeting of Steam users. Allen explained that some scammers purchase wads of stolen credit card details to then buy items. Once the transaction is reported as fraudulent by the card owner, the charges are canceled, and the person selling the wares is left out of pocket.

Valve has taken a number of steps to curb malicious activity, the researchers said. For example, the company introduced Steam Guard, a two-factor authentication system, and sometimes enforces "trade bans," whereby the movement of items is halted if suspicious activity is detected on an account. Valve has not yet responded to requests for comment.

As for the future, it looks like this space is only going to become more profitable for hackers. At the moment, the prize pool for an upcoming Valve game e-sports tournament stands at over $17 million dollars, the vast majority of which was funded by players spending money on in-game items. With more games, higher rewards, and more avenues for attack, hackers have plenty of reasons to continue targeting Steam users.