We’ve seen Esports occasionally become the focus of gaming or Steam scams. One particular tactic of note was to claim joining an official league is an easy process. Links to third-party hosted files would offer up a supposedly cracked ESEA Esports league client. In reality, it was a data stealing Trojan.
One current twist on Esports where Steam scams are concerned is the “vote for my team” fakeout.
Crying foul on bogus voting
This trick has been around for a while now, but shows no signs of going away. As some have noticed, it is indeed “flaring up again”. The scam routinely separates unwary gamers from their logins. It’s also used to spam people from compromised accounts. On top of all that, the social pressure of “Please help me out” is often too good to let go.
An additional headache here is that people change usernames on Steam all the time. As a result, some people assume the message sender is actually a friend and not a stranger. This makes it even more likely they’ll feel obliged to assist.
People want to be helpful, and this slice of social engineering takes full advantage of this.
How does it work?
A Steam user receives an unsolicited message from a stranger. It may be sent via Steam’s own messenger service, or it could be in a Steam-themed Discord channel. The scammer presents the “offer” as a way to help a fellow Steam enthusiast out, or tie it to fictional rewards if the message recipient takes part. The message may also be sent in a different language. Some scammers simply won’t care about this, on the basis they can just send it to a seemingly never-ending pool of other recipients.
After some small talk, the scammer will ask the message recipient if they want to join their Esports team. More likely, they’ll ask them to vote for their team in an upcoming competition, or do some form of nomination to take part.
Clicking into the site and hitting the specified team vote button will typically open up a phishing page or window. If the intended victim uses some form of account protection such as Steam Guard, they’ll be asked to switch it off. Once this is all done and dusted, the account is officially phished and at the mercy of the phisher(s).
What’s the impact from being phished in this manner?
We’ve touched on a few of the impacts, but they include:
- Spamming your friends. Not great, and they’ll likely unfriend you once they see suspicious messages rolling in.
- Losing your digital items. Hard-earned items will vanish, after being sent to other accounts. If you paid real money for those items then they’re at risk too. The scammer may even just choose to sell the entire account in one go. If you used money in your Steam wallet to purchase a valuable item, both money and item may be lost.
- Loss of access. Perhaps an obvious one, but you probably don’t need the hassle of trying to get through to customer support when the pandemic continues to cause significant delays on, well, everything.
Protecting your Steam account from esports voting scams
You’ll probably be familiar with some of these Steam security suggestions:
- Add additional protection to the email account tied to Steam. If 2FA style safeguards are available, be sure to use them. If you have a second, backup email account tied to the primary account, then make sure that’s locked down too.
- Enable Steam Guard. It’ll mean the scammers have to work harder to access your account. While it won’t tip everyone off, having to awkwardly ask you for your 2FA code may be enough to set alarm bells ringing.
- Unsure if an account is one of your friends sporting a new username? Hover over the username of the person messaging you on their profile. It’ll reveal a list of all the old names they’ve gone by. If you’re unable to view their profile at all, add that to the “probably suspicious” pile.
- Never, ever log into anything related to Steam via messages from friends or strangers. Even if you know the person sending the message, it’s possible they’ve been compromised and are being used to send more spam.
The post Fake Esports voting sites looking to phish Steam users appeared first on Malwarebytes Labs.