steam
  • Another phishing campaign for Steam is underway, using a skin gambling platform as a lure.
  • The scammers are loading a spoofed iframe on the site, making it look like a Chrome window.
  • There are some signs of forgery here and there, but the scam is good enough to deceive large numbers of CS:GO players.

Steam phishing is an ongoing and non-subsiding phenomenon that targets the accounts of players of popular games. The main goal for the threat actors is to steal the credentials and then sell the accounts to others. In many cases, they first empty the stolen accounts by selling whatever valuable “collectible” items the victim possesses. In order to lure the players into giving away their details, actors have to use something as a bait. We’ve seen them promising free games, in-game currency, or valuable items. In the most recent case uncovered by Sucuri, the phishing scammers are using a CS:GO gambling platform where players can supposedly win items.

Set up on the “csgo500[.]org” domain, which was registered in March, the platform is imitating the “csgo500[.]com,” which is a legitimate skin gambling site. Contrary to that one, though, the phishing site won’t geo-block visitors that come from countries where online gambling is prohibited by law. At the time of writing this, the scammer’s domain is still up and running, but most browsers will identify the threat and warn you about it when you try to visit.

steam_phishing_skin_gambling
Source: Sucuri Blog

To “gamble,” the victim is urged to log in to their Steam account to fund their other account and start betting. As shown in the image above, taken from the actual gambling platform, there’s something that resembles a wheel of fortune that will let the player win two, three, five, or fifty times what they placed as a bet. The login page is spawned via an iframe that’s made to look like a new browser session, but it’s really happening on the phishing website. The credentials are intercepted by the malicious platform via a POST request and are then sent to the Steam back-end so that the user can actually login to their account.

steam_phishing_behavior
Source: Sucuri Blog

A sign that would reveal the fraudulent nature of the particular CS:GO skin gambling website is that the Steam login iframe that loads on it is always a spoofed Chrome window, so if you’re using a different browser, this won’t make any sense. Moreover, the user can’t click on the address bar or the SSL bar (to check the certificates), so this is another sign that you’re dealing with an abnormal browser window. In general, we would advise you to stay away from skin gambling platforms, as the majority are phishing lures. If you insist on doing so, at least make sure that you are redirected straight to the Steam website when you need to authenticate.