Phishing with zombies

As online gaming focuses more and more on social networking, the same kind of phishing we see on sites like Facebook and MySpace becomes more and more common on gaming networks — particularly those where ownership of games is tied to accounts.

This morning I received a pretty suspect message from someone on Valve’s Steam network asking me if I was interested in addons for their new zombie shooter Left 4 Dead. Steam is both a gaming community and a content distribution method for online and single player games. Individual games are bought by users and tied to their Steam accounts, allowing them to download and play anything they’ve purchased on that account — something that makes them quite attractive to phishers.

The link in this phishing message doesn’t go directly to the attacker’s site. Instead, he has created a Steam community group so that the link he spams out in chat doesn’t look quite so suspicious. The page for the community group he links to is sparse, but suspicious only in that it has one member who is the user sending the chat messages.

Steam groups can have web links on their pages; in this case, the text of the link makes it appear to point to a page on Valve’s own website, steampowered.com. In fact, it goes to the phisher’s website hosted on a free web host. If the link is followed, the phisher’s website presents the victim with a mockup of the Steam community login page.

This is a pretty accurate replica: there is a giveaway in a link to the free web host added at the bottom of the page (not pictured), but aside from that it’s almost identical. Entering username and password details here sends them to a PHP script on the phisher’s site and dumps the victim to the legitimate page for the Steam store — probably alerting them to the fact that something is wrong, since the phish was advertised as addons for an existing game.

Since these screenshots were taken, Valve appear to have responded by taking down the Steam community group used by the phisher. I’m glad to say that the Sophos Web Appliance already blocks the phishing website, protecting our users against this particular attempt to steal their Steam account and games.
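
The group-page trick described above, link text that names steampowered.com while the href leads somewhere else, can be checked for mechanically. The following is an added example, not code from the original post or from Sophos; the sample markup and the freehost.example hostnames are constructed, and same_site is a simplified suffix comparison rather than a Public Suffix List lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Host-like tokens in visible link text, e.g. "www.steampowered.com".
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def same_site(claimed, actual):
    """True if `actual` is `claimed` or a subdomain of it (leading "www." ignored)."""
    claimed = re.sub(r"^www\.", "", claimed.lower())
    actual = actual.lower().rstrip(".")
    return actual == claimed or actual.endswith("." + claimed)

class LinkAuditor(HTMLParser):
    """Collects (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def deceptive_links(html):
    """Return (text, real host) for links whose text names a host the href does not lead to."""
    auditor = LinkAuditor()
    auditor.feed(html)
    flagged = []
    for text, href in auditor.links:
        target = urlsplit(href).hostname or ""
        claimed = HOST_RE.findall(text)
        if target and claimed and not any(same_site(c, target) for c in claimed):
            flagged.append((text, target))
    return flagged

# Constructed sample: one honest link, one misleading link, one link with no host in its text.
SAMPLE = """
<a href="http://store.steampowered.com/app/500/">store.steampowered.com/app/500</a>
<a href="http://l4d-addons.freehost.example/login.php">http://www.steampowered.com/l4d/addons</a>
<a href="http://freehost.example/">Free hosting</a>
"""

if __name__ == "__main__":
    for text, target in deceptive_links(SAMPLE):
        print(f"link text {text!r} actually goes to {target}")
```

Links whose visible text contains no hostname are not flagged, so this catches only the specific disguise used here, not every link to an untrusted host.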