Why Valve’s Steam has its own brand of Malware

Computer games are a huge business, generating over $100 billion in annual revenues. Most of this revenue is generated through online distribution and sales, and the biggest provider here is Valve Corporation’s Steam platform. There are over 7,500 game titles available on the Steam platform with some 125 million active users.

Steam’s popularity has consequently led to the service being attacked by hackers. Account hijacking is an obvious problem for a gaming platform, with players wanting to get access to other players’ credentials. Over time the monetary value of Steam-based virtual goods increased, and after the introduction of Steam Trading the number of hijacked accounts skyrocketed, attracting hackers who are out for a fast buck. Hijackers can use the platform’s trading features to make money out of a user’s inventory. Valve reported that in 2015 around 77,000 accounts were hijacked every month.

Steam is well aware of this problem and did compensate affected users but, as they mention themselves, it is not the ideal solution:

Once an account was compromised, the items would be quickly cleaned out. They’d then be traded again and again, eventually being sold to an innocent user. Looking at their account activity, it wasn’t too hard to figure out what happened, but undoing it was harder because we don’t want to take things away from innocent users. We decided to err on the side of protecting them: we left the stolen goods, and we created duplicates on the original compromised account to replace them. We were fully aware of the tradeoff here. Duplicating the stolen items devalues all the other equivalent items in the economy. This might be fairly minor for common items, but for rare items this had the potential to significantly increase the number in existence.

A new Kaspersky Lab report takes a closer look at Steam’s problem. Apparently Steam credentials are cheap to obtain: rights for a credential stealer start at $3, and for an extra $7 you get the source code and a user manual. The complete process is well documented, opening the door for newbies and “script-kiddies” to take a shot at hacking.

Even though phishing and spear-phishing attacks are always popular among the most active social engineers in the dark corners of the Internet, a new breed of malware, known innocently as a “Steam Stealer”, is the prime suspect in the pilfering of numerous user accounts from Valve’s flagship platform. Evolving bit-by-bit from a leaked source on a remote Russian forum, stealers took off once they were proven to be extremely profitable by criminals all around the globe. Available for sale in different versions, with distinct features, free upgrades, user manuals, custom advice for their distribution, and more, stealers have turned the threat landscape for the entertainment ecosystem into a devil’s playground.

With over 12 million concurrent users, Steam is attracting the attention of better organized and more professional hacking gangs. The sheer number of accounts and the simplicity of cracking them have made it financially attractive for hackers to spend more time and energy on the Steam platform.

At the end of the report, Kaspersky gives Steam users the following advice:

In terms of preventive measures, we recommend users familiarize themselves with Steam’s updates and new security features, and enable two-factor authentication via Steam Guard as a bare minimum. Bear in mind that propagation is mainly (but not solely) done either via fake cloned websites distributing the malware, or through a social engineering approach with direct messages to the victim. Always have your security solution up to date and never disable it; most products nowadays have a “gaming mode” which will let you enjoy your games without getting any notifications until you are done playing. We have listed all the options Steam offers users to protect their accounts. Remember that cybercriminals aim for numbers and if it’s too much trouble they’ll move on to the next target. Follow these simple recommendations and you will avoid becoming the low hanging fruit.

Stay safe.