A Phishing Attack Through Steam

Summary

Someone attempted to phish my Steam account credentials by sending me a cloned version of its legitimate website and requesting a quick favor. However, I recognized their intentions and decided to turn the tables by investigating their operation and uncovering their tactics and location.

Initial Encounter and Red Flags

I was logged into Steam and playing one of my favorite video games when I received a friend request from a stranger. I accepted the request 🤠 and here’s how our conversation began:

Beginning of the phishing attack and contextualization

Up to this point, everything seemed legitimate: just a gamer stranger asking another gamer stranger to vote for their creative endeavor.

Explaining in detail the steps required to fall into their trap

When I first received the image, I thought to myself: Wow, they must've done this so many times. Some people didn't know how to vote, so they had to highlight it in an image.

I copied the link, opened a private browser, and pasted it.

"Steam" website

At first glance, and for someone who doesn’t interact with Steam interfaces very often, this might not raise any suspicions. However, for someone like me, the URL (https://steam.communityusersart.com/filedetails/sharedfiles/id=418496547/) immediately raised red flags.

The domain itself, communityusersart.com, has nothing to do with Steam. That alone was suspicious. To confirm, I Googled the domain name and found no relevant results, which is highly unusual for a company as big as Steam.
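The check described above, as an added example that is not part of the original post: it judges a link by its registrable domain only, so a brand word placed in a subdomain label (as in steam.communityusersart.com) is flagged rather than trusted. The allowlist of Valve-owned domains is an assumption the reader should maintain.

```python
from urllib.parse import urlparse

# Registrable domains Valve actually uses for Steam (assumption: the reader's
# own allowlist; extend it as needed).
STEAM_DOMAINS = {"steamcommunity.com", "steampowered.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (sufficient for .com-style TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_steam_link(url: str) -> dict:
    """Classify a link that claims to lead to Steam.

    The trick on this page puts 'steam' in a subdomain of an unrelated
    registrable domain, so only the registrable domain decides legitimacy;
    the full hostname is never trusted on its own.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    legit = reg in STEAM_DOMAINS
    # Everything left of the registrable domain is attacker-controlled naming.
    subdomain = host[: -len(reg)].rstrip(".") if host.endswith(reg) else host
    return {
        "host": host,
        "registrable_domain": reg,
        "legitimate": legit,
        # Brand word outside the registrable domain: the classic lure.
        "brand_in_subdomain": ("steam" in subdomain) and not legit,
        # Brand word anywhere in a non-allowlisted host: lookalike domain.
        "lookalike": ("steam" in host) and not legit,
        "https": parsed.scheme == "https",
    }
```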

Analyzing the Suspicious Website

At this point, I was 100% certain I was being targeted by a phishing attack. Clicking on Vote as requested prompted me to either Sign In or Cancel.

Fake prompt

On the real Steam website, by comparison, clicking Vote prompts you to either Sign In, create an account, or cancel.

Real prompt

Also, notice that the real website is in French, which matches my browser's language.

Additionally, on the fake website, the browser console, debugger and network tab are completely disabled.

Debugging is disabled to prevent reverse engineering and requests/code inspection

That being said, I’m impressed by the technique used when I clicked the Sign In button.

Window within a window - windowception type shit

What you see above is a JavaScript window created within the fake website itself, not a separate browser window. I can't drag it out of the website; it's confined to the page.

Next, I ran a Whois lookup on the domain to gather more information about the people behind it, including the country, registration dates, and other details.

whois command output from whoxy.com

The domain name is very new, having been registered on December 9th, 2024, and the registrant is based in Mauritania.

Establishing Trust and Empathy

Meanwhile, the threat actor moved on to the next stage: establishing trust and empathy. They built a story to make the operation appear more legitimate, aiming to eliminate any doubts or suspicions.

Threat actor attempting to establish trust and empathy

After discovering that the registrant is from Mauritania, I wanted to verify that the person I was talking to was also from Mauritania. So, I moved on to the next stage: hacking the hacker.

Hacking the Hacker

I made sure to take a screenshot of an unexpected behavior from the threat actor's own website.

A Loading QR Code

I then uploaded the screenshot to Imgur, used that link to create a new Grabify session, and finally shortened the Grabify link using Bit.ly. This is the final result:

Threat Actor Urgency + Grabify link

This actually worked great: the Grabify link is completely hidden behind the Bit.ly one.

Also, notice how the threat actor has moved to their next stage: closing the deal through urgency and pressure.

Now, all I have to do is wait for the phisher to get phished.

And voila!

IP Address originating from the US and Steam HTTP Client user-agent?

Operational Security

So, at this point I’m somewhat certain that they’re using a VPN because the logs show that the IP originates from the US, while the domain name registrant is from Mauritania.

On top of that, the threat actor's English is quite limited, and when I pushed them to communicate outside their script, they either didn’t reply or made mistakes. It's also worth mentioning that the scammer's Steam profile claims they’re from the US, but this could be part of their OpSec.

What I should have done was enable the Smart Logger feature in Grabify, which also provides their timezone; this would have been the key piece of information to confirm everything. However, this can also be spoofed.

I enabled it and attempted to pressure them into clicking the link again. More on that later.

All the online proxy-checking tools I tried indicate that this IP isn't a VPN, but I am still uncertain about this matter and the origin of this IP.

Domain Switch and Website Shutdown

As I'm writing this article, I attempted to access other subfolders and start digging into its requests, but to my surprise, the website is down, only an hour after it all occurred. So, I tried pinging the domain to perform a DNS resolution and get the server's IP address: 185.100.157.50. I then input the IP into Shodan for quick results.

Shodan.io output

This is very strange: the domain name is different now. It was previously communityusersart.com, and now it's communitystudionsart.com.

Looking at its whois information on Whoxy, I discovered that it was registered on the same date as the other domain, and the registrant is also based in Mauritania.

9th December 2024, again
Mauritania, again

Visiting the new website triggers a browser warning that it's a malicious and spam website.

My humble guess is that this is a fairly new operation. They currently have a single server but are actively rotating between multiple domain names.

Back From The Grave

So remember how I told you I activated Smart Logger and tried to pressure the scammer into clicking it again? Well, they didn’t.

BUT, two days later, they messaged me back, and of course, my next goal is still the same: get them to click the link.

Your dead shall live, their bodies shall rise

And to my surprise, they clicked on the link again! Not suspecting a thing?

New IP and no Timezone information

For some reason, it doesn't show the information that Smart Logger typically provides, such as the timezone (even though I made sure it's enabled and functioning).

More importantly, the IP address changed, but it's still originating from the US. Together with the absence of timezone information, this made me suspect that the scammer might not have actually clicked the link. Instead, it could be the Steam client sending a GET request to fetch the website's metadata to display it nicely to the end user.

Unfortunately, I later confirmed this by sending the link to a friend and asking them not to click on it. Sure enough, a different IP from the US appeared, using the same ISP and the same user agent.
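The distinction worked out above, as an added example that is not part of the original post: a small classifier over tracker hits that separates the Steam client's automatic metadata fetch from a real click. The user-agent marker, the 30-second window and the sample hits are all assumptions constructed for the example (the post only mentions a "Steam HTTP Client" user agent).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Substring the client's link-preview fetch is assumed to carry in its user
# agent (assumption based on the "Steam HTTP Client" agent seen in the logs).
PREVIEW_UA_MARKERS = ("Steam HTTP Client",)
PREVIEW_WINDOW = timedelta(seconds=30)  # assumption: preview fetch follows the send almost at once


@dataclass
class Hit:
    ts: datetime
    ip: str
    user_agent: str
    timezone: Optional[str]  # Smart-Logger style browser field; None when no JS ran


def classify_hit(hit: Hit, sent_at: datetime) -> str:
    """Label a tracker hit as 'preview_fetch' or 'human_click'.

    A metadata fetch fires automatically seconds after the link is sent, comes
    from the platform's own infrastructure and never runs the page's JavaScript,
    so it reports no timezone. A real click carries a browser user agent and
    arrives whenever the person actually opens the link.
    """
    bot_ua = any(m in hit.user_agent for m in PREVIEW_UA_MARKERS)
    instant = timedelta(0) <= hit.ts - sent_at < PREVIEW_WINDOW
    if bot_ua or (hit.timezone is None and instant):
        return "preview_fetch"
    return "human_click"


def real_clicks(hits, sent_at):
    """Return only the hits that look like a person opened the link."""
    return [h for h in hits if classify_hit(h, sent_at) == "human_click"]


# Constructed sample data, not taken from the post's own Grabify logs.
SENT_AT = datetime(2024, 12, 11, 20, 0, 0)
SAMPLE_HITS = [
    Hit(SENT_AT + timedelta(seconds=2), "203.0.113.10",
        "Valve/Steam HTTP Client 1.0", None),
    Hit(SENT_AT + timedelta(minutes=14), "198.51.100.7",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0", "Africa/Nouakchott"),
]

if __name__ == "__main__":
    for h in SAMPLE_HITS:
        print(h.ip, classify_hit(h, SENT_AT))
```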

But this isn’t over just yet. Look at this.

A new domain name has emerged

A new domain name! communityuserworks.com was also registered on December 9th, and the registrant is, once again, from Mauritania.

Conclusion

Researching this attack has been fascinating. I'm impressed by both their caution in avoiding the link and the sophistication of the Steam clone. However, it's troubling to realize that this is part of an ongoing operation involving multiple pre-registered domain names. So far, only one of the three domains has been flagged by my browser as fraudulent, meaning many people could still fall victim to this attack.

Finally, so I can sleep well, I reported the two unflagged domain names as fraudulent and reported the Steam user for scamming. Safe browsing everybody.

To be continued
