Phishers Bypass Steam Guard Protection

Status
Not open for further replies.

Jack

Administrator
Thread author
Jan 24, 2011
9,378
I was digging through some recent Steam-related phish pages, and came across something I haven’t seen before: a new way to steal Steam accounts while bypassing an additional security measure.

Typically a Steam phish page asks for username and password, like all phish attacks – often these can be foiled by enabling Steam Guard on your account.

What is Steam Guard?

When logging in on a PC you haven’t used before, Steam Guard will pop a window asking for a verification code which will have been sent to your email address. Without the code, you can’t log in. Scammers have come up with a somewhat novel way to try and get around this security measure.

How do they do it?

A potential victim will navigate to the phish page and enter their Username and Password.

At this point, they’ll be greeted with the following pop-up box:



Looking very similar to the usual Steam Guard pop-up box, it says:

We see you’re logging in to Steam from a new browser or a new computer. Or maybe it’s just been a while…

As an added account security measure, you’ll need to grant access to this browser by uploading the special ssfn* file from your Steam folder…

Ssfn* file contains your ID number and located in a directory Steam folder
(…/Program Files/Steam/ssfn* )

Sending this file to the scammer allows them to place it into their Steam directory and log in as the victim while avoiding the Steam Guard security prompt asking for a verification code sent to the email address on file.

What is the SSFN File?

The SSFN file is the one that stops you from having to verify your identity through Steam Guard every time you log in to Steam on your PC. If I delete mine, for example, I’ll have to go to my email account and dig out a brand new verification code sent to me from Steam.

After I’ve done this and entered the code, a brand new SSFN file is created in the Steam folder and I’m back to being protected by an additional layer of security. Here’s the file in question:





Testing, Testing…

We did some testing and can confirm that this technique – asking a victim to send their SSFN file to the scammer – does indeed work. In the below screenshot, we’re attempting to log in to a Steam Guard protected account from a new machine / IP / location / everything else:



“Hello! We see you’re logging in from a new computer. As an additional security measure, you’ll need to grant access to this computer by entering the special code we’ve just sent to your email address”

At this point, the scammer would be foiled unless they also have access to the victim’s email account. However, let’s assume the victim here has sent their SSFN file via a phishing page. From there, we take the victim’s SSFN file, drop it into the Steam directory on the scammer’s computer, try to log in again and…





Success! We’re in.

Read more: http://blog.malwarebytes.org/fraud-scam/2014/04/phishers-bypass-steam-guard-protection/
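
A defender-side check for the upload step described in the post above, as an added example that is not part of the original post or the linked article: it parses a multipart/form-data POST body and flags file parts whose name matches the ssfn* pattern the post quotes. The function name, the sample request and the idea of running it in a web proxy or DLP hook are assumptions made for illustration.

```python
import fnmatch
from email import message_from_bytes
from pathlib import PureWindowsPath

SENTRY_GLOB = "ssfn*"  # file name pattern quoted in the post above


def sentry_uploads(content_type: str, body: bytes) -> list:
    """Return base names of uploaded files in a form POST that match ssfn*."""
    if not content_type.lower().startswith("multipart/form-data"):
        return []
    # Prepend the request's Content-Type so the stdlib MIME parser can split
    # the body on its boundary.
    raw = b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n" + body
    msg = message_from_bytes(raw)
    if not msg.is_multipart():
        return []  # malformed body or missing boundary
    hits = []
    for part in msg.get_payload():
        filename = part.get_filename()
        if not filename:
            continue  # plain form field such as username or password
        # Some clients send a full path; PureWindowsPath strips both \ and /.
        base = PureWindowsPath(filename).name
        if fnmatch.fnmatchcase(base.lower(), SENTRY_GLOB):
            hits.append(base)
    return hits


# Constructed sample request: a login form that also carries a file part.
SAMPLE_TYPE = "multipart/form-data; boundary=constructed-boundary-1234"
SAMPLE_BODY = (
    b"--constructed-boundary-1234\r\n"
    b'Content-Disposition: form-data; name="username"\r\n\r\n'
    b"example_user\r\n"
    b"--constructed-boundary-1234\r\n"
    b'Content-Disposition: form-data; name="sentry"; '
    b'filename="C:\\Program Files\\Steam\\ssfn0000000000000"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"\x00\x01constructed-bytes\r\n"
    b"--constructed-boundary-1234--\r\n"
)

if __name__ == "__main__":
    print(sentry_uploads(SAMPLE_TYPE, SAMPLE_BODY))
```

The match is on the file name only, so any upload whose name starts with "ssfn" is flagged; treat a hit as a signal to review the destination site rather than as proof of phishing.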
 

Mateotis

Mar 28, 2014
497
Creative! Maybe next time they will just ask the users to pay for their games. :D
 
Deleted member 21043

This may not be related, however, Steam could do with a new design with their User Interface.
 