The popular PC gaming platform known as Steam, has been a constant target to hackers and malicious attacks. Many players use steam guard to protect their accounts from unauthorized access. But what if hackers could indirectly hijack your account, and make their computer appear as yours and completely circumvent steam guard?
Steam, the PC gaming program is a large community of online computer gamers. It is one if not the most popular systems for gamers to connect, buy games, and play online with friends. With something the size of steam, obviously hackers will target users with phising campaigns, viruses, among numerous other attack methods. While those methods are popular and steal a large chunk of accounts, Steam implemented a form of two-step verification. The two-step verification method is known as Steam Guard, steam guard will ask users logging in from unknown locations and/or new computers to verify their account with a small code sent to their email. Once input, steam is unlocked and allows gamers to continue to play their games. This method of authentication has crippled hackers ability to steal accounts at large scale.
While steam guard is begin used by a large number of gamers, hackers have launched a new phishing campaign targeting Steam Guarded accounts. The new phish will start with the general enter your steam Username and Password. Once entered the average looking steam guard pop-up box appears. Wait… that’s not the average steam guard popup.
This pop-up is not asking for the steam guard token, this reads,
We see you’re logging in to Steam from a new browser or a new computer. Or maybe it’s just been a while…
As an added account security measure, you’ll need to grant access to this browser by uploading the special ssfn* file from your Steam folder…
Ssfn* file contains your ID number and located in a directory Steam folder
(…/Program Files/Steam/ssfn* )
This is asking for your personal SSFN file located in your steam directory. In short, sending the SSFN key to the attacker will allow them to upload the file into their Steam directory, and steal the steam account while bypassing Steam Guard authentication.
What is the SSFN file?
The SSFN file located in users local steam directory, is one that stops users from having to verify their identity through steam guard every login, on that particular PC. If a steam guard protected account deletes the SSFN file in the steam directory, the user will have to re-verify that computer with steam guard. Once re-verified the SSFN file will be created and stored in the local steam directory.
Security researchers at Malwarbytes tested if attackers could abuse the SSFN file to bypass Steam Guard. While extracting the SSFN file and uploading it to an external computer in new location, IP, machine, and everything else, sure enough Steam Guard was bypassed. It works by the attacker continuing to login with the phished steam credentials, and the attacker will still be met with the steam guard protection, once the attacker see’s this screen they just upload the SSFN file into the directory, and steam guard recognizes it as authentication.
Once in, the attacker could sell valuable in-game items. This would allow the hacker to steal special items, hijack users games, amongst other actions. Once in the account the attacker can see the victim’s purchase history, change current email addresses, current Steam password, disable Steam Guard, change the profile name, and update the stored payment method (if any). Luckily attackers cannot make any purchases through the comprised steam account.
Steam is aware of the issue, and does not seem to have any fixes at the moment. Some users were actually abusing the SSFN method for legitimate use. Steam has restriction limits on what users can do on newly authenticated computers, and if users switched computers and used the SSFN method, the users could continue on the new computer as if it was still the old one.
Steam Guard is a great feature to protect accounts as it only asks users to verify their identity on new computers, or from fishy login methods. Once in, Steam will not ask again unless locations or computers are switched. For Steam to fix such issue, Malwarebytes notes they may have to implement less attractive and naggy verification methods.
- http://blog.malwarebytes.org/fraud-scam/2014/04/phishers-bypass-steam-guard-protection/ – Includes Steam threads and support ticket proof