Steam phishing scheme steps up account jacking attempts with automation

The latest phishing scheme on Steam is attempting to trick users into downloading malicious software that bypasses Valve's Steam Guard security feature, according to Malwarebytes Unpacked.

Steam Guard is two-factor authentication for Steam accounts. Valve launched the feature in 2011 and made it mandatory for all Steam Community trades by the end of 2012. It works by placing what's known as an "SSFN file" on computers that users have authorized with their Steam accounts. Steam checks for the SSFN file the next time around, and as long as it's there, the service knows that the user has previously logged in to their account using that device.

In April, Malwarebytes Unpacked reported on a Steam Guard-based phishing scam that got users to enter their login information on a fake website and then manually upload the SSFN file from their computer. Once the phishers had a Steam user's login details and SSFN file, they could get around Steam Guard and access the person's account.

The phishers must not have been satisfied with the return on that method, because they're now using a simpler strategy that more people may fall victim to. A private message is sent to advertise item trading with an apparently well-stocked Steam account, and the message includes a link to a fake login page. Once the user enters their details, the page asks them to download and run an additional piece of software to complete the login process.

According to Malwarebytes Unpacked, the software contacts a Russia-based website, then scans the person's computer for the SSFN file and uploads it to the phishing site. Together, that information is enough to hijack the account.
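
The behaviour described above (a program other than Steam reads the SSFN file, then contacts a remote site) can be turned into a detection rule. The sketch below is an added example, not code from Malwarebytes, Valve or this article. The JSON audit format, the field names, the `ssfn` file-name prefix, the assumption that the SSFN file sits beside `steam.exe`, and the 60-second window are all assumptions, and the log lines are constructed.

```python
import json
import ntpath
from datetime import datetime, timedelta

# Constructed events in a hypothetical JSON-lines audit format (field names are assumptions).
SAMPLE_LOG = r"""
{"ts":"2014-08-01T10:00:00","type":"file_read","pid":812,"image":"C:\\Program Files (x86)\\Steam\\Steam.exe","path":"C:\\Program Files (x86)\\Steam\\ssfn0000000000000001"}
{"ts":"2014-08-01T10:05:10","type":"file_read","pid":4312,"image":"C:\\Users\\alice\\Downloads\\login_helper.exe","path":"C:\\Program Files (x86)\\Steam\\ssfn0000000000000001"}
{"ts":"2014-08-01T10:05:12","type":"net_connect","pid":4312,"image":"C:\\Users\\alice\\Downloads\\login_helper.exe","dest":"203.0.113.7:80"}
{"ts":"2014-08-01T10:06:00","type":"net_connect","pid":812,"image":"C:\\Program Files (x86)\\Steam\\Steam.exe","dest":"198.51.100.20:443"}
{"ts":"2014-08-01T11:30:00","type":"file_read","pid":5100,"image":"C:\\Tools\\backup.exe","path":"C:\\Program Files (x86)\\Steam\\ssfn0000000000000001"}
"""

STEAM_CLIENT = "steam.exe"        # assumption: only the Steam client should read SSFN files
WINDOW = timedelta(seconds=60)    # assumption: the upload follows the read within a minute

def is_ssfn(path):
    """True when the file name starts with 'ssfn' (assumed naming of Steam Guard files)."""
    return ntpath.basename(path).lower().startswith("ssfn")

def is_steam_client(image, ssfn_path):
    """True only for steam.exe running from the directory that holds the SSFN file."""
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(ssfn_path).lower()
    return same_dir and ntpath.basename(image).lower() == STEAM_CLIENT

def find_ssfn_alerts(log_text):
    """Return one alert per SSFN read by a process that is not the Steam client.

    Severity is 'high' when the same PID opens a network connection within
    WINDOW after the read (read, then upload), otherwise 'medium'.
    """
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    events.sort(key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(events):
        if e["type"] != "file_read" or not is_ssfn(e["path"]) or is_steam_client(e["image"], e["path"]):
            continue
        dests = [n["dest"] for n in events[i + 1:]
                 if n["type"] == "net_connect" and n["pid"] == e["pid"]
                 and n["ts"] - e["ts"] <= WINDOW]
        alerts.append({"pid": e["pid"], "image": e["image"],
                       "severity": "high" if dests else "medium", "dests": dests})
    return alerts

if __name__ == "__main__":
    for alert in find_ssfn_alerts(SAMPLE_LOG):
        print(alert)
```

Comparing the full image directory rather than only the file name keeps a downloaded program that calls itself `steam.exe` from passing the check.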
