Contributors: Ionel Pomana, Kevin Judge
Video games have played an important role in the history of computers and are a significant reason for their popularity as a consumer product. Families had video game players in their homes long before they had personal computers. The ability to provide web sites that more closely replicate the experience of standalone software has improved dramatically in recent years, so it is no surprise that online gaming web sites have also boomed.
According to ebizmba.com, the top gaming web site is ign.com with an astounding 20 million monthly visitors. In fact, all the sites on their top 15 list exceed 1.5 million visitors per month. It is also no surprise that criminal hackers are attempting to exploit their popularity for nefarious schemes.
Major targets of such schemes are games that are delivered through Steam, a popular game delivery platform. These games can be played offline or online, with or against other human players. Unfortunately, online players may also have the company of “players” that they are not aware of: criminal phishers and malware writers.
Some games have so-called “in-game items” which players use to improve the gaming experience. These items are purchased during the game with real money and their price can vary from a few cents to several hundred dollars. Players use them in the game, exchange them for other items or sell them to other players in a “Community Market”.
This means a gamer's account can be a rich prize if compromised by fraudsters.
Malware that attempts to compromise gaming accounts is not something new, but Comodo Antivirus Labs has identified a new approach that criminals are using to hijack the accounts of Steam-delivered games. This article and the following information are provided to make gamers aware of such threats and hopefully avoid them.
The Phishing Message
It all starts with a message received from an unknown individual via the game’s messaging system. The user is asked, for various reasons, to follow a hyperlink.
The primary goal of the hacker is to obtain the player’s online gaming credentials.
The hyperlink takes the user to a site that resembles a legitimate website but is in fact a phishing page designed by the hackers. In our case, the linked domain name is very similar to that of a legitimate third-party site for trading game items, with just two letters changed in the domain name.
The user can easily mistake it for the well-known legitimate site.
The Phishing Sites
Once the link is opened, it displays a copy of the legitimate trading site with a very attractive and profitable trade offer. Refer to the screen print below:
On the legitimate trade website, a trade offer can be responded to by signing in with your game account using the OpenID protocol. When a user wants to sign in, he is redirected to the game vendor's website, where he logs in and confirms that he also wants to log in on the third-party website.
He is then redirected back to the trading website, where he is now logged in and can initiate or respond to any trade he wants. However, on the phishing website the situation is a bit different.
Once the gamer hits the sign-in button, he is not redirected to the game vendor's website, but to a page on the same phishing domain that closely imitates the vendor's login page, where he is asked to enter his account credentials.
A clue that this is not a legitimate site is that SSL is not enabled. Any time a web site asks you to enter personal information, don't do it unless you have confirmed that the address line says “https” rather than just “http” and that a lock icon is displayed. Every legitimate online business enables SSL because it protects its users with secured communication.
In this case, when the user name and password are submitted, no login action is performed. Instead, the submitted credentials are sent to the criminals who crafted the phishing website.
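The two clues above (a domain a couple of letters off from the real one, and a login form served over plain http) can be checked mechanically before a link is followed. This is an added example, not code from Comodo or the original article; the allow-listed domains are constructed placeholders, and the edit-distance threshold of 2 mirrors the two changed letters described above.

```python
"""Flag trade-site links that look like the scam described above.

Added example. KNOWN_GOOD holds constructed placeholder domains; in practice
it would list the legitimate trading sites a user actually uses.
"""
from urllib.parse import urlparse

# Constructed allow-list of legitimate trading domains (placeholders, not real sites).
KNOWN_GOOD = ("example-trades.com", "item-market.example")
# The scam's domain differed from the real one by two letters.
MAX_DISTANCE = 2


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize_host(url):
    """Lower-case the host and drop a leading 'www.' so comparisons are stable."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def assess_link(url):
    """Return a list of red-flag strings for a URL; an empty list means none found."""
    parsed = urlparse(url)
    host = normalize_host(url)
    warnings = []
    if host in KNOWN_GOOD:
        # Known site: the only thing left to check is the transport.
        if parsed.scheme != "https":
            warnings.append("known site, but page is not served over https")
        return warnings
    for good in KNOWN_GOOD:
        dist = levenshtein(host, good)
        if 0 < dist <= MAX_DISTANCE:
            warnings.append(f"lookalike of {good} (edit distance {dist})")
    if parsed.scheme != "https":
        warnings.append("no https: do not enter credentials here")
    return warnings


if __name__ == "__main__":
    for link in ("http://exanple-trades.com/trade/123",
                 "https://example-trades.com/login",
                 "https://examp1e-tradez.com/offer"):
        print(link, "->", assess_link(link) or ["no red flags"])
```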
Phase II of the Scam
Many similar phishing scams, such as for bank users, would stop here with the theft of the user login credentials. Unfortunately, this scam goes the extra mile.
After the credentials are submitted and stolen, a pop-up informs the user that a “game guard” needs to be enabled on the computer in order to log in. The real “Steam Guard” is a set of security measures (including two-factor authentication) put in place by the game vendor to prevent account takeovers and credential theft.
In this case the criminals are luring the user into running a malicious application, named “Steam Activation Application.exe”. The phishing website will download it as soon as the pop-up is displayed.
As seen below, the malicious application is not hosted on the respective domain, but on Google Drive.
When it is run, the application reads from a registry key the path where the Steam client is installed.
After reading the location, it starts searching that folder for all files whose name begins with the string “ssfn”.
When a file that starts with “ssfn” is found, its content is read and the binary data is converted in memory into a plain-text hexadecimal representation.
This is done to allow the trojan to steal the file by sending it via an HTTP POST to the web server located at 188.8.131.52.
If the send was successful, the application displays a message stating “You now have access to your Steam account from this computer!”, otherwise it displays a message that an error has occurred:
An error occurred while activating account (disk read error)
After displaying the success or error message, the trojan executes cmd.exe with the “del” parameter to delete itself. In this way it tries to remove its traces from the system so the user does not suspect any questionable activity.
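The sequence just described (a process other than the Steam client reading ssfn* files, then making an outbound POST, then spawning cmd.exe to delete its own image) can be correlated per process from endpoint telemetry. The following is an added detection example, not Comodo's own tooling; the key="value" log format, the sample events and the Steam default install folder are assumptions made for the example.

```python
"""Correlate the ssfn-theft behaviour described above from endpoint events.

Added example. The log format below is an assumed key="value" format and the
events are constructed, not real telemetry.
"""
import re
from collections import defaultdict

# Constructed sample events (assumed format). pid 412 mimics the trojan's steps;
# pid 300 is the Steam client itself; pid 777 reads an ssfn file but does not exfiltrate.
SAMPLE_LOG = r'''
ts=1 pid=300 image="C:\Program Files (x86)\Steam\steam.exe" event=FileRead path="C:\Program Files (x86)\Steam\ssfn1234567890"
ts=2 pid=412 image="C:\Users\bob\Downloads\Steam Activation Application.exe" event=FileRead path="C:\Program Files (x86)\Steam\ssfn1234567890"
ts=3 pid=412 image="C:\Users\bob\Downloads\Steam Activation Application.exe" event=HttpRequest method=POST dst="188.8.131.52"
ts=4 pid=412 image="C:\Users\bob\Downloads\Steam Activation Application.exe" event=ProcessCreate cmdline="cmd.exe /c del "C:\Users\bob\Downloads\Steam Activation Application.exe""
ts=5 pid=777 image="C:\Tools\backup.exe" event=FileRead path="C:\Program Files (x86)\Steam\ssfn9876543210"
'''

# key=value pairs; a quoted value ends at a quote followed by the next key or end of line,
# so a cmdline containing its own quotes is kept intact.
FIELD_RE = re.compile(r'(\w+)=(?:"(.*?)"(?=\s+\w+=|\s*$)|(\S+))')
SSFN_RE = re.compile(r'\\ssfn[^\\]*$', re.IGNORECASE)
# Assumed default install path of the legitimate client, which may read ssfn files.
STEAM_CLIENT = r"c:\program files (x86)\steam\steam.exe"


def parse_line(line):
    """Turn one event line into a dict of field name -> value."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}


def detect(log_text):
    """Return (pid, image, severity, post_destinations) for suspicious processes."""
    state = defaultdict(lambda: {"image": "", "ssfn": [], "post": [], "self_delete": False})
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        st = state[ev["pid"]]
        st["image"] = ev.get("image", "")
        if ev.get("event") == "FileRead" and SSFN_RE.search(ev.get("path", "")):
            st["ssfn"].append(ev["path"])
        elif ev.get("event") == "HttpRequest" and ev.get("method") == "POST":
            st["post"].append(ev.get("dst", ""))
        elif ev.get("event") == "ProcessCreate":
            cl = ev.get("cmdline", "").lower()
            # cmd.exe deleting the parent's own executable: the cleanup step described above.
            if cl.startswith("cmd.exe") and " del " in cl and st["image"].lower() in cl:
                st["self_delete"] = True
    findings = []
    for pid, st in state.items():
        if st["image"].lower() == STEAM_CLIENT or not st["ssfn"]:
            continue  # the Steam client legitimately touches ssfn files
        if st["post"]:
            severity = "critical" if st["self_delete"] else "high"
            findings.append((pid, st["image"], severity, st["post"]))
        else:
            findings.append((pid, st["image"], "medium", []))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```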
What’s the purpose of stealing “ssfn*” files?
These files contain Steam account data and two-factor authentication data. When such a file is placed into Steam's folder on another system, the two-factor authentication token is no longer required: any individual using the file gets full access to the account.
In this way, the games can be accessed and played, the in-game items (some of which can be very expensive) stolen or traded for cash, the transaction history viewed, and even the account login details and email address changed so the original owner can no longer use the account or even recover it.
How to prevent such account takeovers
The following advice applies to this scam, but also to most variations of phishing scams:
- Vigilance is the best defense:
Do not click on any links received from strangers, or even suspicious links from friends who might themselves be victims of hijackers. Make sure any login process you perform is done on SSL-enabled websites via the https protocol, since such websites prove their identity in this manner. Double-check domain names for any suspicious mismatch.
- Use a secure DNS service:
Any system should be using a secure DNS service such as Comodo Secure DNS that will warn you in case of phishing attempts.
- Use a robust security suite with a Firewall and advanced malware protection:
Make sure you have installed Comodo Internet Security in order to be protected from malware that might reach your system.
The past six months have proven that the threat landscape has changed forever. Threat intelligence is one of those posture-forward initiatives. Our upcoming Year-End Report will shed light on the fact that it is a growing focus for the community. In concert with that growing focus, we asked a few of our close friends what has changed and what executives should do now.
HOW HAS THREAT INTELLIGENCE CHANGED IN THE PAST SIX MONTHS?
Santosh Kamane, Vice President Information Security, DBS Bank
“Phishing, malware, ransomware attacks are on the rise because adversaries know that users are isolated from their workplaces. Organizations who worked in a security environment where they were not prepared to work remotely have had a particularly hard time. They did not have do’s and don’ts on how to handle phishing emails, malware, and ransomware, what to click, what not to click, when to report incident, etc.- those base practices in place.”
Santosh notes that security awareness was low on our way into the pandemic. That means that all of the security awareness focus of the past two years simply got the community to a less than optimal outcome. Security awareness campaigns continue, but it's possible the communication strategy needs to be examined.
What might be most interesting about Kamane's response is that he's not discussing feeds; he's talking about basic human threat intelligence. What good do the best feeds do you if Dave from accounting just opened the wrong email?
Kayne McGladrey, Senior Member, IEEE
“We were in the hype cycle with threat intelligence, and as a direct consequence, organizations are evaluating their threat intelligence providers and asking, is this actionable? Is this relevant? You can have two separate threat intelligence feeds covering the exact same industry, and you’re getting entirely different signaling information out of them. So I think that there’s a hesitancy to invest more in threat intelligence rather than to pick the feeds and providers that are providing the most actionable information.”
Kayne is talking about feeds. But all feeds are not created equal, and a great way to know whether your feeds are of any value to you is whether you've taken action on anything recently. Another way to know whether your feeds are of any value is to quantify.
“Have a KPI about value that came out of your threat intelligence feed. Did it actually cause you to do something differently? Were your analysts able to act on this, or was it just another thing that they had to go look at? Because when you think of time as being our chief enemy, if it’s sucking time and not producing value, why do you keep it? It’s a data feed, ultimately. At the end of the day, you have to contextualize it in terms of your organization. Threat actors tend to vary in terms of behavior in their TTPs. And consequently, you need to really tailor your threat intelligence. And if you’re not getting that tailored information, drop it.”
One might argue that tailored information for your organization is more valuable than general information. Kayne is arguing that general information is not valuable. But he stops short of offering that company-specific feeds are the only feeds that matter.
“Is there an ISAC, an information security association, that’s sharing similar information that you could just get by being a member? That could also be a better public/private partnership to address these issues, in addition to a commercial entity that’s allegedly providing intelligence, whereas, in fact, they’re just providing data.”
Make some friends. Share some information. Which brings us to our second question.
THREAT INTELLIGENCE: WHAT SHOULD CISOs DO NOW?
Kayne McGladrey, Senior Member, IEEE
“Definitely, make a contact with your local veterans employment representative, your LVER. You can find those through America’s job network, and just find out. Like the other thing, ultimately, your HR departments will be pleased with because LVERs are not a paid service. You can basically hire people- with no hiring or headhunter fee or associated cost structure- who are going to be motivated and talented. They might need to learn your tool chain, but the actual intelligence skills to disambiguate and make sense of a threat intelligence feed or feeds, as well as what you’re seeing off your SIEM telemetry- that’s invaluable. You cannot put a price on that.”
Many folks are talking about investing more in threat intelligence, and many of those folks are talking about investing in automated analysis of threat intelligence feeds. An alternative to automating your (potentially unproven) feeds is hiring a veteran, who all-in will likely be cheaper while having proven intelligence chops.
Santosh Kamane, Vice President Information Security, DBS Bank
“The key is zero trust architecture. It talks about addressing your internal and external traits at the same time. We always considered our employees, as non-mobile, internal resources that would always be in-office, now everybody’s on the move. That makes the threat level for external and internal players pretty much same. And in some cases with the internal employees it’s higher, because they hold so much knowledge, they already have keys to enter into your network.”
Again Santosh discusses heading off threats at the pass. It seems he is in fact on the pulse of where the industry's issues lie. How can we justify unproven investment in “detect” initiatives if the “protect” initiatives are themselves vulnerable?
“The focus would be on how you build, purely a good a zero trust architecture to gain better visibility into everything that goes into your network- a centralized view- to have centralized security administration. Everything that goes in and out of the network that needs to be built, scrutinized, everything needs to be logged. Everything needs to be assessed on why that particularly activity was allowed or denied.”
As a coda to his contribution, Kamane urges folks to focus on the solution as opposed to the problem. So one might suggest that even if you've got the VPN in place because you just invested in that architecture, rather than investing further in threat intelligence feeds or automation, use that money on a ZTNA (Zero Trust Network Architecture). Or, close the doors before you worry about the windows.
Jeff Campbell, CISO, Horizon Power
“Adopt that model of sharing. It’s all about knowledge sharing. It doesn’t really matter which threat Intel feed to which you subscribe. Don’t be overwhelmed by the number of available services- choose a framework, choose a model that you feel comfortable with, or that is purpose fit for your organization- and then start to structure your intelligence feeds or threat Intel around what you’re trying to achieve. If you’re trying to mature your cybersecurity practice, then look at threat feeds that will actually give you practical ways of remediating.”
Jeff makes like Stephen Covey and suggests that you begin with the end in mind. What outcome are you trying to achieve? Answer that question. Then, just as Kayne suggested, customize your feeds as well as you can to your particular organization. And, just as Kayne suggested, ensure that you are getting information which is actionable.
Dennis Leber, CISO, University of Tennessee
“Review your program and look at how you’re operationalizing that program. Look at what you’re doing with the data. You know how to improve. Look for opportunities to improve on what you’re doing already, and then share it, share your best practices with your peers and other companies.”
No matter what you do, once you have your threat intelligence working for you, heed Dennis's great final point: share with your peers. The cyber security community is stronger and safer when collaboration occurs.
Huobi expands fiat gateway to support AUD, GBP and EUR through Banxa
Huobi Global, the world's leading digital asset exchange, today announced support for the Australian dollar (AUD), British pound sterling (GBP), and Euro (EUR) through Banxa, an internationally compliant fiat-to-crypto gateway solution. The partnership allows users in Australia, the UK, and the European Union to purchase cryptocurrencies with their official fiat currencies.
By integrating with Banxa’s payment solutions, Huobi is able to provide users with more flexibility and choice in payment methods, while also enabling a seamless user experience. Users can access the new fiat-to-crypto gateway directly from the Huobi OTC site and deposit AUD, GBP, or EUR to begin trading cryptocurrencies in just a few clicks. Funds can be instantly added to a user’s account using bank transfers, debit/credit card, and other preferred payment methods with zero fees.
“Our partnership with Banxa allows us to support three of the world’s most widely-used fiat currencies, marking a significant milestone in our global expansion,” said Ciara Sun, Vice President, Global Markets at Huobi Group. “With our newly expanded fiat gateway, we want to help accelerate crypto adoption by making digital assets much more easily accessible to the masses. This integration introduces a new point of access for users in Australia, UK, and the European Union looking to enter the crypto market.”
Domenic Carcosa, founder and Non-Executive Chairman of Banxa, said: “Huobi is a first mover heavyweight, with some of the most innovative products and services in the industry. As digital assets become mainstream and move toward mass adoption, regulation and transparency are key to building trust. That is why we've chosen to partner with Huobi.”
From the ‘Buy Crypto’ page on Huobi OTC, users can select the digital asset they’d like to purchase, choose their fiat currency, and enter the fiat value or asset quantity for purchase. After selecting their preferred payment method, which includes Visa and Mastercard transactions, users can purchase up to $20,000 USD worth of digital assets in a single transaction. The daily purchase limit is $15,000 and the monthly purchase limit is $60,000.
Users are also required to submit a one-time identity verification as part of the transaction process. Once completed and the payment approved, users can access their assets in their exchange account within a few minutes. From there, users can immediately select a trading pair and start crypto-to-crypto trading.
Sun added, “As we bolster our global presence and expand into new markets, we will continue adding new fiat on-ramps to give all users a frictionless onboarding experience. We recently set out on an ambitious new goal to empower 100 million households worldwide to own digital assets, so we want to ensure we make it faster, easier, and more secure for new users to get started.”
Australian Cyber Week 2020 showcases vibrant, growing sector
Today, the Federal Minister for Industry, Science and Technology, The Hon Karen Andrews MP, launched the fourth annual Australian Cyber Week, a week-long series of events and activities nationally coordinated by AustCyber – the Australian Cyber Security Growth Network.
The official launch event, featuring Minister Andrews, Innes Willox of the Australian Industry Group, Chris Painter of the Global Forum on Cybersecurity Expertise, industry heavyweight David Thodey and AustCyber’s CEO Michelle Price, will highlight the shift to digital through the COVID-19 pandemic and how it is accelerating the economy – a theme that will be explored further throughout the week through almost 30 events spanning the full breadth of the cyber security landscape for those within the sector, but also well beyond.
Held from 26-30 October, Australian Cyber Week 2020 provides opportunities for Australian cyber security and related organisations to showcase their capabilities and network with peers, potential investors and customers. It also provides an excellent way for cyber-curious individuals and organisations to better understand what cyber security can do and mean for them.
“Cyber Week 2020 is one of AustCyber’s key programs under our mission to grow a globally competitive cyber security sector,” said Michelle Price, CEO of AustCyber. “The events during Australia’s Cyber Week connect Australian cyber capabilities with key domestic and international stakeholders who are contributing to the growth and success of the sector and creates further opportunities to enhance future economic growth.”
Australian Cyber Week has traditionally featured in-person events and activities at various locations across Australia. In 2020, AustCyber is debuting a new virtual conference platform which features 100% Australian technology. The 3D ‘circuit board city’ is the gateway to daily live events, a networking hub and exhibition hall showcasing booths which feature sovereign products and services. Online events will be complemented by in-person events in South Australia and Western Australia, facilitated through AustCyber’s National Network of Cyber Security Innovation Nodes.
“Each day, Australian Cyber Week has a feature event to demonstrate our globally competitive cyber security ecosystem,” said Ms. Price. “The range of speakers is broad – ranging from CEOs of large corporates and venture capital investors, to ethical hackers, school students with a keen interest in cyber, and those with disabilities working within the sector.”
Later today, AustCyber in partnership with Cynch Security, Deakin University and RMIT University, will explore small business attitudes towards cyber security. While small businesses have had to fight for survival during the COVID-19 crisis, the unprecedented period of digital adoption has left many exposed to threats they are unprepared for. As Australia looks towards the future again, there has never been a more important time than now to understand the challenges this sector faces. This event will provide paths forward for building cyber fitness in the most vulnerable businesses.
AustCyber has partnered with CISO Lens and cyber security accelerator CyRise to host Sky’s the Limit on Tuesday 27 October. This event will feature ten Australian cyber security companies delivering short pitches to executives from ASX listed companies from key Australian sectors including advanced manufacturing, health, consumer services, mining and financial services.
To underline the importance of digital trust in keeping our digital activity secure and resilient, during an event on 28 October, AustCyber will simulate a significant cyber-attack on Australia through a hypothetical situation. Experts from the Australian Energy Market, Siemens Digital Industries Australia, TOLL Group and cohealth come together to examine the impact on critical infrastructure, crucial parts of our society and how it would impact almost all of us.
The National Missing Persons Hackathon 2020, held on 29 October, is one of the most innovative events to be held in Australia this year and is being held in partnership with the Australian Federal Police, National Missing Persons Coordination Centre and Trace Labs.
This event will see the gathering of ethical hackers and investigators using online investigative techniques within the bounds of the law to find new leads on 12 real missing persons cases in Australia. Contestants will be using their cyber skills to gather open source intelligence (OSINT) on long-term and current missing persons using only information that is publicly available on the internet. The goal of this is to generate new leads on cases that can aid the relevant Australian policing jurisdictions in their investigations.
“We are excited to be returning for 2020 and going virtual for the first time,” said Linda Cavanagh, National Network Lead at AustCyber and Founder of the National Missing Persons Hackathon. “Theoretical concepts are put aside so participants can operate in real time, with real data, for real human impact. Imagine the possibility of a missing person case being solved by the community using crowdsourced cyber skills! Helping close a case would be a great result and show the value and power of OSINT.”