Another hot new game means another predictable malware scam. The hot new game is Valorant, an upcoming multiplayer shooter from League of Legends developer Riot Games.
Valorant is due out this summer, but a closed "beta" version that you can play now was released earlier this month, creating a scramble to get official keys to unlock the beta version.
This malware scam promises beta keys to prospective players, but installs a keylogger instead. The scam is easy to avoid, and easy to address — but it’s also easy to fall for, particularly if you’re caught up in the Valorant hype.
- Play the best free PC games
- 11 best games to play when you're stuck at home
- Plus: PS5 will be hard to find at launch — and expensive
This information comes from Albert Zsigovits, a threat researcher for U.K.-based security firm Sophos. It’s not crystal clear where Zsigovits encountered the fake key generator, but the end-results are easy enough to understand.
Fake #RiotGames #Valorant game-key generators being distributed.It’s actually a stealer, stub grabs a 2nd stage keylogger from pastebin. @malwrhunterteam @JayTHL @PlayVALORANT pic.twitter.com/nXKzRc8W7OApril 15, 2020
If you try to use the fake Valorant keygen, it will download a keylogger from Pastebin directly to your computer, then channel anything you type — including your usernames and passwords — back to a cybercriminal somewhere.
How to avoid getting pwned by the Valorant scam
Avoiding the scam is trivial, since all you have to do is not attempt to generate illicit beta keys for Valorant. While demand for these keys has been through the roof ever since the the beta of the game went live, Riot has made it easier than ever to acquire a legitimate code.
All you need to do is watch a Valorant streamer on Twitch and wait for a code to drop. You’re not guaranteed to get a code, but remember: a beta isn’t really for the players’ benefit. It’s a way for Riot to test server stress and netcode.
It may sting to get left out, but for a highly anticipated game, there are always going to be fewer open spots than willing participants.
What to do if you fell for the Valorant scam
If you fell for the keygen trick, though, all hope is not lost. Keyloggers are usually not sophisticated pieces of malware, and running a virus scan with one of the best antivirus programs should eradicate it from your system.
Be sure to change your passwords, though — especially if you share passwords among multiple accounts. A cybercriminal with a username and password for one website can often use them to log into a number of different sites. One of the best password managers can help you.
Unfortunately, getting rid of the keylogger will have to be done after the fact. According to VirusTotal, only Kaspersky software seems to recognize the keylogger download page on Pastebin as malicious at present.
Still, there is hope, as Zsigovits reported the malicious software to Pastebin, which does not allow keyloggers on its website. Some do occasionally fall through the cracks, though, it seems.
It’s not clear how many people downloaded the fake key generator, or whether they sent any information to a cybercriminal before an antivirus program caught the keylogger.
Since Valorant is an extremely popular game, it seems safe to say that the number is higher than zero, but anything more would be pure speculation. Hopefully, Pastebin will take down the keylogger before other users get a chance to unwittingly download it.
If you’re absolutely dying to play Valorant, sign up for the beta at Riot’s official website, then watch Twitch streamers and hope for an official code. It’s not a perfect method, but even if it fails, the game will be out in full this summer. You won’t have to wait that long.