Steam, the hugely popular online video-game storefront, is being slammed by malware crafted to attack its users, according to a report published yesterday (March 15) by Kaspersky Lab researchers. The report says it costs only $3 to buy the most basic version of Steam Stealer, commercialized malware that can pilfer funds, in-game purchases and account information from any Steam user.
Steam boasts 140 million users, but the service recently admitted that an average of 77,000 Steam accounts are robbed per month. The Kaspersky Steam report, written by researchers Santiago Pontiroli, an Argentine who works for Kaspersky Lab, and Bart P./Bart Blaze, a Fleming whose day job is with Panda Security, explains that while Steam may be popular worldwide, Steam Stealer malware has roots in the Russian cybercrime community.
Prices for Steam Stealer go up to $30, but even the $7 version includes a manual and the source code needed to tweak the malware further.
Many online criminals post Steam Stealer code on public code repositories such as Pastebin, making it hard to trace their identities.
Steam Stealer hits gamers in a variety of ways. Web pages containing the malware can be linked to from spam emails or forum threads, or stumbled upon when a user mistypes the URL of a legitimate Steam page. A recent scam placed a Steam Stealer inside a Chrome extension that offered modifications to the popular Counter-Strike: Global Offensive game.
Users can also be ripped off by scams right in Steam's Marketplace, where some users try to pawn off bogus goods they claim to be ultra-rare items worth exorbitant triple-digit prices.
The report says stolen Steam credentials go for an average price of $15 on the black market, but there's potentially a high return on the investment. If a user has a well-fed Steam Wallet, or a trove of rare items that can be sold in the Marketplace, then that $15 login name and password turn into a pay day.
Steam's owner and operator, game developer Valve, has tried to stop theft by adding two-factor authentication and restricting Steam chats to separate users who do not share friends. But the Kaspersky report does not have a positive outlook.
Pontiroli and Bart P. say that users, at the bare minimum, should enable two-factor authentication(see the link about the 77,000 hijacked accounts above) and make sure to use an up-to-date antivirus solution. Gamers may be excited about Valve's long-awaited Half Life 3 game seeing the light of day, but the Kaspersky report fears the game's release will attract an even more powerful generation of Steam Stealers.