PC and console gamers alike appear to be the target in an ongoing hacking spree spanning websites owned by Konami, Ubisoft, Crytek and a number of others. These are direct hacks into the website databases to acquire player information like passwords, email addresses and even credit card information. This latest attack on Steam gamers takes a different approach.
Security firm Trusteer, which IBM acquired just last week, said it has discovered a new configuration of the Windows-based Ramnit Man-in-the-Browser (MitB) malware that uses HTML injection to target the Steam Community website. This is the same worm that stole more than 45,000 Facebook login credentials back in January 2012.
"Win32/Ramnit is a family of malware that steals your sensitive information, such as your bank user names and passwords," stated Microsoft's Malware Protection Center back in 2010 (opens in new tab). "They can also give a hacker access and control of your computer and stop your security software from running. The malware arrives on your computer via an infected removable drive."
This is what sets the Steam attack apart from the current game-site hacking spree: it infects individual users rather than breaking into an entire database. Trusteer reports that once a user is infected and tries to log into Steam through a web browser, Ramnit injects a password request element, pwd2, which allows it to capture the sensitive data in plain text. Typically this username/password info is encrypted using the site's public key.
"While this simple technique is good for overcoming the client side encryption, it also raises an issue – Steam’s server is not expecting to receive this new element (pwd2) when the form is submitted," writes Etay Maor.
Maor points out that many server-side security solutions detect MitB malware by looking for forms with injected elements. As an example, when the user fills out an online login form and the data is sent to the website, the security solution scans for unknown elements that could indicate HTML injection malware. Thus if the login information is received and includes an additional credit card number that wasn't part of the login request, then the site will know that this specific user is infected and will lock the individual out.
But Maor reports that Ramnit avoids server-side detection by removing the injected element before the form is sent back to the website. Maor explains that by using form grabbing, the cybercriminal can easily index the collected data. Ramnit also has a key-logging ability, but this results in a batch of characters that doesn't distinguish between username, password and keystroke junk.
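The server-side check Maor describes, as an added example rather than code from Trusteer or Valve: it compares the field names in a submitted login form with the ones the server rendered. Every field name except pwd2, and all of the sample request bodies, are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl

# Assumed field names for a login form; only "pwd2" comes from the article.
EXPECTED_FIELDS = {"username", "password", "captcha_text"}
REQUIRED_FIELDS = {"username", "password"}


def inspect_login_post(body: str) -> dict:
    """Compare a urlencoded login POST body with the form the server rendered."""
    pairs = parse_qsl(body, keep_blank_values=True)
    names = [name for name, _ in pairs]
    seen = set(names)
    findings = {
        # Fields the server never put in the form: the HTML-injection signal.
        "unexpected": sorted(seen - EXPECTED_FIELDS),
        # The same field sent twice can also indicate a tampered form.
        "duplicated": sorted({n for n in names if names.count(n) > 1}),
        # A missing required field is a malformed request, reported separately.
        "missing": sorted(REQUIRED_FIELDS - seen),
    }
    findings["suspicious"] = bool(findings["unexpected"] or findings["duplicated"])
    return findings


# Constructed sample request bodies (not captured traffic).
SAMPLES = {
    # Normal login: password already encrypted client-side.
    "clean": "username=alice&password=AbCdEf0123%3D%3D",
    # Injected element still present when the form is submitted.
    "injected_field_sent": "username=alice&password=AbCdEf0123%3D%3D&pwd2=hunter2",
    # Injected element removed before submission, as the article describes.
    "injected_field_stripped": "username=alice&password=AbCdEf0123%3D%3D",
}


def run_samples() -> dict:
    return {label: inspect_login_post(body) for label, body in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(f"{label:24} suspicious={result['suspicious']} "
              f"unexpected={result['unexpected']}")
```

The third sample is identical to the clean one on the wire, which is why this kind of check does not catch an injected element that is removed before the form is sent.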
Because this Steam-focused attack relies on infecting individual machines, customers may want to keep their client-side solutions up-to-date. As always, don't open emails from strangers or take their candy: you never know what's inside. Beyond that, don't store credit card information on Steam: simply enter the number each time you make a purchase. That way, hackers aren't making $10K purchases and gifting the codes if they do happen to break into Steam.