Phishing and spear-phishing attacks are always popular among active social engineers in the dark corners of the Internet, but a new breed of malware, known as a "Steam Stealer" is the prime suspect in the pilfering of numerous user accounts from Valve’s flagship platform. According to security researchers at Kaspersky Lab, Steam Stealer is evolving bit-by-bit from a leaked source on a remote Russian forum. Stealers took off once they were proven to be extremely profitable by criminals all around the globe.

"Available for sale in different versions, with distinct features, free upgrades, user manuals, custom advice for their distribution, and more, stealers have turned the threat landscape for the entertainment ecosystem into a devil’s playground," according to Kaspersky Lab researcher Santiago Pontiroli.

The growth of the specific malware targeting gamers should be attributed to the simplicity behind its operation and the ubiquity of its offering. The focus on selling stealers to anyone with money to spend means that a staggering number of script-kiddies and technically-challenged individuals resort to this type of threat as their malware of choice to enter the cybercrime scene.

Everything is offered in asimple package, ready to use and with plenty of documentation for its use. Different functionality is offered as part of each Steam Stealer package, starting from $15 USD, Pontirol said.

The average developer just needs to select their favorite programming language and know just enough about Steam’s client design and protocol. There are many APIs and libraries available that interface with the Steam platform, significantly reducing the effort required.

"It’s not uncommon for the bad guys to repurpose legitimate tools and open source libraries for their nefarious campaigns, although in this case the possibilities are just too tempting to pass on to others," Pontiroli commented.

Steam Stealers have evolved from "simple" malware to flooding all corners of the Internet. In the past, there was no obfuscation whatsoever, and sometimes FTP or SMTP credentials were sent over in plain text. Gradually, improvements were introduced to the stealers as well as to the social-engineering aspect: screenshots got better, duplicate sites improved, delivery methods were more diverse and bots got better in mimicking human behavior.

Currently, stealers use fake Chrome extensions or JavaScript, scamming via gambling websites or fake gambling sites, including fake deposit bots. They are also using AutoIT wrappers to make analysis and detection harder or even RATs (Remote Access Trojans) such as NanoCore or DarkComet.

A starting price of 200 rubles ($3 USD) would get you usage rights for a credential stealer for the Steam platform. Paying 450 rubles ($7 USD), would add source code and a user manual.

Malware-as-a-service is not a revolutionary practice. However, when it comes to these types of malicious campaigns, prices are usually starting in the range of $500 dollars.

According to Steam’s own statistics, almost 77 thousand unsuspecting users have been targetted by malware every month.

Currently there are nearly 1200 samples of different Steam Stealers recorded across the globe. Leading regions for attacks are Russia, the US, Europe (France and Germany), India and Brazil. Kaspersky says it detects Steam Stealer trojan groups including Trojan.Downloader.Msil.Steamilik; Trojan.Msil.Steamilik; Trojan-psw.Msil.Steam and others.

Valve has acknowledged the problem, but even if there has been a progressive improvement in the number of protective measures implemented, Steam Stealers are still rampant and many users will at some point find themselves wondering what went wrong. Among the new security measures there are several that have been adopted network-wide and others which you can configure for your account to prevent this type of incident and enjoy a secure gaming session:

• Two-factor authentication either by email or mobile application.
• Blocking URL’s throughout Steam.
• Nickname censorship (Steam/Valve).
• Captcha on trades (briefly), and then bypassed.
• Limited accounts introduced.
• Steam e-mail confirmations for utilizing the market and trading items.
• Verifying e-mail address.
• $5 USD purchase to combat 'free abuse' accounts (expanded on limited accounts).
• Information about who you are trading with (record).
• Market will become blocked when logging in from new devices, changing your profile password etc.
• Steam mobile trade confirmations.
• Steam account recovery via phone number.
• Restrict chat from users who do not share a friends, game server, or multi-user chat relationship with you.
• More restrictive block referral of spam and scam sites.
• Trade hold duration (15 days).