![]() Most of the common checks that a user does before entering the login credentials to any website may not work in this campaign, such as checking the domain, use of HTTPS, etc. Phishing campaigns are getting more sophisticated day by day, and attackers are using new and lesser-known techniques in these campaigns. If it is open, the script activates a function, debug322(), which executes a “ debugger” statement to stop the execution of the code.įigure 8: The deobfuscated code to detect the browser consoleįigure 9: The execution of the “debugger” statement as the console is openedĪs of now, ThreatLabZ has detected more than 200 domains as part of this campaign, and there are multiple other templates used in this campaign with similar functionalities, as discussed above.įigure 11: Some of the different templates used in this campaign Below is the obfuscated JavaScript used to detect if the console is open.įigure 7: The obfuscated JavaScript to detect a browser consoleĪfter two levels of deobfuscation, we can see the script that detects whether the browser console is open. In this way, it prevents users from looking into the code directly. This phishing campaign also uses some anti-analysis techniques by detecting if the console is open in the browser. If a user falls for this phishing and enters the login credentials, the credentials are sent to the attacker and the user is redirected to the legitimate site (hxxps://bitskinscom). When the victim clicks on the “Sign in through STEAM” button, the above discussed fake browser pop-up gets loaded from the below URL.įigure 6: The fake Steam login page, which is used as a pop-up on the main page Attackers have designed it precisely to make it look legitimate for example, the color of the domain is slightly darker than the URI portion, and the color of the HTTPS part changes on mouseover. But when we try to drag this prompt from the currently used window, it disappears beyond the edge of the window as it is not a legitimate browser pop-up and is created using HTML in the current window.įigure 4: The fake browser pop-up window disappears beyond the edgeįigure 5: The fake browser pop-up window created using HTMLįrom the above screenshot, you can see that the browser header, address bar, and buttons to resize the window all are designed in HTML. In this case, everything looks fine as the domain is steamcommunitycom, which is legitimate and is using HTTPS. Normally, the measures taken by a user to detect a phishing site include checking to see if the URL is legitimate, whether the website is using HTTPS, and whether there is any kind of homograph in the domain, among others. As the user clicks on the “Sign in through STEAM” button, a Steam login window pops up. To perform a custom search or add items to a cart, users are asked to sign in with their Steam credentials. The following screens show the phishing CS:GO site (top) and the actual CS:GO site (bottom). To make the phishing sites appear more legitimate, there is a fake chatbox with randomly selected phrases based on current events. ![]() The phishing site looks much like the real one. Cybercriminals will attempt to hijack a Steam account so they can launch other scams and attacks and steal or trade the victim's items. The all-time peak number of concurrent users for CS:GO was 854,801.ĭue to its popularity, the Steam platform has also become a popular target for attack. ![]() At the time of this publication, the Steam site was showing more than 700,000 users currently playing CS:GO. How popular? According to statistics on the company website, the Steam platform has between 10 and 20 million concurrent users playing on any given day. Steam is highly popular among gamers as it allows for multiplayer capabilities. Steam offers digital rights management (DRM), matchmaking servers, video streaming, and social networking services, and it provides users with installation and automatic updates of games as well as several community features. Steam has also expanded into an online web-based and mobile digital storefront. ![]() Steam is a video game digital distribution service that provides automatic updates for various games. A similar campaign was seen in December 2019 and the campaign is still up with few enhancements, such as using a fake browser pop-up window for login along with some anti-analysis techniques, which are discussed in this blog. These sites use an uncommon phishing technique that is difficult to detect. ![]() Recently, the Zscaler ThreatLabZ team came across multiple fake Counter-Strike: Global Offensive (CS:GO) skin websites aimed at stealing Steam credentials. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |