Steam gamers targeted by cleartext-grabbing trojan

Steam gamers are targeted by a trojan that steals their login credentials and defeats the service's password encryption mechanism by using HTML injection.

Attackers stripping users' login data with a variant of the trojan Ramnit since mid-July according to Trusteer fraud prevention solutions manager Etay Maor.

Steam has some 54 million members and was victim of a massive breach in November 2011 when hackers accessed the personal data of up to 35 million customers contained in a database.

This time individual users were targeted.

Once users are infected by Ramnit, attackers wait for victims to login to their Steam account, at which point miscreants use HMTL injection to capture normally encrypted passwords in cleartext.

To ensure that Steam's operators are none the wiser to the attacks, the malware also removes the injected code before the information is sent to Steam's website.

Maor described the man-in-the-browser style attack on Trusteer's blog.

“To avoid detection, Ramnit simply makes sure the server never sees the injection,” he wrote. “To do so, prior to the [username and password] form being sent to the website, Ramnit removes the injected element. This can be observed in the first part of the code.”

Maor said some researchers have begun to move away from strictly categorising malware like Ramnit as “banking trojans” because variants are increasingly being repurposed to go after users at other sites.

“They are targeting everything– gaming services, dating sites– if there's a username and password associated with it, they are going to target it at some point,” Maor said.

Services such as Steam are particularly attractive for crooks, Maor added. Gaming software is usually more vulnerable to attack, considering users tend to disengage their firewalls, security solutions or any other programs that could slow down their systems while they are gaming, he explained.

“If you get access to a Steam account, you can [carry out] identity theft of the gamer, like buy games and send them as personal gifts to other people," Maor said. "It's pretty similar to getting bank account access – their [profile] is now open and you can change their email or other account information. The last option, of course, is to just sell the credentials on an underground forum."

It's unclear how many people have fallen victim to the latest wave of attacks.

SC reached out to Valve, Steam's developer and owner, but did not immediately hear back from the company. Per policy, Maor said Trusteer reached out to the Valve prior to disclosing information about the attacks.

This article originally appeared at scmagazineus.com