Incident Response, Malware, TDR

Attackers zero in on Steam gamers with help of Ramnit trojan

Users of the popular video game distribution service Steam are being targeted by a trojan that steals their login credentials and defeats the service's password encryption mechanism by using HTML injection.

According to security firm Trusteer, which specializes in fraud prevention services, attackers have been on a campaign to obtain Steam users' login data since mid-July.

Etay Maor, fraud prevention solutions manager at Trusteer, detailed the attackers' exploits in a Monday blog post, revealing that a variant of the trojan Ramnit was being used to compromise gamers.

A major software service that provides users access to more than 2,000 games, Steam has around 54 million members and is owned by Bellevue, Wash.-based software company Valve.  

Steam was the victim of a massive breach back in November 2011, in which hackers accessed the personal data of up to 35 million users contained in a database.

This time, however, the vandals targeted individual users, Etay said.

Once users are infected by Ramnit, attackers wait for victims to login to their Steam account, at which point miscreants use HMTL injection to capture passwords, which are normally encrypted by the site, in plain text. To ensure that Steam's operators are none the wiser to the attacks, the malware also removes the injected code before the information is sent to Steam's website.

Maor described the man-in-the-browser (MitB) style attack on Trusteer's blog.

“To avoid detection, Ramnit simply makes sure the server never sees the injection,” he wrote. “To do so, prior to the [username and password] form being sent to the website, Ramnit removes the injected element. This can be observed in the first part of the code.”

In a Wednesday interview, Maor told SCMagazine.com that some researchers have begun to move away from strictly categorizing malware like Ramnit as “banking trojans” because variants are increasingly being repurposed to go after users at other sites.

“They are targeting everything– gaming services, dating sites– if there's a username and password associated with it, they are going to target it at some point,” Maor said.

Services such as Steam are particularly attractive for crooks, Maor added. Gaming software is usually more vulnerable to attack, considering users tend to disengage their firewalls, security solutions or any other programs that could slow down their systems while they are gaming, he explained.

“If you get access to a Steam account, you can [carry out] identity theft of the gamer, like buy games and send them as personal gifts to other people," Maor said. "It's pretty similar to getting bank account access – their [profile] is now open and you can change their email or other account information. The last option, of course, is to just sell the credentials on an underground forum."

It's unclear how many people have fallen victim to the latest wave of attacks.

SCMagazine.com reached out to Valve, Steam's developer and owner, but did not immediately hear back from the company. Per policy, Maor said Trusteer reached out to the Valve prior to disclosing information about the attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.