WARNING -- Phishing/Hacking Attempts

[Yamagata 1st MRB]

Hello All,

It looks like SSgt. Marchese's steam account has been compromised. If you receive a message "WTF Dude?" with a link to a "screen-pictures" site, DO NOT FOLLOW IT. You will download a virus, if not some sort of keylogger or malicious software. Steam community says it steals all your trade-able DLC and resends the virus to your friends list.

I can PM the URL if anyone feels like getting hacked and/or wants to debug it!

If you did download or follow the link, run a virus scan and change your steam password ASAP!

Being in IT has taught me to be wary of unknown links from others, and to NEVER download unknown files. When I saw the link, I immediately googled the site for legitimacy and the list of warnings and infection reports on the Steam Community threw up the red flag. Please be cautious and browse safely! If anyone has issues, please post a request for help and our MSO team will help you out!

Thanks,

Lt. Col. Yamagata

Edited December 29, 2014 by Candy 1st MRB

[Marchese 1st MRB]

Hello all. I knows it's been a while but I am quite aware of the situation and will confirm. Apparently someone from my friends list had this virus and like a dope I fell for it and I am sorry for any problems this might of caused. I have changed my password to my steam account and am running antivirus I would advise you do the same. I did run antivirus on the file before opening it and it revealed no malware so that why I launched the fake jpeg. Ya think I would know better being in IT but guess I had a brain fart.

Edited November 15, 2014 by Marchese 1st MRB

[Ultranator BAR]

If you get a message from someone on steam that says:

WTF Dude?

definitely do not click on that.

It would be a virus. It almost got me until the img asked me for permission to run it....

Edited November 15, 2014 by Cannon 1st MRB
Removed the link - Cannon

[Ultranator BAR]

So, if I didn't actually run the file, but just dl'd it am I ok?

[Griswold]

SSgt. Grant seems to have been affected by this as well. If ANYONE sends you this message DO NOT CLICK ON IT!!!!!

Also post who you get these messages from, that way we can contact them on the forum about there compromised account.

Edited November 15, 2014 by Griswold 1st MRB

[Candy 1st MRB]

I actually downloaded this but I did not run it. I am running virus scan at the moment and Ill change my steam password.

[Quarterman 1st MRB]

What if you clicked the link with your phone, but it didn't open the website because its not a real website or download anything.

[Griswold]

What if you clicked the link with your phone, but it didn't open the website because its not a real website or download anything.

I would say you would be good, probably built for a different operating system. But just make you pay attention to when/if you plug your phone into your computer next time. Make sure nothing fishy starts happening.

[Barry 1st MRB]

REMEMBER GUYS ALSO LET THE PERSON WHO IS UNDER THE VIRUS KNOW THAT THEY ARE EFFECTED

BECAUSE THEY MIGHT NOT KNOW THAT THEY ARE

AND WILL CONTINUE TO GO ABOUT THEIR BUSINESS

WITHOUT SCANNING FOR VIRUSES OR FIXING THEIR PASSWORDS

[A. Cannon 1st MRB]

Probably a good time to get a new anti virus

[Marchese 1st MRB]

Probably a good time to get a new anti virus

I have Avast and it has been pretty reliable up to now. Don't know why it did not detect any threats for the file.

[Candy 1st MRB]

The MSO staff would like to thank everyone who has helped out so far. If we can do anything to help please ask. I will keep this topic open indefinitely until we know the problem has passed.

[Yamagata 1st MRB]

Anti-viruses work off of databases of "known" malware, that's why you need to update your protection so often, there are set definitions of viruses. In addition, it's using steam and your browser as a means to infect your computer, these are already "green-lit" by all your anti-virus programs. If it's new, it's not going to flag it as a known threat, this is where you, the user, needs to be diligent and check the source. Before I even clicked the link, I googled screen-picture or whatever the site hosting this "wtf dude" image. That's where I hit the "unknown site certificate" and pre-existing steam community posts results.

Google is your friend!

[Yamagata 1st MRB]

Smart people have already debugged the virus! In case anyone was curious:

The method form the code is thus..

Hook into steam,

steal cookies,

get auth token,

get friends list,

send all items etc as per line + (753:gift;570:rare,legendary,immortal,mythical,arcana,normal,unusual,ancient,too

l,key;440:unusual,hat,tool,key;730:tool,knife,pistol,smg,shotgun,rifle,sniper rifle,machinegun,sticker,key) ,

send message to all friends = ("WTF Dude? http://♥♥♥♥♥♥♥♥♥♥♥♥♥♥♥.com/DELETEDFORSAFTEY/")

Nothing thing else is mentioned in the code... Wanted to check to make sure it never got my password for steam..

Note* it uses the steamapi to send authenticated requests with the stolen cookies, for the trade transactions*

Well it steals the cookie which means the attacker can change the password on you in theory.

It's prudent to deauthorize your SteamGuard computers and change your password as a precaution.

[Woz 1st MRB]

Smart people have already debugged the virus! In case anyone was curious:

The method form the code is thus..

Hook into steam,

steal cookies,

get auth token,

get friends list,

send all items etc as per line + (753:gift;570:rare,legendary,immortal,mythical,arcana,normal,unusual,ancient,too

l,key;440:unusual,hat,tool,key;730:tool,knife,pistol,smg,shotgun,rifle,sniper rifle,machinegun,sticker,key) ,

send message to all friends = ("WTF Dude? http://♥♥♥♥♥♥♥♥♥♥♥♥♥♥♥.com/DELETEDFORSAFTEY/")

Nothing thing else is mentioned in the code... Wanted to check to make sure it never got my password for steam..

Note* it uses the steamapi to send authenticated requests with the stolen cookies, for the trade transactions*

Well it steals the cookie which means the attacker can change the password on you in theory.

It's prudent to deauthorize your SteamGuard computers and change your password as a precaution.

I was going to ask if someone could pm me the file url (or dropbox the file to me if the site has already been taken down) so that I could run it through IDA, but it looks like someone on the steam forums has already decompiled and analyzed it. I would still be interested in looking at it anyways, so if someone could hook me up with the file, that would be awesome.

[Candy 1st MRB]

Are there any recent cases of this problem? Post if you have recently seen anything on this topic. I will give it a few days then close the topic.

[Sanborne 1st MRB]

Today i recieved a PM from a friend of mine, While i neglected to take a screenshot it read as "Hey, I want to trade with you! Check My trade inventory @ *Link Removed*" then he logged out" I wont post the link, But research done on it says its not a trusted site and is most likely a scam / Phisher link.

[Griswold]

Tifrobond has seemed to have come down with this virus, if anyone has him on there friends list check your recent messages with him. If you opened any link from him, SCAN YOUR COMPUTER NOW!!!!

[T. Brown 1st MRB]

Yea couple people on my friends list got it again today. Make sure you tell them that they need to change their pw and let people know what happened!

[Marsden 1st MRB]

Why do people suck so bad?

[Griswold]

Why do people suck so bad?

Real question should be why did it take so long for someone to look for a way to do this to someone? Steam for a long time had been a really good platform, why steal someones digital shit?

Steam is just like any other digital platform, why did it take so long for viruses that specifically target Steam to come out?

[J. Hill]

probably took that long for a hacker to get pissed off at someone in DoD to make the virus for revenge.

[Arsenault 1st MRB]

Why do people suck so bad?

Real question should be why did it take so long for someone to look for a way to do this to someone? Steam for a long time had been a really good platform, why steal someones digital shit?

Steam is just like any other digital platform, why did it take so long for viruses that specifically target Steam to come out?

Hats.

[Candy 1st MRB]

This issue seems to have died sown for now. I am going to pin this topic in case further outbreaks occur.

Edited December 29, 2014 by Candy 1st MRB