A Steam scam is underway that begins with a user receiving a Steam message from a friend telling them about a site that they can use to get a free game.
Little does the recipient know that the account sending the message has been hacked and pulled into an elaborate scam campaign targeting Steam users.
When a user clicks the link they will be redirected through a gateway that then takes them to another working "free game" site. This site says a user can click the "Roll" link to get a random free game.
When a game is selected, the site will prompt them to log in to Steam to claim the game.
Clicking the login button will generate a fake Steam SSO login page. While it looks identical to Steam's normal SSO login pages, this is a fake page hosted on the game site.
If you enter your credentials, the server will try to log you in behind the scenes. If 2FA is enabled or Steam Guard pops up, which it will as Steam will see it as a login from a new computer, the site will prompt you to enter the code you receive.
This looks like a normal SSO sign-in process, but once the Steam Guard code is entered, the server will once again, behind the scenes, log in to the account and change the email address, password, and phone number.
They have now stolen the victim's account.
This takeover is being done from an IP address in Russia.🙀🙀🙀
Now that the account has been stolen, it has been added as another bot in this scam's campaign and will be used to further spread the site through Steam messages.
Rinse and repeat.
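The weak point in the flow above is that the "SSO" page and the Steam Guard prompt are served by the game site, not by Steam. As an added example (not from the original thread), here is an origin check a browser extension or proxy could apply before a Steam credential or Steam Guard form is submitted; the Steam domain list and the sample URLs are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, urljoin

# Base domains Steam itself uses for sign-in (assumption for this example;
# check against Steam's own documentation before relying on it).
STEAM_DOMAINS = {"steamcommunity.com", "steampowered.com"}


def host_matches(host: str, domain: str) -> bool:
    """True if host is exactly domain or a subdomain of it (not a look-alike)."""
    return host == domain or host.endswith("." + domain)


def is_steam_login_origin(url: str) -> bool:
    """Return True only when the URL's origin belongs to Steam.

    A pixel-perfect copy of the login page hosted on the 'free game' site
    fails this check no matter how it looks: the scheme must be https, the
    host must be a Steam domain, and userinfo tricks such as
    https://steamcommunity.com@evil.example/ are rejected.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host_matches(host, d) for d in STEAM_DOMAINS)


def login_prompt_verdict(page_url: str, form_action: str) -> str:
    """Classify a credential or Steam Guard prompt by where the page lives
    and where its form actually posts (relative actions resolve against the page)."""
    target = urljoin(page_url, form_action)
    page_ok = is_steam_login_origin(page_url)
    target_ok = is_steam_login_origin(target)
    if page_ok and target_ok:
        return "steam"
    if page_ok:
        return "suspicious"   # Steam page whose form posts credentials off-site
    return "phishing"         # prompt is not on a Steam origin at all
```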
@serghei While CrowdStrike suspects a North Korean state-backed hacking group it tracks as Labyrinth Collima is behind this attack, Sophos researchers said they "cannot verify this attribution with high confidence."
@serghei One of the trojanized 3CX PBX client samples pushed to 3CX customers' Windows desktops was digitally signed over three weeks ago, on March 3, 2023, with a legitimate 3CX Ltd certificate issued by DigiCert.
A new version of ESXiArgs ransomware attacks was seen today, with changes to the encryption process that are preventing existing VMware ESXi recovery methods from working.
Previously the ransomware would encrypt large files by alternating between 1 MB of encrypted data and a gap of unencrypted data measured in megabytes.
This gap, called the size_step, was computed using this formula:
The Play ransomware operation is using a new PoC exploit for a relatively new exploit chain patched in November.
This new exploit chain appears to be using the CVE-2022-41082 (also used by ProxyNotShell) and CVE-2022-41080 vulnerabilities. msrc.microsoft.com/update-guide/e…
Researchers from @CrowdStrike discovered the exploit chain was used to breach Microsoft Exchange servers through Outlook Web Access (OWA) when investigating recent Play Ransomware attacks.
These attacks were bypassing existing mitigations put in place for ProxyNotShell.
Last week, the threat actors sent BleepingComputer a directory listing of allegedly stolen files.
This listing consists of mostly NDAs, business agreements, data dumps, and schematics.
A redacted NDA was also shared as a "hint," or proof-of-breach, of who they attacked.
Today, the Yanluowang ransomware gang posted the same directory listing of approximately 2.75 GB of data, consisting of 3,700 files, that they claim were stolen from Cisco.