Cybercriminals are reportedly attempting to trick users of the Steam video game digital distribution service into visiting a phishing site that pretends to give away new game skins, but actually steals login credentials.
Researcher "nullcookies" first reported the fraudulent giveaway promotion in a Twitter post late last month. BleepingComputer followed up on the post and determined that the actor or actors are attempting to lure in victims via comments made to Steam profiles. These comments falsely state that the recipient has won a weekly giveaway and can claim his or her prize on giveavvay.com, a malicious website.
The malicious site further perpetuates the scam by showing what appears to be a $30,000 giveaway promotion featuring 26 days' worth of free skins for the multiplayer first-person shooter game "Counter-Strike: Global Offensive." Site visitors are instructed to click on a sign-in button, which opens up a fake Steam login form where the victims can enter their information for the attackers to steal, BleepingComputer reports.
The site reportedly even creates a legitimate "Steam Guard" security request (for logins from unrecognized devices) and prompts users to complete the process so the attackers also obtain the special access code. And to feign authenticity, the site also displays a phony chat screen on the left side of the page. These fabricated chat messages are composed of randomly selected phrases that are inserted via JavaScript code.
Fortunately, because the malicious site is hosted behind Cloudflare, users who visit the page should receive a warning of suspected phishing activity, BleepingComputer notes.
In late October, Kaspersky reported observing increasingly frequent and sophisticated scams targeting Steam users since last June.