The guys and girls over at Malwarebytes have uncovered a new method of Steam account phishing which gets around Valve’s own Steam Guard service. Valve’s Steam Guard service is a serviced designed by Valve to make sure that people’s account credentials aren’t being stolen by other people and using them on their own computers. This both acts to protect users’ accounts and acts as a sort of level of DRM to protect the content from people unauthorized to use it. From my expereince, Valve’s Steam Guard has worked quite well and always sends me an email whenever I log in from a new machine or one that isn’t recognized by Steam’s service. Steam Guard essentially sends you an email with an authorization code after a pop-up comes up within Steam itself asking for that code that was sent to your email.
These phishers are using this system, that most Steam users are familiar with in order to create fake Steam sites that look very much like what you would see if you used Steam and got a Steam Guard notification. They do this by sending you a message over Steam or via an email and get you to go to their phishing site. Once there, you will be prompted to provide them with your SSFN file, which is a bit unlike most phishing schemes where they ask for your username and password. But, since Steam Guard exists, this information simply isn’t enough and they need your SSFN file. What is the SSFN file? Well, it’s the file that enables Steam Guard to authenticate your account and ensure that your computer is an authorized one. If you delete your SSFN file, you will be forced to re-authenticate your computer via Steam Guard and get the email code and everything all over again.
The phishers have successfully found a way to steal users’ SSFN files by simply asking them to upload it to their site and at that same time use the SSFN file on their systems in order to gain full access to the users’ account. Why is this important? Well, many users, myself included, have hundreds of dollars worth of games on their account and those accounts could be sold to other people for a lot of money if properly stolen. So, naturally, there are a lot of people searching for new methods of phishing and getting around Steam’s own protections to prevent such bad things happening to their users. Hopefully Valve is aware of the issue now and makes it impossible to phish someone for their account SSFN file to steal their account and either use it for themselves or to sell it off to the highest bidder.