Monday, November 02, 2009

Don't Get Caught In This Steam Phishing Scam - How Phishers Work

So I just got this mail in my inbox:

Needless to say, I was pretty surprised, I didn't know Steam accounts could expire. Sure enough the e-mail looks legit, it's mailed from, didn't get caught by GMail's spam filter, and the corporate footer looks clean enough. If you have an eye for detail you might notice that there is a space missing here: "click here,login".

Let's check where this link leads to:;state='&gt;<script%20src%3dhttp://></script%20src%3dhttp://>

"" certainly looks okay, but now it becomes clear that the state variable has been tampered with. It certainly points to an external script, and putting it in the "phising" folder really doesn't look good... let's open the link. Here's how it looks in Chrome:

And sure enough, the page looks messed up. Let's look at the generated html source:

The phishers have now a fully working script tag injected in the source. Let's see what's in there:

Basically, the phisher is replacing the document body with an iframe which points to an evil url. Let's take a look at that url:

Sure enough, it's a fake Steam login page.

Now you might have noticed that the phisher's attack method wasn't working in my Chrome. Using Firefox, on the same machine, opening the URL from the mail immediately gives:

So, what have we learned?

  • Always check mails for spelling mistakes.
  • Always check mail and browser URLs for suspicious content.
  • If available: trust your spam/phishing filter.
  • If you're asked to re-enable your account and you get redirected to a general login page (like the fake on we saw), you can always open a new tab and go to (or other website) by typing it yourself and login that way.
Which actions should be taken?
  • Chrome, Firefox and others should detect this evil site as a phishing site (they detect most of them already, but new ones take a while before they get picked up).
  • GMail's spam filter failed here, I reported the e-mail as a phishing scam.
  • Steam has an XSS exploit in their site which they should fix as soon as possible. Never say that "XSS exploits aren't that dangerous"!