Tonight I received some messages from fellow members and friends from other walks of life about my steam account.
Apparently I had been sending messages asking them to click on a link and vote for an e-sports team.
At first I was confused about this. I utilize Steam Guard and 2FA and have for years. However, several people had reached out, and with screenshots, so this was not a case of mistaken identity.
Let's dig in.
First, thanks if you are one of the TPUers that reached out. You were among the first, and there are a few of you.
Let's take a look at account security first.
Steam uses a few layers for a few different things. In the case of account security, we have Steam Guard.
Steam Support Knowledge Base article: "Account Security Recommendations" (support.steampowered.com)
Steam Guard is a 2FA-based system that sends a code when a machine it is not familiar with requests account access. It is important to understand how systems like this work.
Generally:
A PC is given a unique ID, like an authentication token. This is issued after a successful login with the addition of a 2FA key. Once the token is generated, that login instance is "trusted" and the login is perpetual until:
- The token is invalidated
- The session is manually logged out (the token is force expired)
- The token naturally expires
The token is likely generated based off of multiple truths, such as a machine or system ID, an installation ID, geography, etc. When one of these changes enough, the token is invalidated and account re-authentication is required.
Steam Guard, however, is an additional barrier to entry you can put in place. After all, emails can be hacked. So Steam Guard allows you to utilize the Steam app as the primary 2FA key generator if you have it installed on your phone. Thankfully, that's exactly what I do.
So let's take a peek at how I think I got got today.
We sit back and realize that all of the communication I am getting is outside of official Steam channels. This is important, so let's take a look at Steam.
I have two primary modes of login with Steam: my desktop and my phone. Since I was on and have access to both, it was odd to me that I did not notice any odd behavior.
A quick screenshot shows me that it is in fact me.
Odd: I received no 2FA request or email about account access. It's also odd that I received no response from these people on my desktop or my phone when they responded back.
Let's take a look.
This makes more sense; it's clever. After outreach, it appears the accounts are then blocked. This prevents me from receiving the notifications on my desktop or phone.
Steam does not allow users to investigate connected accounts or devices on their accounts; however, while I do not have a screenshot of this, I did notice machines I did not recognize in my Family Sharing library. All were promptly removed.
Steam, however, DOES allow us to deauthorize all connected devices. We will do this before the password change.
After the deauthorization everything was booted. At this point we reset the password. Of course, we will make sure that all of the information, such as email, is correct first.
Understandably it is. This is important to know.
After the reset and reconnecting 2FA, I log back in and do the responsible thing and message everyone that appeared affected, save for the people I was already in contact with on the outside.
By blocking the users, it gives me a list to work with in reverse. This is actually nice of them, because Steam does not have a recent chat history in regards to "recently sent messages". So if the users were not blocked, I would not have known who was affected.
Of course, if they had not done this, then I would have received the messages and this would have been over sooner.
So what about purchase history and account info?
Nothing. None of my account settings were modified either. This brings us back to what I mentioned about 2FA alerts. If you wanted to make a purchase, I would get emailed. You wouldn't want that, so you would need to change the email; you would also need to do this if you didn't want me to regain access to my account. However, 2FA prevents this because you must always authenticate to change this information.
This leads me to the point of compromise: multiple services on the net utilize Steam as a tie-in service, even popular browser extensions. While things like browser extensions are obviously something I avoid, this breach, given the information we know, points to a breach of an extension service. This is further backed up by the fact that it would need to have a current persistent connection or risk tripping 2FA. I am guilty of having things linked to Steam: Uplay for one, Origin as well I believe, etc. Others may have other things, such as Discord.
What is the point of the link though? Let's take a look at what it was that I was trying to spread.
Our link is hxxps://intelextremeseason[.]com/?r=Team-TryHard
The site has a fancy video of some e-sports tournament playing, and some official Intel stuff.
Let's take a further look.
Our cert is valid and pretty new, about two days old, provided by a reputable company.
The "Got it" link takes us to a redirect; however, that is not the origin site.
When we click on this, we are brought to hxxps://authextremeseasons[.]com
It is here that we see why the message is being sent. In this case it is a credential farming attempt.
We are given a fake Steam login page complete with a fake SSL picture.
The URL is actually inserted manually.
Let's take a look at our domains.
It appears both were registered yesterday at Namecheap.
Code:
WHOIS LOOKUP
intelextremeseason.com is already registered*
Domain Name: INTELEXTREMESEASON.COM
Registry Domain ID: 2579601826_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2020-12-18T22:56:10Z
Creation Date: 2020-12-18T22:50:44Z
Registry Expiry Date: 2021-12-18T22:50:44Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: HOPE.NS.CLOUDFLARE.COM
Name Server: NEWT.NS.CLOUDFLARE.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2020-12-20T02:51:33Z <<<
Code:
authextremeseasons.com is already registered*
Domain Name: AUTHEXTREMESEASONS.COM
Registry Domain ID: 2579416616_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2020-12-18T11:29:03Z
Creation Date: 2020-12-18T11:25:58Z
Registry Expiry Date: 2021-12-18T11:25:58Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: DAMIAN.NS.CLOUDFLARE.COM
Name Server: SREENI.NS.CLOUDFLARE.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2020-12-20T03:33:00Z <<<
A bit of realism is sprinkled in, however.
The intel.gg link on the primary site and some of the Steam links forward to their actual REAL addresses. They also belong to the REAL companies.
Both sites are behind Cloudflare and WHOIS protection.
My job isn't over yet. I'm now going to go unlink my Steam account from a bunch of stuff and rotate credentials on whatever it's connected to. In my case THAT is where the root breach took place.
For the rest of you, if you get something like this from anyone, practice good hygiene and don't click. Stay safe out there.
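As an added example (my code, not the poster's), here is a small Python script that parses the two WHOIS records quoted above and applies the same two tells the author read off by eye: how old the domain was at the time of the lookup, and whether its name servers sit at Cloudflare. The records are the ones quoted in the post, trimmed to the fields used; the 30-day "newly registered" threshold is an assumption.

```python
import re
from datetime import datetime, timezone

# WHOIS output copied from the two lookups quoted above, trimmed to the fields used here.
WHOIS_INTEL = """\
Domain Name: INTELEXTREMESEASON.COM
Creation Date: 2020-12-18T22:50:44Z
Registrar: NameCheap, Inc.
Name Server: HOPE.NS.CLOUDFLARE.COM
Name Server: NEWT.NS.CLOUDFLARE.COM
>>> Last update of whois database: 2020-12-20T02:51:33Z <<<
"""
WHOIS_AUTH = """\
Domain Name: AUTHEXTREMESEASONS.COM
Creation Date: 2020-12-18T11:25:58Z
Registrar: NameCheap, Inc.
Name Server: DAMIAN.NS.CLOUDFLARE.COM
Name Server: SREENI.NS.CLOUDFLARE.COM
>>> Last update of whois database: 2020-12-20T03:33:00Z <<<
"""

def _ts(value):
    # Registry timestamps are UTC ISO 8601 with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_whois(text):
    """Extract the fields the post's reasoning relies on from raw 'Key: Value' WHOIS text."""
    def field(key):
        return re.search(rf"^{key}:\s*(.+?)\s*$", text, re.M).group(1)
    return {
        "domain": field("Domain Name").lower(),
        "created": _ts(field("Creation Date")),
        "registrar": field("Registrar"),
        "name_servers": [ns.lower() for ns in re.findall(r"^Name Server:\s*(\S+)", text, re.M)],
        "db_updated": _ts(re.search(r"Last update of whois database:\s*(\S+)", text).group(1)),
    }

def assess(rec, max_age_days=30, as_of=None):
    """Apply the post's two tells: registered days ago, and DNS hosted at Cloudflare."""
    as_of = as_of or rec["db_updated"]  # default to the lookup time so results are reproducible
    age_days = (as_of - rec["created"]).days
    return {
        "domain": rec["domain"],
        "registrar": rec["registrar"],
        "age_days": age_days,
        "newly_registered": age_days <= max_age_days,  # 30-day threshold is an assumption
        "behind_cloudflare": all(ns.endswith(".ns.cloudflare.com") for ns in rec["name_servers"]),
    }
```

Both records come out as one day old at lookup time with all name servers at Cloudflare, which is exactly the picture the post describes; the same parser works on any registrar's "Key: Value" WHOIS output for a link you receive out of the blue.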
https://www.reddit.com/r/SteamScams/comments/gmtqcw