Steam Users Looking for Item Trading Shortcut Find Malware Instead

Scammers always find a way.
Dota 2. Image: Valve.

No good deed goes unpunished. Earlier this week, Valve took measures to protect Steam users from being hacked, but scammers are already using these new protections to lure gullible players into new traps.

When people talk about PC gaming today, they're talking about Steam. With over 125 million registered users, Steam is by far the biggest gaming community and storefront in the PC gaming world. eSports games like Dota 2 and Counter-Strike: Global Offensive are played exclusively through Steam for prizes worth millions of dollars.

With so much money and so many people flowing through Steam, it's a natural place for scammers to take advantage of people. Valve estimates that 77,000 accounts get hacked every month, with victims including "professional CS:GO players, reddit contributors, item traders, etc."

To deal with the problem, Valve introduced a new trading escrow system to protect users from hackers who empty their accounts of valuable items, but Malwarebytes has found that scammers are already spoofing that system, and are tricking users into downloading malware.

Some Steam games allow players to buy, sell, and trade in-game items, which can be sold on the Steam marketplace for real-world money. Some rare items, like colorful paint jobs for guns in Counter-Strike: Global Offensive, can sell for thousands of dollars. If someone owns these items in their Steam account and a hacker gets control of it, they can move those items to their own accounts and sell them later.

The Steam trade holding system directly targets hackers' ability to offload items from hijacked accounts. If an account doesn't have secondary security authentication turned on and isn't sending items to a long-term (presumably real-life) friend, those items are going to sit with Valve long enough for someone to report their account has been compromised. This change has frustrated users, 28,000 of whom signed a petition to end it.

This security measure comes at the expense of usability. Gamers who can't access a smartphone with Steam's second factor authentication app, for example, will have to sit through the waiting period when they try to send an item to a friend. It just takes a little patience, but it's still a nuisance that the hackers themselves are happy to exploit.

Trade holds went into effect on December 9, and that same day, Malwarebytes discovered an illegitimate website spoofing the Steam trading interface. The spoof is based on CSGO Shuffle, a popular site for trading weapon skins outside of Steam. The spoofed site looks and functions exactly like the Steam trading window, and warns users that they will be subject to an escrow hold of their items. When users agree, a program called "Escrow.exe" downloads to their computer. Malware analysis by Payload Security says that this program is a well-known malware called Backdoor.NanoCore.

The spoofed Steam trading website's URL was registered on December 3, just days after Valve announced Steam's trade holds. With these fast-moving, smart schemes coming from the malware community, the safest way to trade items is inside the Steam application itself.