Trojan-filled Chrome extensions for Steam boil off gamers' assets

Don’t get scalded by this scam, you canny folk


Miscreants are slinging fraudulent Chrome extension trojans at gamers that, if installed, will empty victims’ Steam inventory.

Security researcher Bart Blaze warned that supposedly "helpful" Chrome extensions for Counter-Strike: Global Offensive (CS:GO) are actually scamware.

“Instead of being able to change your CS:GO Double theme, your items from your inventory are getting stolen; instead of trading with X or Y person you trust, the items go to the scammer rather than whoever you're trading with,” Blaze warned in a blog post on Tuesday.

The rogue extensions pose as “CS:GO Double Withdraw Helper” and “Csgodouble AutoGambling Bot”, among other browser add-on themes. Three of the four rogue extensions were still in the Chrome Web Store on Wednesday morning despite several reports.

El Reg alerted Google through its PR team about this apparent malfeasance. The Steam user named Delta seemingly behind the alleged scam was already banned (again, for at least the second time) even before we fired off an email.

Nonetheless, copycat or follow-up scams are a real possibility, so caution is advised. Those hit can clean up simply by removing the dodgy extension(s) from Chrome, a much easier process than would be the case if trojan software had been installed on a compromised system.

“SteamStealers are (unfortunately) nothing new. Criminals are getting craftier and better in attempting to steal items or account credentials (along with other credentials) from unsuspecting users,” Blaze concluded.

“As opposed to actual malware or SteamStealers being loaded on your machine, this time it's a browser extension, thus be wary of anything that looks too good to be true and think twice before you install anything, whether that be an extension, a 'screensaver' or images that look like you,” he warned.

Other gaming security experts said the latest scam represented an evolution in tactics by fraudsters while playing down the likely significance of the incident.

“It's certainly novel, but I'm not sure how many people would be affected – the gambling/lottery scene can be a bit niche and they have entire groups of websites dedicated to nothing but pages of scam reports/community reputation alerts,” Chris Boyd, a senior malware intelligence analyst at Malwarebytes, told El Reg.

Blaze, a malware researcher at security firm Panda Security, disagreed with this assessment and said that gambling and gaming on Steam are a potentially powerful lure for crooks to exploit.

“There's a LOT of betting going on for Steam items and in particular for CS:GO – in fact, there's quite a lot of money involved,” Blaze told El Reg. “A user may be tempted to install any of these extensions for the following reasons: they'd like to change their theme on the CS:GO double site, or they'd like to use a bot to bet rather than place all the bets themselves.”

The appeal is that an extension could do all the work of gambling for a user automatically, freeing their time up to either sip coffee or play games as they please.

“It’s hard to say indeed how many users are affected, especially since the extensions were also re-uploaded at some point by the malware creator,” Blaze admits.

Interest in the scam is, however, evidenced by the creation of two Reddit threads discussing the topic.

Steam, the gaming platform developed by Valve Corporation, has an FAQ offering top tips on staying away from spyware or adware while gaming online. ®
