Fraudsters are hunting gamers before the Halloween sale

Kaspersky researchers have reported that certain phishing websites attempt to steal account credentials from users of popular gaming platforms. In particular, they found websites that imitate an authorisation page on the Steam website to obtain a user’s login name and password. The fraudsters used a carefully crafted copy of the legitimate website’s interface ahead of the platform’s traditional Halloween sale. Once a user attempts to perform any action on a fraudulent site, they are shown a browser window in which to enter their username and password. The domain name in the address bar seems legitimate, so this would not raise concerns. The criminals also attempt to request the confirmation code that the user receives via email or through the legitimate app.

“Steam is definitely not the only gaming platform being targeted by cybercriminals. In 2019 we saw 229,983 attacks on EA’s Origin and, but there has also been a rise in criminals’ interest in Steam particularly. In H1 2019, Kaspersky saw around 58,000 attacks from websites disguised as the Steam platform, and this number more than doubled in H2, reaching 131,000 – and the year is not even over yet. Demand is only set to increase in the final quarter of the year. Fraudsters love to exploit sales on all kinds of gaming platforms, as any that have strict time limits make gamers less attentive to details and therefore more willing to fall for a ruse. We hope gamers benefit from the sales deals as much as possible during the upcoming holiday period. Just be careful when clicking on banner ads and third-party links, especially during the period of ‘special offers’ as such phishing is on such a steep rise.” – said Mikhail Sytnik, a security researcher at Kaspersky.

To avoid falling for phishing tricks:

  • Only use official gaming apps, websites and platforms, such as Steam’s official website store.
  • If you are not sure if a website is genuine and secure, never enter your credentials or personal information. If you think that you may have entered your login and password on a fake page, immediately change your password and call your bank or other payment providers if you think your card details may have been compromised.
  • Use a security solution with behaviour-based anti-phishing technologies, such as Kaspersky Security Cloud or Kaspersky Total Security, which will warn you if you are trying to visit a phishing web page.
  • Never use the same password for several websites or services, because if one is stolen, all your accounts are vulnerable. To create strong hack-proof passwords without having to face the struggle of remembering them, use password managers, such as Kaspersky Password Manager.