The Malwarebytes security blog has highlighted a new method that scammers are using to 'phish' Steam users' accounts. We've all had phishing emails which pretend to be from banks, government departments and e-commerce sites, but it looks like scammers are also interested in your Valve Steam account and have a new method to relieve you of its ownership.
Valve has in place a protection mechanism for stopping strangers using your account, but this new phishing method bypasses its so-called 'Steam Guard'. You will see Steam Guard employed when you log into a PC you haven't used before with your Steam account. If you haven't seen it before, all it does is pop up a window to input a verification code which it has sent to your registered email address. No code – no logging in to Steam from your new computer, in theory.
However, as Malwarebytes discuss, some enterprising scammers have found a way to get around that protection. From the phishing site you have been directed to, the scammers pop up a window which looks very similar to the official Valve Steam Guard window. The significant difference is that this window has a file upload field where it asks you to navigate to your Steam folder to upload your 'SSFN' file – "As an added account security measure".
Well, it turns out that any user can skip Valve's Steam Guard protection on a new, or any, computer just by copying the SSFN file. The file is in your Steam home directory, usually C:\Program Files\Steam, and is named 'ssfnX' – where X is a 19-digit number. The Malwarebytes blog indicates that users have been seeing this particular phishing technique dangled in front of them for the past month or so.
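Since the fake Steam Guard window relies on a browser file upload, a defender with visibility into outbound form posts can flag any upload whose file name matches the SSFN pattern. The following is an added example, not code from Malwarebytes or Valve; it assumes an inspection point (such as a filtering proxy) that sees the multipart/form-data body, and the function names and sample request are constructed for illustration.

```python
import re
from email.parser import BytesParser
from email.policy import HTTP

# File name as the article describes it: 'ssfn' followed by a 19-digit number.
SSFN_NAME = re.compile(r"ssfn\d{19}", re.IGNORECASE)

def uploaded_filenames(content_type, body):
    """Return the filename of every file part in a multipart/form-data body."""
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = BytesParser(policy=HTTP).parsebytes(raw)
    return [p.get_filename() for p in msg.iter_parts() if p.get_filename()]

def ssfn_uploads(content_type, body):
    """Return uploaded filenames whose last path component is an SSFN name."""
    hits = []
    for name in uploaded_filenames(content_type, body):
        base = re.split(r"[\\/]", name)[-1]  # keep only the last path component
        if SSFN_NAME.fullmatch(base):
            hits.append(name)
    return hits

# Constructed sample request (not captured traffic): a text field plus one file.
SAMPLE_CT = "multipart/form-data; boundary=constructed-boundary-1"

def sample_body(filename):
    """Build a constructed form post that uploads a file with the given name."""
    return (
        b"--constructed-boundary-1\r\n"
        b'Content-Disposition: form-data; name="code"\r\n\r\n'
        b"ABCDE\r\n"
        b"--constructed-boundary-1\r\n"
        b'Content-Disposition: form-data; name="upload"; filename="'
        + filename.encode("ascii") + b'"\r\n'
        b"Content-Type: application/octet-stream\r\n\r\n"
        b"constructed placeholder bytes\r\n"
        b"--constructed-boundary-1--\r\n"
    )

if __name__ == "__main__":
    print(ssfn_uploads(SAMPLE_CT, sample_body("ssfn1234567890123456789")))
```

Because the article gives no legitimate reason to submit this file through a web form, the check flags every match rather than keeping an allow-list of destinations.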
It is suggested that your Steam account may be of interest to others as they can: play all your games for free, change the user email address and password, and even make money from selling off any rare in-game items from your various game inventories. However, the scammer would also need your credit card's 3-digit security code to make additional purchases.
Please see below for an example of how someone was targeted with this particular phishing email and the result. Valve is said to be aware of the issue but we aren't sure if anything more than telling users to be careful will be done.