An Innovative Phishing Style (tehaurum.wordpress.com)
324 points by ivank on Oct 1, 2018 | hide | past | favorite | 82 comments



> As far as I could tell, the debugger trap was basically calling the debugger function if it detects a running debugger.

This is a fairly common trick, you just run the debugger method in a setTimeout loop since it's a no-op if the debugger isn't open. It's a common tactic used by quasi-illicit sport streaming websites that are usually filled with ads.

There's a button in Chrome Dev Tools to disable breaking on breakpoints that gets round this.


The site's dead now - the DNS record was pulled about an hour ago. But, I got a snapshot of the site and all the code before it got taken down, and I took the liberty of deobfuscating the big blobs of code:

https://github.com/nneonneo/steam-phishing-analysis

It's fairly simple code, in the end. The phishers copied the legitimate trading site, as well as the Steam Community login page, and then added some JavaScript code to both as well as tweaking the HTML a bit. In total, three snippets of JS were added: the first detects debuggers using https://github.com/sindresorhus/devtools-detect (the bit that the original blog poster found), the second pops open the fake browser chrome and sticks the fake login page inside an iframe, and the third (running in the iframe) harvests credentials off the copied Steam login page.
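As an added example (not code from the thread or from the linked analysis repo), a static triage heuristic for the two tricks described in the comments above: a `debugger` statement re-armed from a timer, and the devtools-detect style comparison of outer and inner window dimensions. It runs over JavaScript source text, so it can be applied to a captured snapshot without executing anything; the sample fragments are constructed.

```javascript
// Added example; not code from the thread or the linked analysis repo.
// Flags two anti-analysis patterns in JavaScript source text:
//   1. a `debugger` statement scheduled via setInterval/setTimeout, and
//   2. a devtools-detect style check of window.outerWidth/Height against
//      window.innerWidth/Height (the "distance" comparison).
function findAntiDebugPatterns(source) {
  const findings = new Set();

  // Names of declared functions whose (brace-free) body contains `debugger`,
  // so that `setTimeout(trap, 50)` is caught as well as an inline callback.
  const trapNames = [];
  const fnDecl = /function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{([^{}]*)\}/g;
  let m;
  while ((m = fnDecl.exec(source)) !== null) {
    if (/\bdebugger\b/.test(m[2])) trapNames.push(m[1]);
  }

  // First argument of every setInterval/setTimeout call: either an inline
  // callback containing `debugger`, or a bare reference to a trap function.
  const timer = /set(?:Interval|Timeout)\s*\(\s*([^,]*)/g;
  while ((m = timer.exec(source)) !== null) {
    const arg = m[1];
    const inline = /\bdebugger\b/.test(arg);
    const named = trapNames.includes(arg.trim());
    if (inline || named) findings.add("debugger-in-timer");
  }
  // A lone `debugger` is weaker evidence but still worth surfacing.
  if (!findings.has("debugger-in-timer") && /\bdebugger\b/.test(source)) {
    findings.add("debugger-statement");
  }

  // devtools-detect compares outer and inner viewport size with a threshold.
  const sizeDiff =
    /\b(?:window\.)?outer(Width|Height)\s*-\s*(?:window\.)?inner\1\b/;
  if (sizeDiff.test(source)) findings.add("devtools-size-check");

  return [...findings].sort();
}

// Constructed sample fragments of the kind described in the thread.
const SAMPLES = {
  inlineTrap: "setInterval(function () { debugger; }, 100);",
  namedTrap: "function guard() { debugger; }\nsetTimeout(guard, 50);",
  sizeCheck:
    "var threshold = 160;\n" +
    'if (window.outerWidth - window.innerWidth > threshold) { location.href = "/"; }',
  benign: 'setTimeout(function () { console.log("ready"); }, 100);',
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, "->", findAntiDebugPatterns(src));
}
```

Obfuscators usually leave the `debugger` keyword and the `outerWidth`/`innerWidth` property names intact, since neither can be reached through string lookups, which is why a textual pass is a useful first filter before full deobfuscation.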


How was the JS obfuscated? Did they, by any chance, use [1]?

AFAIK that tool includes a very similar anti-debugging technique.

[1] https://github.com/javascript-obfuscator/javascript-obfuscat...


They did a first pass obfuscation which replaced local variable names with gibberish and then applied some minification. Then they applied an obfuscation tool 2-3 times for each of the three code snippets, causing the code to bloat up quite considerably. However, at least two different obfuscation tools were used - one simpler one (used for the antidebugger hook) and one more complex one that looked almost like a virtual machine.

The output looks a little like the output from your link, but there's a lot of structural differences so I'm not sure it was the same tool.


Thanks for the good writeup. This technique however is not new, as others have mentioned. If you look at this phishing site on the "Similar Pages" feature on https://urlscan.io you can see a bunch of other phishing pages with similar themes (gaming / skin customisation) that employ the same phishing kit, going back five months: https://urlscan.io/result/24dc54ec-2008-4fe1-b526-4a25fca25f...

Some example domains: skinssoul[.]com, skinsnecro[.]com, dotaskins[.]eu etc...


I will vouch for the author of this article. Smart kid!

On a slightly off-topic note, I think it's safe to say that trading and farming items in popular games is responsible for cheaters, unfair practices, and in turn developers churning out more of these.

I hope we can return to games where I pay for a title for its entertainment value, bar all loopholes and caveats.


It's a stretch to say it results in cheaters, people have been writing cheats since quakeworld.


The rate may have accelerated due to present incentives.


I'm an engineer (mostly web) and I am very tech savvy, and extremely wary of scams on the internet. However, if this site had come to me via a trusted channel, I would have fallen for it maybe 80% of the time.

I hardly ever log in to Steam as it's always running, and while I have 2FA my password would have been stolen in this attack for sure.

I don't think teenagers and non-techy users would stand a chance against this.


Note that LastPass didn't autofill the password and the box stayed gray instead of red. That would tip off most LastPass users that the URL was wrong.

edit: Image in question: https://i.imgur.com/hVTEKfD.png


1Password saved me from getting phished by “colnbase.com” because the completion hotkey didn’t work. I still wince thinking about how close I got.

You used to just have to be moderately tech savvy to avoid scams but I find myself tricked more and more often these days. Recently it was a “click to start download” ad. I sent the page to my friends and they got fooled too.


That image appears to be using the new Chrome UI in the top level, and the old Chrome UI in the fake window.


Non-techy users don’t really stand a chance against anything, especially when you consider the attackers only need to get .1% for meaningful results.


Brick wall UX. That's the recurring lesson in security design. WebAuthn does this. The user may really, really want to give fakebank.example their credentials for the real bank but they can't. Dancing pigs, free money, urgent message from God, it doesn't matter why the user feels compelled to give away their credentials if they can't.


When it's too good to be true, it just isn't. Here, you can avoid all those scams!


The fake pop-up window isn't new. This does seem a fairly well engineered version of the trick, but sites have been pulling this shit since the 90s. It has been a while since I've seen it though, but then I use an ad blocker so I suppose I wouldn't.


I distinctly remember laughing at fake popups using Windows UI styling while I’m using Linux.


Yeah, and this one isn't any better in that regard. Was just examining it on a Mac, where it uses the same Windows UI style.

One should think that malware authors would have already implemented some JS library of sorts for their fake popups that fakes Windows, MacOS and Linux UI styles more convincingly.

Especially since they've applied serious thoughts to other parts of the fake, like the language chooser in the fake Steam popup. It causes a spinner for a short while and then an error popup saying something like "cannot communicate with Steam server". Nice idea to dead-end page components that they didn't want to fake more convincingly.


Unthemed Windows & Mac OS will be convincing to a lot; Linux will be pretty hard. Then again, those who tinker with their computers are unlikely to fall into this trap.


This specific phishing website mimics an ingame website for Counter-Strike Global Offensive, a shooter game with the vast majority of players using Windows. Linux isn't supported at all and while the game technically runs on a Mac most people don't (or play it with Bootcamp).

I would not be surprised if 99% of the audience for this website is using Windows, the vast majority with default themes (and the ones without either won't notice this or think Windows is buggy when a popup shows the default theme).


>Linux isn't supported at all

What? Valve games tend to have pretty good Linux support.


CS:GO runs natively on Linux, most Valve games do actually


I think the new thing is that they implemented Chrome dev tools in the popup window in a convincing enough manner. This sounds far more extreme than any previous example I have heard of on the web.


Chrome DevTools is already implemented with web tech so it would just be including and using it correctly.

Furthermore, modern Windows styling and even Chrome's tab strip have been reimplemented in HTML/CSS/JS due to people theming Electron apps.

I wouldn't be surprised if this site just cobbled together those existing libraries.


Wanna bet that if I call anybody working in a bank, telling them I am from the IT department and I want them to check the new login page (done the way described in this article), they will enter their login & password there?


Well, first, phishing is not calling someone, but at our bank we train our employees monthly about phishing by testing them, and if they fail they must take a class. Serial failures could result in termination. So, how much you wanna bet?


> So, how much you wanna bet?

You're not resigned enough to be on an infosec team, and if you're not on an infosec team you probably don't know the true percentage of how many employees are failing over and over (it's a ton, it's always a ton).

I'd go big :)


Personally I'd be pretty sure that, at least at the bank I currently work at, this would rarely ever work.

I mean, other than the attempts to foster a relationship between bank staff and the tech people through things like days of letting tech people hang out and try and be helpful at branches in order to "see what real difference they could make" - and that largely ending up being a fairly regular educational exercise for everyone involved - there are two problems I see:

1. All the phone calls into branches are monitored (you may have noticed so many "we will record this call and it may be monitored" messages - they aren't kidding) and if certain key words, or even key tones of voice, are picked up, someone from a relevant team silently dials onto the call to listen in.

2. The general process for anyone not in IT interacting with any IT system is to click a button on their screen which generates a 6 digit PIN, and if you can't match that PIN with the person talking to you and don't confirm success then alerts go out immediately.

And given the hit rate on the "generate PIN" API, tellers are definitely using it properly.

So I'd be inclined to go pretty small if I were to bet at all.

Not sure why the assumption that you can social engineer your way into any halfway competent institution still persists, but nowadays, as far as I know, you have to pick the really low hanging fruit for someone to let you in so easily.


> half way competent institution

At which attackers shift their targets from a bank to a mobile phone provider... :(


Obligatory "SMS 2FA needs to stop" comment. Because it does.


Additional obligatory "2FA doesn't excuse weak password choices or password reuse."


How often do they assume that non-scams are scams?

That part has always made me curious when talking about these tests. I mean, I have a mostly foolproof way (type the URL or navigate to it from the main page), but even including "this page is not linked from anywhere else for security, you must click the link" would probably fool people. Especially because I can imagine many orgs would actually include that.


At my previous bank, you could get your account password reset with SSN and birthday. Also, your account number (and your website login) was your social security number. And for the longest time, your password for your account online was your ATM pin. This is at a credit union in the US. I switched banks as soon as I had a significant amount of money in my account.

TBH, I'm surprised they don't have bank accounts emptied out regularly, but they're sort of small (limited to grocery store employees), so maybe it's just that nobody has seen it.


From the stories my wife--a bank employee--has told me, I'll bet on the phishers.


Apparently Cloudflare doesn't require a credit card to sign up for the free plan. Not that scammers couldn't figure out how to provide a credit card that wouldn't trace back to them.


Why would it require a credit card to sign up for the free plan? To "prevent" scams and abuse?


From their perspective, how else would you track unique users on the internet? By asking for CC number, you are outsourcing the identity verification to a bank. It is certainly more 'secure' than email, what other options would you suggest?


It's a common sales technique. People are willing to give their CC details for a free plan since they are not charging anyway. But by the time your site grows, this takes away the friction of switching to a paid plan. Mailgun does the same.


Maybe it's a cultural thing?

I've never come across a situation where anyone would give their CC number for a free service. That gives a really shady impression.

Or expose myself to that risk.


Free service that requires a credit card? That is almost always a red flag for me and just screams “scam”. Who falls for that?


Heroku, HBO, Discord, Amazon Prime, etc all have free trials/plans that require a credit card . . .


Not sure what Prime is but I suspect everything you can do requires a purchase anyway? If so that could, perhaps, be reasonable.

Wouldn't ever sign up for any of the others though.

And when a free trial requires a cc that kind of implies that you have to read the fine print very carefully and actively cancel before you get "upgraded".

Doesn't exactly inspire trustworthiness, I'd research competitors closely before considering a company that does that.


Anyone using AWS Free Tier?


What risk? That you have to wait a few days for your bank to send you a new card if it is compromised? There is no accidental charge risk as you then just call the bank and have them remove it. If your bank makes that difficult then switch to a reputable one.


I hate that kind of reasoning.

1. You are actively funding thieves. This is wrong on so many levels it is bizarre.

2. All subscriptions need to be redone.

3. Even in a perfect world it is quite the hassle. And that is not taking into account the added problems if this were to be happening while you were on vacation.

Even risking only one of those is a complete dealbreaker.


This is an institutional problem. Since banks are so unreliable that information leaks, identity theft, and fraudulent charges are expected, they have this strange relationship with the customers, who do not treat their CC information as secret (not that it would help). It is sort of a cyclical thing, maybe.


Yes, but the only reason for that is because banks have convinced enough people to accept it.

In the end we have a deeply unethical and immoral system for the benefit of banks and to the cost of society. I don't subscribe to that.

There is no reason to be careless with your cc even if there is little risk to you personally. Subscribing to a free service that requires a cc is definitely being careless.


Also prevents freeloaders from signing up, or people who will never have any means to pay (e.g. minors)


This is hard to defend against, but changing the default colour scheme (also used for every window title bar) helps somewhat.


A good solution is to force popup windows to open as a tab in the current window, so that the address bar is absolutely always in the same place. This distorts the popup window because it can't change size but that's a small price to pay. I find it annoying that any website should open a new window anyway. I'm not sure if this is possible in Chrome, or if so how to do it, but in Firefox the setting is browser.link.open_newwindow.restriction.

It would also help if Windows had proper contrast between the title bars of active and inactive windows, since then it would be obvious there's a problem from the two simultaneously active top-level windows. The contrast was excellent from at least Windows 3.1 through to Windows XP (colour vs greyscale) but in Windows 7 it dropped dramatically, and it's almost indistinguishable in Windows 10. Microsoft seems to have an endemic problem of redesigning visual styles for the sake of it, even if it makes things worse, presumably to justify the wages of full-time designer staff.


If you go to the page, you'll notice that they are not displaying a popup. Instead, they have recreated the entire UI experience, and if you're on Windows the only way to tell that something fishy is going on is if you try to move the window and notice you can't move it outside the bounds of the parent window.

It's incredibly well done, and I was almost fooled by it when I went to the web site. If I hadn't been using Qubes OS where my dispvm's are using red borders, I probably wouldn't have noticed at all.


> they are not displaying a popup

But that's exactly my point! If you have set your browser to make all popups appear as a tab taking up the whole of your existing window (and adding an entry to your tab list), and then a fake one looks like a separate window, then it will stick out as fake immediately. For me, a browser-like window within the boundary of my actual browser is so foreign that I wouldn't even consider the possibility that it's real.


BTW, you need to set browser.link.open_newwindow.restriction to 0

http://kb.mozillazine.org/Browser.link.open_newwindow.restri...


Not engaging in trading requests from strangers also works.

Although some are in it for the long game, my GF's son was scammed by a "friend" on Fortnite who spent at least two weeks befriending the guy.


One of the benefits of being a long-time Linux desktop user who uses some non-standard window manager and a motley mix of Gnome, KDE, and "standard" X11 apps; good luck guessing from my browser string what a new window looks like.

Currently I'm on a tiling manager, and the "window decoration" is a three-pixel thick blue line, which even if you draw it in the middle of a web page is still wrong, because your supposed new window didn't tile correctly.

On those rare occasions where someone gets through the various NoScript-type protections I tend to run, it's amusing to see a Windows screen pop up. Yes, sir, I'll get right on running Windows Update on my Ubuntu system. (Do I have to install Wine for that, or...?) I've also seen some Windows-styled screens pop up on my Android browser on occasion... yeah... not terribly convincing there guys.


Browsers should implement some mechanisms to combat this type of phishing. I've gone ahead and reported this as a phishing site on Google safe browsing and other services.


You can just disable grouping taskbar items, which is convenient for me regardless of this issue. Then it's clear that 1 window is not 2 windows.


It's possible for programs to make windows that aren't in the taskbar though. I'm not entirely sure I would know/remember whether this ever happens for a browser.


> Browsers should implement some mechanisms to combat this type of phishing.

Combating this doesn't require browsers - you can have a passwordless login mechanism (like email links!).

Or, if browsers do indeed want to combat issues such as these, we'd need support for client-side certs (so you can login using a key-pair!), rather than username/password.

Or, rely on a tool like LastPass to consistently enter the credentials (which, presumably, will check the domain first and if it doesn't match, won't let you put the credentials in).


You can see in the screenshots that the author indeed uses LastPass. No autofill suggestion by your password manager (even your browser's built-in one) in the login fields would be a dead giveaway in this case.
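As an added example (not from the thread and not the code of LastPass or any other manager), the domain check the two comments above describe: a credential saved for one site is only offered when the page, and the frame holding the login form, share its registrable domain over HTTPS. The public-suffix list is a constructed three-entry stand-in for the real one, and the scenarios reuse domains named elsewhere in the thread with made-up paths.

```javascript
// Added example; not any password manager's real code.
// Constructed stand-in for the public-suffix list (real managers use the
// full list, which is what makes "co.uk" behave like a single TLD).
const PUBLIC_SUFFIXES = new Set(["com", "eu", "co.uk"]);

// Registrable domain (eTLD+1): "login.steamcommunity.com" -> "steamcommunity.com"
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join(".");
}

// Decide whether a credential saved for `savedUrl` may be offered to a login
// form living in `frameUrl`, embedded in the top-level page `pageUrl`.
// The frame check matters for the copied-login-page-in-an-iframe layout:
// the form's origin is compared, not just the visible top-level URL.
function shouldAutofill(savedUrl, pageUrl, frameUrl = pageUrl) {
  const saved = new URL(savedUrl);
  const page = new URL(pageUrl);
  const frame = new URL(frameUrl);
  const want = registrableDomain(saved.hostname);

  if (page.protocol !== "https:" || frame.protocol !== "https:") {
    return { fill: false, reason: "insecure transport" };
  }
  if (registrableDomain(page.hostname) !== registrableDomain(frame.hostname)) {
    return { fill: false, reason: "form is in a cross-site frame" };
  }
  if (registrableDomain(page.hostname) !== want) {
    return { fill: false, reason: `page is ${page.hostname}, credential is for ${want}` };
  }
  return { fill: true, reason: "same registrable domain" };
}

// Constructed scenarios: skinssoul.com and colnbase.com are domains mentioned
// in the thread; every path is made up.
const SCENARIOS = [
  ["real login", "https://steamcommunity.com/login", "https://steamcommunity.com/login"],
  ["subdomain", "https://steamcommunity.com/login", "https://login.steamcommunity.com/"],
  ["copied page in iframe", "https://steamcommunity.com/login",
    "https://skinssoul.com/", "https://skinssoul.com/fake/login"],
  ["lookalike", "https://coinbase.com/", "https://colnbase.com/"],
];

for (const [label, saved, page, frame] of SCENARIOS) {
  const verdict = shouldAutofill(saved, page, frame);
  console.log(label, "->", verdict.fill ? "fill" : "no fill", `(${verdict.reason})`);
}
```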


The problem with e-mail links is that if the e-mail inbox gets hacked the hacker now has access to all the user's services.


Unlike with passwords, where the attacker has to go to the extra step of clicking "I forgot my password" in order to convert access to the email inbox into access to all the user's services.


OAuth and similar technologies are a blessing and a curse. Users are too willing to use one site’s login credentials to log into another site, and this willingness is a phisher’s dream come true. This whole class of problems would go away or at least be minimized if there were fewer of these “log in with Facebook” and “log in with your google account” opportunities to exploit.

In this case it looks like the 3rd party service required deep integration with Steam so it was probably unavoidable, but many sites use OAuth as a crutch because they don’t want to bother building their own sign-in system.

I’ve stopped using services if they don’t provide an option to create a site-specific username and password. Facebook login the only way to sign up for your site? How about no.


Doesn't OAuth and similar work by redirecting you to the login page?

I don't recall ever seeing a version that opens a popup to get you to login. This would immediately raise my suspicions on this basis (popup windows can be controlled by the opening website to a large degree!).


> I don't recall ever seeing a version that opens a popup to get you to login.

You'll often get a login pop-up if you pay with PayPal - they call it the mini-browser in their documentation [1] - and I guess the intention is you don't have to leave the merchant's website in your main browser window.

[1] https://developer.paypal.com/docs/classic/adaptive-payments/...


I think this was a bad option they offered in the past and now they are stuck with it. Notice the alert at the top of that page:

> Important: Adaptive Payments is now a limited release product. It is restricted to select partners for approved use cases and should not be used for new integrations without guidance from PayPal.

In other words, popup loading another website is just wrong and should be avoided by both website makers and their users.


At most 10% of the target audience (and that's a generous upper bound) are going to have the deep understanding of web technologies that is required to make those deductions. And even if they do, not all of them are going to realize this in that particular moment. (For instance, it didn't immediately occur to me while reading the article.)


Oh, I wasn't expecting people to make the deduction I made.

There was a time when popups were considered malicious by nearly everyone (my mother would have seen this as suspicious during that time).

Thanks to popup blockers this feeling seems to be fading, and I see no reason whatsoever to not cultivate it again:

"Unless you are already logged in to a website you trust, any popup means that this website cannot be trusted. Contact someone you trust to check it if you really really need to use that site."


OAuth flow can certainly open a popup (or new tab if that's how your browser is configured). After you login it will use a redirect but that might be hidden from the user.

Pop-up blockers don't work when the user clicks "login".

It's not suspicious at all and I would say best practice. In any case, you always need to make sure the domain is trusted. That's a lot easier if your browser puts all windows in tabs.


Only if the opener is on the same domain.

Anyway, this is where desktop uniformity hurts. Using i3wm it would be obvious to me what's happening, since window decorations would be different and new browser windows open in a stack, and not on top of other windows.


I see it all the time with PayPal (to the point where I wouldn't be suspicious of Steam doing it).


> "The whole thing was just a drawn up window inside the phishing website!"

This reminds me the "Phishing Alert Toolbars" section from Ross Anderson's "Security Engineering" book on what he calls a "picture-in-picture website" [0]

[0] https://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c02.pdf


Tangentially related (and an absolutely shameless self-promote): a colleague and I recently described a repeatable approach and methodology (including example) for malware deobfuscation in a recent conference talk. Full narrated video of the talk is here [1], deobfuscation portion is roughly the middle third.

[1] https://youtu.be/RAtjW7PVGaM


They should use user agent to change the style of the fake browser. You can maybe get access to the chrome theme assets also.


For what it's worth, I noticed that the login does not load up on IE11 and Edge, although it loads up for Chrome, Firefox, and Opera and will label the fake pop-up window with said browser name.


You could open the dev tools in a popup. The dev tools detector works by comparing some distances in your browser.


Hey, Russian detected in HTML/JS code. Takedown notice has to be issued from skins.cash.


This is really interesting, though I can't see it exploited very widely in everyday use.


Why? I think the main thing stopping it is safe browsing, which is the same thing stopping all other phishing sites from getting too big.


This is why I think WebAuthn can't come soon enough.


A phishing attempt that emulates an OS window in HTML is lame and should have been spotted a mile away. Real popups open as tabs to begin with.


Depends on the browser, but in Firefox and Chrome you can certainly pop a window using a click event. Assuming a JS library was clever enough to simulate the OS-chrome believably it could be easy enough to trick people.



