A fake Steam skin giveaway site has been created that states it gives away news skins every day, but in reality it just steals your login credentials.
If a user goes to the promoted site they will be shown a pretend ‘$30,000 giveaway’ promotion that contains 26 days of free skin giveaways for Counter-Strike: Global Offensive (CSGO).
This phishing landing page also has a fake running chat screen on the left hand side of the page.If a user falls for the scam and clicks the “Sign in via Steam” button, it will pretend to open the login form from Steam, but will ultimately display a fake Steam login form. While this screen looks like the normal Steam login, any login credentials that are entered will be sent to the attackers instead.
Fake Steam Skin Giveaway Site Steals your Login Credentials – by @LawrenceAbramshttps://t.co/L3GCtQgcR2
— BleepingComputer (@BleepinComputer) December 1, 2019
Password stealing malware and phishing attacks are a challenge for enterprises and consumers alike. Password Stealing techniques usually target the weakest link when it comes to security – the human being. Due to the high incidence of password reuse, once a set of login credentials have been compromised, it’s very likely that attackers will have access to many more of the user’s accounts. While a full solution includes eliminating password reuse, the first step is MFA. If users have MFA implemented on all accounts, the problem of compromised credentials becomes far less significant as the attacker cannot bypass the second or third layers of security in order to breach the account.