Introduction

Today, I was contacted by a friend on Steam requesting that I ‘vote’ for him in an upcoming CSGO tournament. I found this odd, as the friend in question wasn’t an avid CSGO player. Wanting to help out a friend, I navigated to a convincing-looking tournament website:

Phishing link sent by friend’s Steam account.

Fake website mentioning ESL and CSGO specifically.


Two things stood out on the website. The first was the URL parameter teams?r=gamescsgo, with no ‘Games’ section or drop-down anywhere on the site to match it. The second was the mention of ESL (a legitimate CSGO league, and the site this privacy bar was stolen from). Clicking on his ‘Team’ asked me to log in via Steam; this in itself is not uncommon, as many services request Steam sign-in to validate that each account enters only once.

Update – After further digging, the website in question turned out to be stolen from United.gg. I have contacted them so they are aware.

Suspicious ‘Sign in through Steam’ box on a different domain when clicking vote.

On the next page you see what looks like a typical Steam login, but notice that it says ESEA rather than ESL. Notice also that this ‘popup’ cannot be moved outside the browser window: it is not a real browser window at all, but a fake popup drawn with JavaScript to mirror a real Steam login.

Fake 'popup' mentioning ESEA.

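The indicator called out above, a Steam sign-in box served from a domain that is not Steam’s, can be checked mechanically. The following JavaScript is an added example written for this post, not code from the original or from any site it mentions. It assumes that Steam’s genuine OpenID login lives on steamcommunity.com (with store.steampowered.com as the storefront host); the sample links it audits are constructed, and the heuristic that a non-navigating link (`#` or `javascript:`) signals an in-page fake popup is this example’s own.

```javascript
// Added example, not code from the original post. Classifies the target of a
// "Sign in through Steam" link by host so a reviewer can spot the indicator the
// post describes: a Steam sign-in box served from a domain that is not Steam's.
// Assumption: Steam's own OpenID login endpoint is on steamcommunity.com and its
// storefront is store.steampowered.com. All sample links below are constructed.

const GENUINE_STEAM_HOSTS = new Set(["steamcommunity.com", "store.steampowered.com"]);

// Returns a verdict for one href:
//   "genuine"      https URL on a real Steam host
//   "in-page"      link does not navigate at all (typical trigger for a fake
//                  overlay drawn with JavaScript; heuristic, not from the post)
//   "lookalike"    host contains "steam" but is not a real Steam host
//   "third-party"  any other host, including the page's own domain
//   "insecure"     real Steam host but not served over https
//   "invalid"      not parseable as a URL
function classifyLoginTarget(href, pageOrigin = "https://vote-portal.example/") {
  const trimmed = String(href).trim();
  if (trimmed === "" || trimmed === "#" || trimmed.toLowerCase().startsWith("javascript:")) {
    return "in-page";
  }
  let url;
  try {
    // Relative hrefs resolve against the page itself, so they land on its host.
    url = new URL(trimmed, pageOrigin);
  } catch {
    return "invalid";
  }
  const host = url.hostname.toLowerCase();
  if (GENUINE_STEAM_HOSTS.has(host)) {
    return url.protocol === "https:" ? "genuine" : "insecure";
  }
  return host.includes("steam") ? "lookalike" : "third-party";
}

// Given {text, href} records scraped from a page, return every link that
// promises a Steam sign-in but does not actually go to Steam.
function auditSignInLinks(links) {
  return links
    .filter((l) => /sign.?in|log.?in/i.test(l.text) && /steam/i.test(l.text))
    .map((l) => ({ ...l, verdict: classifyLoginTarget(l.href) }))
    .filter((l) => l.verdict !== "genuine");
}

// Constructed sample: one genuine OpenID link plus the three shapes the post
// describes (different domain, look-alike host, in-page fake popup).
const SAMPLE_LINKS = [
  { text: "Sign in through Steam", href: "https://steamcommunity.com/openid/login?openid.mode=checkid_setup" },
  { text: "Sign in through Steam", href: "https://vote-portal.example/steam/login" },
  { text: "Sign in through Steam", href: "https://steamcommunlty.example/login" },
  { text: "Sign in through Steam", href: "#" },
  { text: "View teams", href: "/teams?r=gamescsgo" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of auditSignInLinks(SAMPLE_LINKS)) {
    console.log(`${hit.verdict.padEnd(12)} ${hit.href}`);
  }
}
```

Run with `node` to list the three suspicious sign-in links; the genuine OpenID link and the unrelated ‘View teams’ link are not reported. The host check is deliberately an exact match rather than a substring match, because a substring check is exactly what a look-alike such as the constructed `steamcommunlty.example` is designed to pass.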

Reviewing the page source, I could see the website pulling its assets from multiple external sources. I could also see a local file served from the domain, 00c196f.js, which was heavily obfuscated. Running the file and the domain through VirusTotal came back with only a single malicious result. I’ve reported both websites and the file to VirusTotal and Google Safe Search. I’ve also saved the JavaScript file in question, which I am currently deobfuscating and can provide on request.

VirusTotal flagged malicious by one vendor.


Compromised Account

It should be noted that during this investigation I reached out to the friend in question on a separate channel. We were able to get him logged back into his account, remove the malicious actor and reset all security questions and passwords. We also removed all present device locations to make sure nothing legacy remained. He told me that most of the contacts on his friends list had been blocked after each phishing attempt, probably to prevent them from notifying him. He also had Steam Guard in place and was not prompted at any point. Finally, during further hardening we found a Steam API entry pointing to localhost, which was deleted.

Published On: November 29th, 2021 / Categories: Technology, Cyber Security, Gaming