Hackers Use Twitch.tv Chat to Target Steam Wallets

The security research firm F-Secure has announced that it has discovered a new form of malware that has been spreading through links posted in the chat of the video game streaming service Twitch.tv.

Twitch, which was picked up by Amazon for just under $1bn last month, is a website that gives 55 million users a month the opportunity to watch streams from their favorite pros, participate in online tournaments, and interact with the gaming community unlike anything that’s come before it.

These features have made it one of the premier destinations for gamers on the net, and because of its high profile it is constantly fighting back against a barrage of scams similar to those that have plagued the Plaguelands or Barren chat in World of Warcraft almost since the game was born over a decade ago.



By promising “items for cheap” in the main chat rooms, scammers can lure their victims into visiting dodgy webpages, many of which have drive-by-download or auto-phishing attacks attached to them, which can infect a person’s computer in a variety of creative ways.

Everything from installing spyware to opening a backdoor can be easily accomplished with the right phishing kit, including the distribution of a new program that the researchers have christened “Eskimo”.

Eskimo’s main purpose is to give the attacker access to a user’s Steam wallet, which by proxy can be connected to several different manners of online payment, including credit cards, checking accounts, and PayPal information.

Although the service can only be used to purchase games, many of the keys acquired can be sold to key sites at a bulk discount, which makes the service enticing for criminals already involved in the underground sale of pirated material on the black markets.

Where things really get nasty is when the bot decides to add insult to injury, stripping game accounts of all their items and save states in order to completely cripple the victim, as well as pull as much profit as possible from the sale of the illicitly gained goods contained within the pouches and backpacks of Twitch fans everywhere.

Full details on Eskimo’s capabilities can be seen below.

“The link provided by the Twitch-bot leads to a Java program which asks for the participant’s name, e-mail address and permission to publish winner’s name, but in reality, it doesn’t store those anywhere.

Those who have fallen victim to this fake giveaway will be shown this message after entering their details. After this message, the malware proceeds to drop a Windows binary file and execute it to perform these commands:

• Take screenshots
• Add new friends in Steam
• Accept pending friend requests in Steam
• Initiate trading with new friends in Steam
• Buy items, if user has money
• Send a trade offer
• Accept pending trade transactions
• Sell items with a discount in the market

This malware, which we call Eskimo, is able to wipe your Steam wallet, armory, and inventory dry. It even dumps your items for a discount in the Steam Community Market.”