

Hackers Planted a Steam Game With Malware To Steal Gamers' Passwords
Valve removed the game PirateFi from Steam after discovering it was laced with the Vidar infostealer malware, designed to steal sensitive user data such as passwords, cookies, cryptocurrency wallets, and more. TechCrunch reports: Marius Genheimer, a researcher who analyzed the malware and works at SECUINFRA Falcon Team, told TechCrunch that judging by the command and control servers associated with the malware and its configuration, "we suspect that PirateFi was just one of multiple tactics used to distribute Vidar payloads en masse." "It is highly likely that it never was a legitimate, running game that was altered after first publication," said Genheimer. In other words, PirateFi was designed to spread malware.
Genheimer and colleagues also found that PirateFi was built by modifying an existing game template called Easy Survival RPG, which bills itself as a game-making app that "gives you everything you need to develop your own singleplayer or multiplayer" game. The game maker costs between $399 and $1,099 to license. This explains how the hackers were able to ship a functioning video game with their malware with little effort.
According to Genheimer, the Vidar infostealing malware is capable of stealing and exfiltrating several types of data from the computers it infects, including: passwords from the web browser autofill feature, session cookies that can be used to log in as someone without needing their password, web browser history, cryptocurrency wallet details, screenshots, and two-factor codes from certain token generators, as well as other files on the person's computer.
Device Segregation for the win. (Score:1, Troll)
Use one laptop for banking, investing, and shopping.
Use a different computer for gaming, news-reading, social media, and casual browsing.
This is simply a matter of digital hygiene. Everyone should do it.
Wasteful. (Score:2, Offtopic)
Running VMs is a better solution. Generating e-waste isn't something to celebrate.
Re: (Score:1)
Qubes OS is the way.
Why do you presume "ewaste" in this use case? (Score:2)
Computer users serious enough to visit Slashdot will have at least one ready spare backup machine which was long paid for even if they bought it new. (My T61 and X200 Thinkpads owe me nothing as they were assembled from wrecks when that was worth doing.)
VMs are fine but it's often convenient to have more than one machine so I and many others do. I would never be only one deep on computers because downtime is not acceptable, and would never carry my main machines (notebooks or otherwise) since I don't carry a
Re: (Score:2)
Does not have to be e-waste. I use my old Gaming PC as 2nd computer. Well, if MS was not in the picture, but a lot of these older machines will likely become e-waste soon. Mine will just move to Linux and get Win11 in a VM with an emulated TPM for those cases I need to use Windows, but not everybody has the skills to make that work.
Re: Wasteful. (Score:2)
It's not a waste if you're using all of the devices?
Besides, VMs have their own problems not everyone wants to deal with.
Re:Device Segregation for the win. (Score:5, Insightful)
Yeah, that approach kind of stopped working well years ago.
More and more websites just don't have a dedicated account feature anymore. You need to use a Social media account to log in, and without logging in, that website content might range from limited to all-but-inaccessible.
"Use a throwaway account", you'd say. What, for Steam and all my games? Or GOG, or Epic Games Store, or EA, or Ubisoft, or whatever MS has for games these days (XBox Live or whatever)? If my Steam account, with all its 1000+ games is compromised, then it doesn't matter much, does it?
Maybe we should stop spewing oversimplified solutions that work for 0.01% of people.
Re: Device Segregation for the win. (Score:2)
I have never seen a site that required a social media login and no site that would have such a requirement is important enough for me to create a social media account.
Gamers are the worst offenders about complying with any bullshit because they have confused their wants with needs. There is no game you NEED to play. This is why video game companies constantly abuse their users. The consumers are such addicts they will put up with anything to get their fix.
Re: (Score:2)
There is no game you NEED to play. This is why video game companies constantly abuse their users. The consumers are such addicts they will put up with anything to get their fix.
I have a little hope that things are changing. So many game studios are crashing and burning right now because the consumers got tired of half finished games, exploitative micro transactions, as well as content they have no interest in. It'll be interesting to see what the next five years of gaming looks like.
Re: (Score:2)
Yeah, that approach kind of stopped working well years ago.
More and more websites just don't have a dedicated account feature anymore. You need to use a Social media account to log in, and without logging in, that website content might range from limited to all-but-inaccessible.
"Use a throwaway account", you'd say. What, for Steam and all my games? Or GOG, or Epic Games Store, or EA, or Ubisoft, or whatever MS has for games these days (XBox Live or whatever)? If my Steam account, with all its 1000+ games is compromised, then it doesn't matter much, does it?
Maybe we should stop spewing oversimplified solutions that work for 0.01% of people.
Erm... none of my important accounts require a social media account... Not my bank, doctor's surgery, insurance providers, superannuation, and definitely not any government services.
I strongly suspect you're the 0.01% of people here who's tied their life to social media.
Besides that it's good advice to have one secure device for important things... It doesn't even need to be a different device, it can be a dual boot laptop as I run, Linux for doing secure things like my citizenship application or banki
Re: Device Segregation for the win. (Score:1)
One PC, one administrator account and no backups. Grow up.
Re: (Score:2)
Backups will hardly help you when some hacker steals your private keys and drains your BTC wallet dry.
Device and OS Segregation is easy. (Score:2)
I do both and it's nearly effortless. This is Slashdot so who doesn't have at least one spare old machine or other ways (like live booting an OS for comms and leaving the main for gaming) to avoid using one OS for everything. Qubes, VMs etc are also useful options.
Using older machines for non-gaming use keeps them out of the ewaste stream rather than filling up landfills.
There's no need for clutter either since remoting into a secondary computer is so low effort and that machine can be anywhere on your LAN.
Re: (Score:2)
I do it half way. I have a VM I do critical banking, tax prep, personal finance, etc. on. I make regular encrypted backups of the documents on that machine (from inside the VM) with secrets I try really hard to only ever use on the VM - obviously if you have the host sufficiently compromised to spy on evdev pass-through you could still key log, but you *probably* need root to do that, so it is one place where privilege separation on my nominally single-user machine still offers some protection.
However I also s
Re: (Score:3)
While true (and I do the same), this is expensive, needs space and a lot of people have good reasons why they cannot really do it.
But Steam is aware of the problem now and hopefully they will establish regular AV scans for uploads. Apparently, AV (at least Kaspersky) finds the malware used reliably. Since this type of attack is untargeted, use of any zero-days (that AV may not find) is unlikely, due to the high cost and value of such exploits.
I expect this will remain a rare thing. Still noteworthy, as this
Re: (Score:2)
Some people don't even have a computer.
Re: (Score:2)
Yes. Hopefully, my TI-59 is safe.
TI... (Score:2)
... Same with my old TI99/4A wherever that is. :P
Re: (Score:2)
Use one laptop for banking, investing, and shopping.
Use a different computer for gaming, news-reading, social media, and casual browsing.
This is simply a matter of digital hygiene. Everyone should do it.
I sort of do that.
I have a tower as my main PC. I have several disks, each of which is bootable and encrypted. One is for daily do anything use, email, games, etc.
Another is for financial stuff and paying taxes, and another is for stuff I know is bad such as a large collection of flash based games.
I disable in the BIOS the ones I'm not using at the moment, so the other drives don't even appear.
I don't do multi booting because it requires making all the disks visible.
I do use Hyper-V with my daily use disk f
If they found one (Score:4, Insightful)
Re: (Score:3)
It means there are at least 20 others they have not found yet...
There's possibly thousands in there with Malware... it's called Denuvo.
Darn (Score:3)
This sets quite a precedent and that you can no longer trust Valve and their decision making.
I've already thought about creating a separate non-administrator user account to play games (hopefully games won't exploit Windows 0-days) just to secure my main account, and that now looks like a necessity.
Re: (Score:2)
Valve doesn't make many decisions - they always had a very light touch on what games they'd allow in the stores. Games aren't subject to approvals or anything. The bar is fairly low to sign up as a game developer to put a game on Steam.
At best they probably send the binaries through a virus scanner but that's about it. And I think that's how this was caught - the scanner got updated and detected it, but not after a
Shocking (Score:1)
Whoever could have guessed that a game called PirateFi would be compromised? /s