Monday, 5 April 2010

And the site is down again! We win again!

His new site (steam-powered.ro) was up for like 5 minutes. Because of our immediate action, and the great helpdesk at WebsiteWelcome.com, we were able to disable his account within 5 minutes.

Hello,

Thank you for this notification. The offending content has been removed from our network at this time. Please let us know if you notice any further issues on our network.

Warm regards,

Christopher D.
Level 2 Internet Security Division
866-964-2867 (General Support)
281-476-7801 (Abuse/Security Fax)

Let's see when this guy gives up... In the meantime: let's not stop trying to trace this guy down to get his e-mail address or real address! We can use all the help we can get!

Same guy, new website! (steam-powered.ro)

So yeah, after we took down his old website yesterday, today the guy set up a new website. It's exactly the same source code, with the same form that submits your username + password to his e-mail address.

A message to the hosting company (same as his previous website) has already been sent. Also, I have implied to ban this person permanently from any further service. I have also contacted the Romanian Domain Name Registration services to block this person's IP address permanently; let's see what they can do.

Sunday, 4 April 2010

We got his IP address!

So yeah, just 15 minutes ago, he came online, on one of my friends' stolen accounts. I immediately did an IP trace (using a packet sniffer while calling him through Steam voice), and found his IP address.

SteamFreeGames.ro has been suspended! Victory is ours!

After finding out where this website is hosted (websitewelcome.com), we were able to notify the Network Security Administrator, and we have just received notice that this phishing website has been taken offline!

I've taken this site offline. Thank you for the notification.

Regards,
Patrick Harrison
Network Security Administrator
HostGator.com LLC
http://support.hostgator.com

We're still trying to find out who the guy is that created this website. When we know more, we'll keep you posted!

Saturday, 3 April 2010

April 3rd: Steam Users Hijacked via Free Steam Games website.

Today, Steam users got hijacked after filling in their username and password on a phishing website (steamfreegames.ro). This website looks exactly like the official Steam Community website.

You probably reached this blog because you either received a message from a friend, telling you to click on this link, or because you have already clicked this link, and possibly even sent your user credentials to these hackers already.


Because that's what this website does. It sends your Steam ID and password to some e-mail address. This website is a typical example of the "Lobsterpot" phishing method. When the phisher receives the e-mail, he immediately logs in to your account and changes the password and e-mail address.

The creator of this page only had to use basic HTML and PHP skills to create this fake page. He copied the entire HTML source of the Steam Community webpage and edited the login form, so the data are sent to his own PHP script (loginnow.php) that submits the user credentials to his e-mail address. See the difference in these two images below:



So we know how he did it. But there is one thing I haven't been able to figure out yet: to change the password or e-mail address of a Steam account, you need to have access to the confirmation code sent to your e-mail address. So: how does this phisher manage to change your password and e-mail address, without being able to get the confirmation code from your e-mail account?


Yes... maybe people use the same password for their e-mail address as their Steam account, but my friend, who got hijacked about 4 hours ago, tells me he doesn't.

If there's someone who might know an answer to this question, please, leave a comment below!

Last, but not least, we need all the help we can get to track this phisher down. I'm sure it will take the Steam moderators ages to handle all the Support Tickets, so let's take things into our own hands! A simple WHOIS lookup shows that this seemingly Romanian website (.ro) is hosted in Houston, Texas, USA.


If any of you out there has the skills required to find out more about this phisher, his personal data or his location, feel free to contact me or leave a comment.

Let's hunt this guy down! He's such an amateur (looking at his code), that it can't be hard to trace him. With your help, we can find this guy and bring him to justice! Phishing is an illegal act in the USA, but also in Europe, and is punishable by up to $400.000 and 5 years imprisonment.

In the meantime, remember to never enter your username and password on a website that isn't secured with HTTPS and a valid certificate.
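The cloned login form described above can be spotted automatically by checking where a page's password form actually posts. The following is an added example, not code from this blog or from Steam; the trusted-host list and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: hosts the defender allows to receive Steam credentials.
TRUSTED_HOSTS = {"steamcommunity.com", "store.steampowered.com"}

class LoginFormFinder(HTMLParser):
    """Collects the action of every <form> that contains a password field."""
    def __init__(self):
        super().__init__()
        self.in_form = False
        self.has_password = False
        self.current_action = ""
        self.login_actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form, self.has_password = True, False
            self.current_action = a.get("action") or ""
        elif tag == "input" and self.in_form:
            if (a.get("type") or "").lower() == "password":
                self.has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self.in_form:
            if self.has_password:
                self.login_actions.append(self.current_action)
            self.in_form = False

def audit_login_page(page_url, html):
    """Return findings for each credential form, resolved against page_url."""
    finder = LoginFormFinder()
    finder.feed(html)
    finder.close()
    findings = []
    for action in finder.login_actions:
        target = urlsplit(urljoin(page_url, action))  # relative actions inherit the page host
        host = (target.hostname or "").lower()
        if target.scheme != "https":
            findings.append(f"credentials sent without HTTPS to {target.geturl()}")
        if host not in TRUSTED_HOSTS:
            findings.append(f"credentials posted to untrusted host {host}")
    return findings

# Constructed sample: copied login markup whose form action is loginnow.php.
CLONED = ('<form action="loginnow.php" method="post">'
          '<input type="text" name="username">'
          '<input type="password" name="password"></form>')
```

The host check matters in addition to the HTTPS check, because a valid certificate only proves which domain you are talking to, not that the domain belongs to Steam.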


Thank you for your time.

Update:

www.steamfreegames.ro is now a known phishing site in Mozilla Firefox, but http://steamfreegames.ro still isn't yet!

It seems this website is hosted on a server that belongs to websitewelcome.com. We have sent an e-mail to abuse@websitewelcome.com to report this phishing website and hopefully get some data on this phisher (e-mail address, IP address etc.).