0x48756776 Posted March 3, 2015 Share Posted March 3, 2015 Hey! Just as a heads up, there appears to be a new scam going around where people (mostly from CSGO Lounge) are trying to prey on those who are trading items. Basically they will add you from a legit looking profile, in this case I got one from this guy: http://steamcommunity.com/id/e28e/ He is only level 1, but has 104 friends. He invited me into a lobby with this guy:http://steamcommunity.com/profiles/76561198170882453 Who only has 15 wins and is a Global Elite (CSGO rank). (Huge red flag) They were offering boosting for free, but I had to download an application for voice chat as they didn't use in game chat (another red flag) They were very insistent that I download the application and talk with them, even if I didn't want to play (all these red flags). Here is the program in question - hxxp://voice-speaker.com/index.php (DO NOT DOWNLOAD ANYTHING FROM THIS SITE) The website is a massive rip off of the Curse gaming communicator - http://beta.cursevoice.com/ The first web site looks pretty legit, and could be easily launched by an unexpected/inexperienced user. Once downloaded, you can see a comparison of the two different applications. http://imgur.com/a/NLtlI The file on the left is the file downloaded from the scammers website, while the one on the right is the legit application. So I decided to into more detail: the application is custom designed in Delphi designed as a dropper application to avoid detection The first application, which you download from http://voice-speaker.com/download.php is written in the Delphi language. When decompiled it shows the following: Pointers to a website - (URL REMOVED) (maker of the application) When launched, the application will kill running browsers: Then reports back to http://voice-speaker.com/data/entry/ssfn.php Steals login data from browsers: Then downloads steam.exe from voice-speaker.com It also changes the host file to the following websites: Once it's done that, it will launch the new Steam.Exe file and send the username and password you entered back to the server. I've worked with the hosting company the scammers were using in order to take the website down. I am now publishing my results. Please be extremely vigilant if you have skins or items of any value in your account, as it's quite easy fall victim to one of these. 8 Quote Link to comment Share on other sites More sharing options...
FoolishFreakazoid Posted March 4, 2015 Share Posted March 4, 2015 Thank you for the heads up! Quote Link to comment Share on other sites More sharing options...
7Z. Posted March 4, 2015 Share Posted March 4, 2015 Thank man Quote Link to comment Share on other sites More sharing options...
camperfriend Posted March 4, 2015 Share Posted March 4, 2015 We need more people like you Quote Link to comment Share on other sites More sharing options...
essence Posted March 4, 2015 Share Posted March 4, 2015 tanks you! Quote Link to comment Share on other sites More sharing options...
Anthony Posted March 4, 2015 Share Posted March 4, 2015 oh ye you go gurl Quote Link to comment Share on other sites More sharing options...
Johnmau Posted March 4, 2015 Share Posted March 4, 2015 I just got this like atleast an hour ago, i read this bcuz i wanted to check if my sig was done and i saw this and it was the same exact thing, thanks so much freehugs Quote Link to comment Share on other sites More sharing options...
freshyams Posted March 4, 2015 Share Posted March 4, 2015 tl;dr don't download random .exe files and run them 1 Quote Link to comment Share on other sites More sharing options...
Comic King Posted March 4, 2015 Share Posted March 4, 2015 Yep, a bootstrapper... Never would've become suspicious on this... Thanks Free Hugs! Quote Link to comment Share on other sites More sharing options...
Colonel Potter M.D. Posted March 4, 2015 Share Posted March 4, 2015 Thanks! Quote Link to comment Share on other sites More sharing options...
UnPrePared_ Posted March 4, 2015 Share Posted March 4, 2015 ts3 is the best imo those hackers aint slick Quote Link to comment Share on other sites More sharing options...
ClearCut Posted March 4, 2015 Share Posted March 4, 2015 thanks man, appreciate it Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.