Csgo Scam - Analysis Of An Inventory Stealer


0x48756776

Hey!

Just as a heads up, there appears to be a new scam going around where people (mostly from CSGO Lounge) are trying to prey on those who are trading items.

Basically they will add you from a legit-looking profile; in this case I got one from this guy:

http://steamcommunity.com/id/e28e/

He is only level 1, but has 104 friends. He invited me into a lobby with this guy: http://steamcommunity.com/profiles/76561198170882453

Who only has 15 wins and is a Global Elite (CSGO rank). (Huge red flag)

They were offering boosting for free, but I had to download an application for voice chat as they didn't use in-game chat (another red flag)

They were very insistent that I download the application and talk with them, even if I didn't want to play (all these red flags).

Here is the program in question - hxxp://voice-speaker.com/index.php (DO NOT DOWNLOAD ANYTHING FROM THIS SITE)

The website is a massive rip-off of the Curse gaming communicator - http://beta.cursevoice.com/

The first web site looks pretty legit, and could be easily launched by an unexpected/inexperienced user.

Once downloaded, you can see a comparison of the two different applications. http://imgur.com/a/NLtlI

The file on the left is the file downloaded from the scammer's website, while the one on the right is the legit application.

So I decided to go into more detail:

The application is custom designed in Delphi, designed as a dropper application to avoid detection.

The first application, which you download from http://voice-speaker.com/download.php, is written in the Delphi language. When decompiled it shows the following:

Pointers to a website - (URL REMOVED) (maker of the application)

When launched, the application will kill running browsers:

O5Hhlca.png

Then reports back to http://voice-speaker.com/data/entry/ssfn.php

ftFMnth.png

Steals login data from browsers:

OEcrbVd.png

Then downloads steam.exe from voice-speaker.com

9IFv2xf.png

It also changes the host file to the following websites:

fnLCqNQ.png

Once it's done that, it will launch the new Steam.Exe file and send the username and password you entered back to the server.

nutbFxI.png

I've worked with the hosting company the scammers were using in order to take the website down. I am now publishing my results.

Please be extremely vigilant if you have skins or items of any value in your account, as it's quite easy to fall victim to one of these.

  • Like 8
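
A defensive check for the hosts-file change described in the post above, added here as an example and not part of the original post: it parses a hosts file and reports any entry that overrides a watched domain. The watchlist and the sample file are assumptions, since the post shows the rewritten domains only in a screenshot.

```python
import ipaddress

# Assumed watchlist: the post does not list the domains the dropper rewrote
# (they were in a screenshot), so these Steam-related names are illustrative.
WATCHLIST = {"steamcommunity.com", "steampowered.com"}

# Constructed sample input. On Windows the real file is
# C:\Windows\System32\drivers\etc\hosts
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.7     steamcommunity.com www.steamcommunity.com   # constructed entry
0.0.0.0         ads.example.net
203.0.113.7     STORE.steampowered.com
not-an-ip       steamcommunity.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every well-formed mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an address: not a usable mapping
        for name in fields[1:]:  # one line may map several aliases
            yield line_no, ip, name.lower().rstrip(".")


def suspicious_entries(text, watchlist=WATCHLIST):
    """Return mappings that override a watched domain or one of its subdomains."""
    hits = []
    for line_no, ip, name in parse_hosts(text):
        # Match on a label boundary so "notsteamcommunity.com" is not flagged.
        if any(name == d or name.endswith("." + d) for d in watchlist):
            hits.append((line_no, str(ip), name))
    return hits


if __name__ == "__main__":
    for line_no, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

A clean machine normally has no hosts entries for these domains at all, so any hit is worth investigating before logging in to the account again.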