Fake steam skin giveaway site tricks users into sharing their login credentials

A new scam that involves the use of a fake Steam skin giveaway site has been found tricking users. The purpose of the scam is to steal their login credentials. Discovered first by a researcher who goes by the online name of ‘nullcookies’, the scam is promoted through comments made on Steam profiles. Once a user clicks on the URL provided in the comment, they will be shown a new page that pretends to be a $30,000 giveaway promotion that contains 26 days of free skin for Counter-Strike: Global Offensive (CSGO). In order to get a free skin, the victim is prompted to log in to the site using their Steam credentials and later wait for the words ‘SKIN RAIN’ to appear in the chat. Once the words appear, the site asks the victim to click on them to get one of the free skins being offered that day. To make it look legitimate, it also contains a fake chat screen running on the left-hand side of the page, Bleeping Computer reported. Once the scammers gain access to the victim’s login credentials, they can hijack their Steam account, trade away their items, and perform other malicious activities such as further promoting their scam. In order to make the phishing page look less suspicious, the scammers claim that these skins are allegedly being sponsored by G2A, Handouts, opencases.cheap, GamDom, Kinguin, and FaceIt. Hence, users should not believe what is said on the site. The chat messages appearing on the site are fake and do not belong to any actual visitors. To avoid falling victim to such scammed sites, all Steam users should only log in to Steam directly from the steampowered.com domain. Be sure to do a thorough research of the site that wants you to log in through Steam.


An unknown hacking group is looking for exposed docker platforms

This operation means that Docker admin ports are still left exposed on the internet, in spite of the huge number of looming cyber risks. Researchers observed that this wasn’t a normal operation, considering the large uptick in scanning activity. The malicious actors deployed cryptominers on the exposed Docker platforms. “As others have noted, this isn't your average script kiddie exploit attempt. There was a moderate level of effort put into this campaign, and we haven't fully analyzed every single thing it does as of yet,” said Troy Mursch, chief research officer and co-founder of Bad Packets LLC, who discovered this campaign. This operation is believed to be scanning over 59,000 IP networks for exposed Docker instances. Once an exposed host has been identified, the API endpoint is used to start an Alpine Linux OS container where it runs a certain command. Then, XMRRig cryptocurrency miner is installed. In the past two days, the hackers have reportedly mined Monero coins that are worth more than £800. This operation is also armed with a self-defense measure. It uninstalls known monitoring agents and kills certain processes. Researchers observed that apart from security tools, rival cryptocurrency-mining botnets were also shut down by this operation. Apart from this, a function of the malicious script was also found to be looking for rConfig configuration files that it encrypts and steals. The stolen files were being sent to the command-and-control server. If you run a Docket instance, experts recommend checking for exposed API endpoints on the internet, closing the ports, and terminating unrecognized running containers.


Hackers target third-party payment processing page to phish victims

A card-skimming scheme involving a retailer’s third-party payment service platform (PSP) was revealed by researchers from the security firm Malwarebytes. Here, hackers created a phishing page to swap it with the genuine PSP processing page. Many e-commerce websites outsource their financial transactions to a secure page operated by payment service providers (PSPs). In this scam, researchers of Malwarebytes uncovered a fraud where the malicious actors would switch the genuine payment processing page with a fraudulent one. Personal and financial data of authentic customers visiting the phishing page was being exfiltrated to an attacker-controlled server. The skimmer-phishing page, reportedly, was a copy of a legit CommWeb payment processing page from CommonwealthBank in Australia. The researchers came across a newly registered malicious domain, “payment-mastercard[.]com,” that contained a skimmer like this one, as well as the more unique one that imitates the PSP. After a victim’s data is entered and exfiltrated, the user will be redirected to a legit payment site for Commonwealth Bank, displaying the correct amount purchased. Malwarebytes researchers suggested that the scam appears to be the brainchild of a cybercriminal group skilled in using phishing templates and web skimmers, including a skimmer called ga.js, which’s loaded as a fake Google Analytics library. 


Insecure database exposes millions of SMS messages

Tens of millions of SMS messages have been found on an unprotected database, putting the private data of hundreds of millions of people at risk for theft or exposure and leaving a communications company open for potential intrusion, security researchers discovered. Noam Rotem and Ran Locar from the research team of vpnMentor found the database, which they said belongs to TrueDialog according to a blog post. Based in Austin, Texas, TrueDialog provides bulk SMS services for small businesses, colleges and universities, which means that the majority of the messages were business-related, researchers said. Moreover, the insecure database was linked to many aspects of TrueDialog’s business, potentially increasing unauthorized access to the data of millions of people as well as exposing an unusually diverse data set, they said. Despite companies knowing the risks of leaving data unprotected online in this era of cloud-based storage, insecure databases are a persistent problem and remain one of the leading ways data breaches occur. These breaches not only leave customers and users of the companies who exposed the data at risk, but also leave the owners of the databases more susceptible to security threats as well. Types of data found unprotected included: full names of message recipients, TrueDialog account holders and TrueDialog users; message content; email addresses; phone numbers of both recipients and account users; dates and times that messages were sent; and message status indicators. The account details of TrueDialog account holders also were exposed in the messages, researchers said.


SDKs misused to scrape Twitter, Facebook account information

Twitter and Facebook are warning of software development kits (SDKs) that could be embedded within a mobile application and used to harvest personal user information. The SDKs, which the tech giants said are maintained by oneAudience and MobiBurn, could be used by mobile app developers to craft malicious applications that ask for permission to access social-media information. From there, the apps can scrape profile information, such as email addresses, usernames, gender, last tweets and so on, according to Twitter. The activity violates both companies’ data privacy policies, which prohibit allowing third parties to harvest profile information for data monetization purposes. That was a change implemented in the wake of the Cambridge Analytica scandal, in which Facebook allowed a third-party application to scrape and then hand over the data of up to 50 million platform users to the company. That data was then combined with other data to create highly detailed profiles that the Trump campaign used to micro-target population segments with 2016 election messaging. Twitter informed Google and Apple about the issue, it said. Facebook characterized the SDK-makers as actively participating in malicious activity.


Edited and compiled by cyber security specialist James Aguilan.