The Inquirer reports that security firm Malwarebytes (opens in new tab) has discovered a way to steal Steam accounts by bypassing Steam Guard.
Typically, when a Steam customer tries to log in using a different PC, a different browser and/or a different device, a pop-up window will appear asking to enter a code that is delivered to the user's email address. Without this code, it's nearly impossible to log into the account.
However, in order for scammers to break into a Steam account, the victim must be driven to a fake login page. "Typically a Steam phish page asks for Username and Password, like all phish attacks - often these can be foiled by enabling Steam Guard on your account," said Malwarebytes intelligence analyst Christopher Boyd.
The fake Steam page will present the same pop-up Steam Guard window, but will ask for something different: the user's SSFN file. This file is what prevents users from having to reveal their identity through Steam Guard each time they try to log into their account via a browser. If the user deletes this file, then he/she would be required to identify themselves again, thus generating a new SSFN file.
Thus in order to get into a user's account, all hackers supposedly have to do is take that SSFN file and drop it into the Steam directory on the scammer's computer.
"We did some testing and can confirm that this technique - asking a victim to send their SSFN file to the scammer - does indeed work," Boyd explained. But if the Steam user tries to log in from a different computer or browser, they will get the original credentials request. At this point, the hacker can't get into the account unless he/she has control over the user's email address.
So why is stealing a Steam account a big deal other than acquiring a boat-load of free games?
"Compromised Steam accounts are big business, especially for those wanting to hijack accounts which have rare in-game items in their inventory. They'll 'trade' the items off to an account owned by the scammer, who will then go on to sell them for their own gain on the Steam Marketplace, buying games with the newly acquired funds in their Steam Wallet," Boyd said.
Hackers will also have access to the victim's purchase library, and be able to change the account's current email address, the current password, disable Steam Guard, change the payment info and so on. Of course, if users don't store their credit card information in Steam, that's one less thing to worry about.
Valve Software is currently aware of the issue, and the forum moderators are alerting all Steam users. Unfortunately, the report doesn't say how users end up on a fake Steam login page. Just keep in mind that if anyone asks for the SSFN file, ignore the request because handing that file over will be very bad news.