CS:GO Phishing Site Spotted
A new CS:GO phishing site has popped up. It looks like CS:GO enthusiasts are being targeted again. This time, the site being duplicated is the CS:GO Lounge, a website where fans of CS:GO can trade items and place bets on competitive games.
CS:GO is being targeted again with a new phishing page that resembles the real CS:GO Lounge.
This particular site has the URL csgoloungcs[dot]com, which may seem obviously fake to some, but at a quick glance you may overlook the rest of the URL because the first seven or so letters correspond to the real website. Sometimes it’s easy to click on something that looks similar if it’s presented to you in a sneaky fashion. The site is designed to steal login information as well as to be a platform for dropping other malware.
There are, however, a few things that stand out as being different from the official page. Malwarebytes has been kind enough to point out the differences below.
- The real CS:GO Lounge (csgolounge.com) page has an ad at the right side of the screen just below its social network links.
- The real Lounge only has five (5) menu options at the right-hand side, specifically Forum, Reddit, User’s guide, Rules, and Contact. The fake Lounge has an extra option, which is Bot status.
- The real Lounge has a Search feature at the top of the page.
Just as on the real CS:GO Lounge page, you have to log in to use any of the services, and the fake page happily provides a way to do so. It even presents a strikingly similar-looking Steam Community page to log in with. Signing in prompts something that looks like a second-factor authentication link asking you to verify your identity even further, though it prompts a download instead of asking for a second key.
There is a link embedded in an iframe that points to a Google Drive location that hosts the file that’s downloaded, Steam Activation.exe. That file is certainly not an activation program and is definitely not an official piece of Steam software. I’m almost 100% positive that it doesn’t enable any new Steam VR stuff either.
The download doesn’t have anything to do with authentication, at least not by you. Instead, it’s a trojan that might let someone else authenticate as you after it steals some information.
Using misspelled URLs to lure unsuspecting individuals onto a particular page is a time-tested tactic. It works with surprising accuracy if the word is misspelled in a way that goes undetected at a cursory glance. These URLs can be placed in malicious ads until they are detected, and can come in emails and sometimes even in search results. If the misspelling is a common one when typing fast, you may accidentally type it in yourself. I know my fingers have moved a bit too fast for my brain and accidentally tried to access a page that wasn’t too friendly.
It happens, but good browsing habits and a good anti-malware solution can help greatly. Emerging threats may not necessarily be detected as fast as we would like, but protecting against older threats is still a good idea too. Sometimes that’s what’s used anyway.
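The misspelled-URL check described above can be automated. The following is an added example, not code from the original article or from Malwarebytes: it compares a hostname against a short list of protected domains using edit distance and shared-prefix length. The protected list, the thresholds and all function names are assumptions chosen for illustration.

```python
# Added example: flag hostnames that imitate a protected domain.
# PROTECTED and the thresholds below are illustrative assumptions.
PROTECTED = ["csgolounge.com", "steamcommunity.com"]

def registrable(host):
    """Naive registrable domain: last two labels (assumes no multi-part TLDs)."""
    host = host.lower().replace("[dot]", ".").rstrip(".")  # accept defanged input
    return ".".join(host.split(".")[-2:])

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, the classic fast-typing mistake.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]

def common_prefix(a, b):
    """Number of leading characters the two strings share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def check_host(host, max_distance=2, min_prefix=7):
    """Return (verdict, matched): verdict is 'legit', 'lookalike' or 'unrelated'."""
    dom = registrable(host)
    if dom in PROTECTED:
        return ("legit", dom)
    name = dom.split(".")[0]
    for good in PROTECTED:
        good_name = good.split(".")[0]
        if osa_distance(dom, good) <= max_distance:
            return ("lookalike", good)
        # Same opening letters and similar length: what a quick glance misses.
        if (common_prefix(name, good_name) >= min_prefix
                and abs(len(name) - len(good_name)) <= 2):
            return ("lookalike", good)
    return ("unrelated", None)
```

A check like this fits in a mail gateway or proxy log review, where a `lookalike` verdict is a reason to block or inspect the request rather than proof of malice.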