New malware spreads over Twitch chat, targets Steam accounts
If you use gaming video streaming site Twitch, you’ll want to be careful what you click on. A new piece of malware spread through Twitch’s chat feature will attempt to bleed your Steam account dry, according to security software maker F-Secure.
The malware spreads through messages posted to Twitch chat that try to entice users into entering a weekly raffle. Click on the link, and a Java program will open up a phony raffle entry form.
Once you fill out and submit the form (which, according to F-Secure, doesn’t actually get sent anywhere), the malware goes to work. It installs and runs a Windows binary that can gain access to your Steam account and add friends, accept friend requests, trade items, and sell items in the market at a discount.
As a result, the malware can “wipe your Steam wallet, armory, and inventory dry,” according to F-Secure, and sell your items at a discount on the Steam Community Market. The idea here is that the attacker can sell uninteresting items from your account, then buy themselves more interesting items. Shady.
Since this all happens on your system, it bypasses Steam’s security measures to prevent others from logging into your account on another PC. F-Secure recommends that Steam add new security measures “for those trading several items to a newly added friend and for selling items in the market with a low price based on a certain threshold.”
[Update, September 13, 2014, 10:22pm: Twitch tells PCWorld that it has since blocked the link to the malware in question and has reminded its users to avoid clicking on links from people they don't know, "just like they wouldn't do on any other social media sites." The company tells us that it has received only two reports from users regarding this malware.
Twitch also says that you can block links from appearing in your chat, thereby preventing others from posting malicious links or spam altogether.]
Regardless, be careful what you click on, and don’t enter raffles and giveaways from people or companies you don’t know and trust. While you're at it, read our guide on how to guard against other devious security traps.