Malware Distribution Targeting Competitive TF2 Pla
#1 (0 Frags)

X-post from /r/truetf2

Hey everyone! I've been recently messaged by a random individual attempting to get me to join a scrim/game. Innocent enough, until my version of mumble came up. He sent me a link to an older version of mumble due to some server name things or something, which is when I became mighty suspicious.

I started digging. First things first, I found this older thread on reddit of a similar story (confirming my suspicions). If you want to compare that story to mine, the conversation I had will be posted below. http://www.reddit.com/r/tf2trade/comments/2i18gz/psa_a_new_from_what_ive_seen_phishing_technique/

What's interesting is that this attack seems to be targeting competitive TF2 players, given that one of the first things he said was that he was in UGC Silver (a level I've played at before). He had a team name and server "info" set up well in advance to assist in the attack should I drop the questions.

I immediately reported him to Valve, but I wasn't done yet. I have a friend who deals in security who inspected the files for me, so I shot him the files and he started digging. Upon inspection of the fake mumble (at least the file actually installed mumble), it was found to reference several other external files from another site. Site/links have been expunged for your safety.

All of this led to the discovery that the files would give the phishers the ability to have remote control of your computer with the possibility (should they so choose) to add you to a botnet. The malware had already been analyzed by malwr.com, so for you code junkies, the data's in the link.

As I didn't want this to happen to any others, I continued. The URL sent mentioned mumble by name and distributed mumble with malicious software, so I've contacted the mumble developers to alert them of the site so they can take it down. In addition, I've contacted the site hosting the malicious code so they can also have it removed.

This is still a warning, however. There is a targeted attack on competitive TF2 members involving mumble, so keep your eyes peeled. My conversation is below so you can have a reference should you believe you are also being targeted. Be careful!

3:59 AM - Kenny: hello mate
3:59 AM - Kenny: just added you for one ask
4:42 AM - TideMeist: Sure! What's up?
4:42 AM - Kenny: can you play +1 as stand-in for our team pls ?
4:42 AM - TideMeist: What's the team/league, and the time of the match, exactly?
4:43 AM - Kenny: FREE TREE
4:43 AM - Kenny: silver
4:43 AM - Kenny: in 15-20 minutes
4:44 AM - TideMeist: Sure! I can probably do it. I can't join in until about 15 minutes or so, so that matches up wonderfully.
4:44 AM - TideMeist: Any class in particular you need?
4:44 AM - Kenny: what is your better calss?
4:44 AM - Kenny: class*
4:44 AM - TideMeist: Pyro is hands down my best class.
4:44 AM - Kenny: pyrO?
4:44 AM - Kenny: oh weellllll
4:45 AM - Kenny: do you have microphone
4:45 AM - TideMeist: Yessir
4:45 AM - Kenny: mumble?
4:45 AM - Kenny: my team are using mumble voice chat
4:45 AM - Kenny: can you join to us?
4:46 AM - TideMeist: Same thing, in about fifteen minutes, but yes, I use mumble.
4:59 AM - Kenny is now Away.
5:18 AM - TideMeist: Mumble info?
5:23 AM - Kenny is now Online.
5:23 AM - Kenny: server Estonia room cs2
5:26 AM - TideMeist: Server address?
5:26 AM - TideMeist: And port, if you don't mind?
5:26 AM - Kenny: ohh
5:26 AM - Kenny: what version do you have?
5:26 AM - TideMeist: 1.2.8
5:27 AM - Kenny: delete this fucking version
5:27 AM - Kenny: only 1.2.5 can find all servers which doesnt has ip and port
5:27 AM - Kenny: [EXPUNGED]
5:27 AM - Kenny: server Estonia room cs2 we are waiting you
5:29 AM - Kenny: join?
5:29 AM - TideMeist: Gotta download and install. One moment.
5:29 AM - Kenny: only 1.2.5
5:31 AM - TideMeist: Speaking of which, what brought you to me, exactly?
5:32 AM - Kenny: we played early
5:32 AM - TideMeist: Yesterday?
5:32 AM - Kenny: forgot
5:32 AM - Kenny: maybe
5:33 AM - TideMeist: Are you guys playing this season?
5:34 AM - Kenny: no
5:34 AM - Kenny: yes i am playing but with other team
5:36 AM - Kenny: join mumble
5:36 AM - Kenny: ?
5:37 AM - TideMeist: Ok. I'm going to be straight with you. I already had that mumble version installed (and 1.2.8), and I know for a fact that both function identically. Estonia still isn't there, and on a brief search, I found a thread. A thread that feels MIGHTY familiar.
5:37 AM - TideMeist: http://www.reddit.com/r/tf2trade/comments/2i18gz/psa_a_new_from_what_ive_seen_phishing_technique/
5:38 AM - TideMeist: I never clicked your link, and I've already reported you. I don't take kindly to liars. Cheaters, sure, whatever, but liars are a different story for me.
5:38 AM - Kenny is now Offline.

UPDATE: I've been contacted by one of the developers of mumble, and they now know about this phishing technique. They are taking action against the expunged website.
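The lure in this thread is an installer that is genuinely an older Mumble release but repackaged to pull in extra files. The practical defender-side check is to verify an installer's provenance before running it, whatever site served the download. The PowerShell below is an added example, not code from the thread or from the Mumble project; it assumes you have the SHA-256 the vendor publishes for that release and the name on the vendor's code-signing certificate (both placeholders here). A real older release still matches the vendor's published hash and carries the vendor's signature; a repackaged one fails at least one of the two checks.

```powershell
# Added example (not from the thread or the Mumble project): verify a downloaded
# installer's content hash and Authenticode signature before running it.
# Assumed inputs: installer path, the SHA-256 from the official release page, and a
# substring expected in the signer certificate's Subject. Values below are placeholders.

function Test-InstallerProvenance {
    param(
        [Parameter(Mandatory = $true)] [string] $InstallerPath,
        [Parameter(Mandatory = $true)] [string] $ExpectedSha256,        # published by the vendor
        [Parameter(Mandatory = $true)] [string] $ExpectedSignerPattern  # e.g. vendor name in the cert Subject
    )

    if (-not (Test-Path -LiteralPath $InstallerPath)) {
        throw "Installer not found: $InstallerPath"
    }

    # 1. Content check: the bytes must match the hash the vendor published,
    #    regardless of which site actually served the download.
    $actualHash  = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
    $hashMatches = $actualHash -eq $ExpectedSha256.ToUpperInvariant()

    # 2. Signature check: status must be Valid AND the signer must be the vendor.
    #    "Valid" alone only says some trusted certificate signed the file.
    $sig         = Get-AuthenticodeSignature -LiteralPath $InstallerPath
    $sigValid    = $sig.Status -eq 'Valid'
    $signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $signerMatch = $sigValid -and ($signer -like "*$ExpectedSignerPattern*")

    [pscustomobject]@{
        Path            = $InstallerPath
        Sha256          = $actualHash
        HashMatches     = $hashMatches
        SignatureStatus = $sig.Status
        Signer          = $signer
        SignerMatches   = $signerMatch
        SafeToRun       = $hashMatches -and $signerMatch
    }
}

# Usage: replace the placeholder values with the ones from the vendor's release page.
$result = Test-InstallerProvenance `
    -InstallerPath         "$env:USERPROFILE\Downloads\mumble-setup.exe" `
    -ExpectedSha256        'REPLACE-WITH-OFFICIAL-SHA256' `
    -ExpectedSignerPattern 'REPLACE-WITH-VENDOR-NAME'

$result | Format-List
if (-not $result.SafeToRun) { Write-Warning 'Provenance check failed; do not run this installer.' }
```

Both checks matter: a hash match proves the file is byte-for-byte the vendor's release, and the signer match proves who built it. A "1.2.5 only" style request that fails either check is the signal to stop, exactly the situation the post describes.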

#2 (6 Frags)

Good job man
#3 (4 Frags)

they do this for dota and i believe csgo as well. sometimes the voip program changes (ventrilo, teamspeak, raidcall, etc). be careful out there.
#4 (5 Frags)

Props to you man, since you went through all that effort and decided to inform us. Looks like phishers are evolving even more niche methods by the day. Thanks again for the heads up!
#5 (5 Frags)
[quote=CitroMaind]I immediately reported him to Valve, but I wasn't done yet.[/quote]

god bless

honestly though, i'd be skeptical of any random stranger wanting me to ring for them.
#6 (18 Frags)

id be skeptical of any stranger wanting anything
#7 (2 Frags)

Thanks for the headsup
#8 (8 Frags)

.
#9 (0 Frags)

You could also ask for tf2 server info and join that before. Could be a quick way to sanity check the request.
#10 (-12 Frags)

lol didnt steam teach u not to click links from random strangers? ez pz just the same phish technique just in a more complex way
#11 (0 Frags)

Thanks for posting it.

Wouldn't targeting competitive players be way more trouble than it's worth? In TF2 at least you can usually expect at least some level of basic technological understanding. I could see it working more in CSGO or Dota I guess
#12 (-1 Frags)
[quote=Alleal]Thanks for posting it.

Wouldn't targeting competitive players be way more trouble than it's worth? In TF2 at least you can usually expect at least some level of basic technological understanding. I could see it working more in CSGO or Dota I guess[/quote]

thats an interesting assumption

but no, in fact, people that play every game can fall for phishing scams
#13 (0 Frags)

actually had the exact same guy add me, the only difference was that he wanted me to visit some random website after asking me to merc (screeen.tf or something, dont remember). i believe hes targeting people signed up on etf2l