Never trust links sent with urgency
TLDR: A friend's account was phished and then used to attempt to phish other users on their Steam friends list.
Introduction
You need to be wary of links whenever someone sends you one and puts an emphasis on urgency, pushing you to sign up or click right away. Today I logged onto my Steam account and a friend instantly messaged me asking me to join as a ringer for their PUBG squad. A tournament was about to begin and he stressed that he needed me to fill in for a teammate who was running late. The request seemed odd, but I figured it was possible, especially since he mentioned his real-life name. That was until I noticed how he was structuring his sentences and his grammar. Something seemed off...
Initial Investigation
To begin with, I'm already seeing some red flags here.
- He messaged me as soon as I went online (less than a minute)
- Grammar
- Urgency to join a game we haven't played in months
Too many signs for me to ignore. The next thing I did was open up a VM to start investigating the website.
Now, clicking on the sign up button takes us to a login page:
Now there's another red flag: opening the developer tools triggers a JavaScript "debugger;" statement that pauses execution. Clearly they don't want us looking at anything. Unchecking "Pause on debugger statement" lets us bypass this interrupt so we can continue inspecting the HTML/JavaScript.
The page has some Russian comments in it and some base64 encoded values. There's also some obfuscated JavaScript being loaded, but I won't be digging into that today. Viewing the page source, we can find this laughable login check code that doesn't work no matter what you enter, because they want you to log in using your Steam account. If you don't enter a username or password you get an error saying "Fields username and password is required." and if you enter anything into both fields it doesn't even attempt to log in. It just gives you another error saying "This user doesn't exist..". That's right, another red flag. Why would a login form not let me log in no matter what? Hmm? Probably to make users think it's a legit site in order to get those juicy Steam account credentials.
<script type="text/javascript">
    let button = document.getElementById("button_submit");
    let errorSection = document.getElementById("error_section");
    button.addEventListener("click", function (e) {
        // The form is never actually submitted; every click ends in an error message.
        e.preventDefault();
        let username = document.getElementById("inlineFormInputGroupUsername");
        let password = document.getElementById("inlineFormInputGroupPassword");
        if (username.value == null || username.value == '' || password.value == null || password.value == '') {
            generateError("Fields username and password is required.")
        } else {
            // No request is made; any non-empty input is rejected unconditionally.
            generateError("This user doesn’t exist..")
        }
    });
    function generateError($message) {
        errorSection.innerHTML = "";
        let errorMessage = document.createElement("div");
        errorMessage.setAttribute("class", "alert alert-danger");
        errorMessage.innerText = $message;
        errorSection.appendChild(errorMessage);
    }
</script>
So what's the problem?
The problem is that the "Sign in with Steam" button on that page redirects to a fake Steam login page, which relies on the end user not checking where they're submitting their credentials. This is also known as a covert redirect. More information is available here: https://oauth.net/advisories/2014-1-covert-redirect/
The URL being navigated to is: steamcommunity.com/openid/loginform/?openid.ns=https%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.return_to=https%3A%2F%2Fhttps://auth.portal-legion.com%2F%3Flogin&openid.realm=https%3A%2F%2Fhttps://auth.portal-legion.com&openid.ns.sreg=https%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.claimed_id=https%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=https%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select
Breaking this down, we can see the openid.return_to property is set to https://auth.portal-legion.com/login and the openid.realm is specified as https://auth.portal-legion.com. Essentially, this is saying that auth.portal-legion.com is the authoritative server, and as such the credentials the user sends through here are going right to the owner of auth.portal-legion.com.
How it works:
- Fake Return URL: The URL contains openid.return_to and openid.realm parameters, which point to https://auth.portal-legion.com/. This domain is not related to Steam, and the URL could redirect users to a phishing site that looks like the official Steam login page.
- Double URL Encoding: The openid.return_to and openid.realm parameters include doubled https:// URLs (https%3A%2F%2Fhttps://auth.portal-legion.com). While this can appear unusual, it might be used to obfuscate the phishing site's URL, making it harder to spot for users who don't carefully check the destination URL.
- Capturing Credentials: Once a user submits their login information on the phishing page (auth.portal-legion.com in this case), the malicious actors can capture those credentials. They may also capture OpenID tokens if the process involves additional security elements like two-factor authentication (2FA).
- Exploiting Redirects: OpenID relies on redirection to authenticate users. A malicious actor exploits this by setting the openid.return_to parameter to redirect users to a website they control. If users don't notice they're being redirected away from a legitimate Steam page, they could easily fall for the scam.
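To make the breakdown above concrete, here is an added example (not code from the original post) that pulls the openid.return_to and openid.realm parameters out of an OpenID 2.0 login URL, reports which host each one actually points at, and flags the doubled "https://https://" scheme. PHISHING_URL is the URL quoted above; BENIGN_URL, the host example-tournament.test and the expectedHost value tournament-site.example are constructed placeholders, since the post does not name the tournament site's domain.

```javascript
// Added example, not code from the original post: inspect an OpenID 2.0 login URL and
// report where the user is sent after authenticating. PHISHING_URL is the URL quoted in
// the post; BENIGN_URL and every *.example/*.test host are constructed for illustration.
const PHISHING_URL = "steamcommunity.com/openid/loginform/?openid.ns=https%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0" +
  "&openid.mode=checkid_setup&openid.return_to=https%3A%2F%2Fhttps://auth.portal-legion.com%2F%3Flogin" +
  "&openid.realm=https%3A%2F%2Fhttps://auth.portal-legion.com";
const BENIGN_URL = "https://steamcommunity.com/openid/login?openid.mode=checkid_setup" +
  "&openid.return_to=https%3A%2F%2Fexample-tournament.test%2Fauth%2Fcallback" +
  "&openid.realm=https%3A%2F%2Fexample-tournament.test";

// Host that a parameter value points at, even when the scheme is doubled ("https://https://host").
function hostOf(value) {
  const stripped = value.replace(/^(https?:\/\/)+/i, "");
  const m = stripped.match(/^([^\/?#]+)/);
  return m ? m[1].toLowerCase() : "";
}

// expectedHost: the site the user believes they are signing in from (the OpenID relying party).
function analyzeOpenIdUrl(rawUrl, expectedHost) {
  // The URL captured in the post has no scheme; add one so the WHATWG URL parser accepts it.
  const url = new URL(/^https?:\/\//i.test(rawUrl) ? rawUrl : "https://" + rawUrl);
  // searchParams percent-decodes once, so %3A%2F%2F becomes :// here.
  const returnTo = url.searchParams.get("openid.return_to") || "";
  const realm = url.searchParams.get("openid.realm") || "";
  const findings = [];

  for (const [name, value] of [["openid.return_to", returnTo], ["openid.realm", realm]]) {
    if (/^https?:\/\/https?:\/\//i.test(value)) {
      findings.push(`${name} has a doubled scheme: ${value}`);
    }
    const host = hostOf(value);
    if (host !== expectedHost && !host.endsWith("." + expectedHost)) {
      findings.push(`${name} sends the user to ${host}, not ${expectedHost}`);
    }
  }
  // OpenID 2.0 requires return_to to fall under the realm; disagreement is its own red flag.
  if (hostOf(returnTo) !== hostOf(realm)) {
    findings.push("openid.return_to and openid.realm point at different hosts");
  }
  return { returnHost: hostOf(returnTo), realmHost: hostOf(realm), findings };
}

console.log(analyzeOpenIdUrl(PHISHING_URL, "tournament-site.example"));
console.log(analyzeOpenIdUrl(BENIGN_URL, "example-tournament.test"));
```

Run with Node; the first call reports four findings against auth.portal-legion.com, the second none.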
Conclusion
Always be wary of links that others send you. It doesn't matter if it comes from someone you know: check any forms you're logging into and any applications you're granting access to. This is a real-life example of a phishing campaign currently going on, so please double check what you're clicking on and stay safe out there!
P.S. I notified my friend, who's currently trying to regain access to his account. I've also reached out to Steam to report this malicious site.