I got a message from one of my Steam friends who also streams on Twitch with 2k followers.

So I did a quick check of the website and noticed it’s not a gambling website at all; the only function it has is to ask for Steam login details, including the Steam Guard code, in order to log in and continue the theft with a new friend list to go through.

Was he targeted because he is a semi-popular streamer with over 400 Steam friends? Or was it just a coincidence?

Below is the analysis of the phishing website.

The phishing website itself is not a first-timer or unique; in fact I had already run into that phishing site via bots roaming Steam, spamming the link to everyone they can. However, the domain name had changed in between, because I already report the phishing websites to the web hosts, domain sellers, blacklists such as Google Safe Browsing and so on.

The index page of the phishing website


The "login" page


Note how the “login” page is loaded into a brand new pop-up element whose address is just about:blank, not a real web address.

Instead of opening a new website, it’s a blank pop-up which only contains HTML data. To be precise, it loads data from the same server as the index page, while the images and style data are loaded from Steam. That is the only reason why the web browser might indicate loading of data from Steam’s cloud provider, Akamai Technologies.

When you open that pop-up in developer tools you will see that most of the critical data is loaded from the phishing website; a normal OpenID login page only loads data from Steam and displays the web address on the toolbar above the pop-up. And when you are at a real Steam login page you will always see the secure text or lock icon in the address bar, depending on your browser, and the text before the web address should say Valve Corp [US].

Developer tools inspect
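The two checks described above (the pop-up's own address, and where its critical data comes from) can be written down as a small script; this is an added example, not code from the phishing site or from Steam. The Steam domain list, the resource type names and the sample URLs are assumptions constructed for illustration.

```javascript
// Assumption: domains Steam serves its login pages and assets from.
// Verify this list yourself before relying on it.
const STEAM_DOMAINS = ['steamcommunity.com', 'steampowered.com', 'steamstatic.com'];
// Resource kinds that can read or submit what the user types.
const CRITICAL_TYPES = new Set(['document', 'script', 'xhr', 'form']);

function parse(url) {
  try { return new URL(url); } catch { return null; } // unparsable => untrusted
}

// True only for a listed domain or a real subdomain of it, so a lookalike
// such as steamcommunity.com.login.example does not pass.
function isSteamHost(host) {
  const h = host.toLowerCase();
  return STEAM_DOMAINS.some((d) => h === d || h.endsWith('.' + d));
}

// popupUrl: address of the login window; resources: [{ url, type }] as
// listed in the developer tools network tab.
function assessLoginPopup(popupUrl, resources) {
  const findings = [];
  const page = parse(popupUrl);
  if (!page || page.protocol !== 'https:') {
    findings.push(`pop-up address is not an HTTPS page: ${popupUrl}`);
  } else if (!isSteamHost(page.hostname)) {
    findings.push(`pop-up host is not Steam: ${page.hostname}`);
  }
  for (const { url, type } of resources) {
    const res = parse(url);
    // Images and styles may really come from Steam; they prove nothing.
    if (CRITICAL_TYPES.has(type) && !(res && isSteamHost(res.hostname))) {
      findings.push(`${type} loaded from non-Steam host: ${url}`);
    }
  }
  return { suspicious: findings.length > 0, findings };
}

// Constructed sample: a pop-up like the one described in this post.
const phishingPopup = assessLoginPopup('about:blank', [
  { url: 'https://phish.example/login.js', type: 'script' },
  { url: 'https://phish.example/auth', type: 'form' },
  { url: 'https://steamcommunity.com/public/logo.png', type: 'image' },
]);
// Constructed sample: a pop-up served entirely from the assumed Steam domains.
const steamPopup = assessLoginPopup('https://steamcommunity.com/openid/login', [
  { url: 'https://steamcommunity.com/public/login.js', type: 'script' },
]);
console.log(phishingPopup, steamPopup);
```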


To avoid these phishing websites, just refrain from gambling; you never know who is running such websites and how they deal with pots, items, transferring of items and, most importantly, how the login and user accounts are handled.