Sunday, 15 April 2012

TF2 scamming through links (cross-site scripting)

Another day, another scammer

I wasn't really planning to do more posts on this blog, but today something came to my attention that I do not want to let go. Maybe you have read about it already, but Steam has a huge security hole that allows scammers to take control of your trade window.

Basically, it works like this:
  1. Scammer approaches you while you are ingame or asks you to go ingame
  2. Scammer opens a trade window with you
  3. While the trade window is open, the scammer asks you to open a link he prepared for you under some excuse
  4. The link contains custom JavaScript that, when opened in the Steam (in-game) browser, places your items into the trade and clicks accept for you
  5. The scammer has your items and deletes the custom URL so you cannot analyze what happened.
The nerds call this a cross-site scripting attack: the attacker uses code from his own malicious site (tf2-items.com) to influence what happens on the target site (the Steam trade window), hence "cross-site". Whether that is cross-site scripting in the strict sense (script injected into the target site's own pages) depends on how the in-game browser exposes the trade window; what matters is that script from an attacker's site gets to act on your logged-in trading session. This is a huge security flaw and Valve should really get this fixed as fast as possible.

Real life example

Apparently even being "Steam Batman" doesn't protect you from being the target of these attacks.

Check out this screenshot:



The guy had randomly added me and asked for my Larrikin Robin with Green Confetti, an Unusual hat worth maybe 2-3 buds. He pretended to be interested in paying my B/O (buyout), which is usually overpriced: first red flag. I opened his profile and it was set to private: second red flag. After I opened my trade window, he sent me the URL tf2-items.com/id/zakmcrofl, which is scarily similar to a real tf2items.com URL (http://tf2items.com/id/zakmcrofl); the only difference is the hyphen in the domain name.

Using Wireshark to get his IP

Luckily I had already heard of this kind of attack, so I closed the trade window and obtained his IP address using the Wireshark method:

  1. Install Wireshark
  2. Open it and in the interface list, select the interface that connects you to the internet
  3. Set the display filter to "frame.len == 98"
  4. Send a Voice Chat request to the scammer. It doesn't matter if he accepts or ignores it
  5. Check the Wireshark log for the IP.

The 98-byte length is what the NAT traversal packets had in this capture; if nothing shows up, widen the filter to "udp" and look for the public address that starts exchanging packets with you the moment you send the request.
Here is how it looked in this case:


Apparently Steam (usually) uses UDP NAT traversal for voice chat, and those packets include information about the private network on both sides. In this example, 192.168.100.1 is my local IP, 76.69.4.79 is the scammer's public (internet) IP and 192.168.2.11 is his local IP address within his own network. This is very interesting information if the public address belongs to a university and the local IP is static within the dorms.
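The same check as a script, as an added example that is not part of the original post: it walks a packet capture, keeps the IPv4/UDP frames, drops private and other non-routable addresses, and ranks what is left, optionally restricted to the 98-byte frames the Wireshark filter above selects. It assumes classic libpcap framing (Ethernet II / IPv4 / UDP); the capture it builds is constructed for the demo and only reuses the addresses quoted in this post, it is not a real Steam capture.

```python
"""Added example (not part of the original post): pull the voice-chat peer's
public IP out of a packet capture the way the Wireshark "frame.len == 98"
filter does, without trusting a fixed frame size.

Assumed framing: classic libpcap file, Ethernet II / IPv4 / UDP. The sample
capture below is constructed for the demo and only reuses the addresses
quoted in the post; it is not a real Steam capture.
"""
import ipaddress
import struct

ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_UDP = 17


def build_udp_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Build an Ethernet/IPv4/UDP frame (checksums left zero; fine for parsing)."""
    eth = b"\x00" * 12 + ETHERTYPE_IPV4          # dst MAC, src MAC, EtherType
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
        ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    return eth + ip_hdr + udp_hdr + payload


def build_pcap(frames):
    """Wrap frames in a classic little-endian libpcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1334440000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_udp(pcap_bytes):
    """Yield (frame_len, src, dst, sport, dport) for every IPv4/UDP frame."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 14 + 20 + 8 or frame[12:14] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != IPPROTO_UDP or len(frame) < 14 + ihl + 8:
            continue
        src = ipaddress.IPv4Address(frame[14 + 12:14 + 16])
        dst = ipaddress.IPv4Address(frame[14 + 16:14 + 20])
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield len(frame), src, dst, sport, dport


def peer_candidates(pcap_bytes, frame_len=None):
    """Rank public (non-RFC1918, non-loopback, non-multicast, non-link-local)
    addresses by how often they appear. frame_len=98 reproduces the post's
    filter; with frame_len=None you see every public peer, which also includes
    Steam's own servers, so the address that starts talking the moment you send
    the voice request is the one you want."""
    counts = {}
    for flen, src, dst, _sport, _dport in iter_udp(pcap_bytes):
        if frame_len is not None and flen != frame_len:
            continue
        for addr in (src, dst):
            if addr.is_private or addr.is_loopback or addr.is_multicast or addr.is_link_local:
                continue
            counts[str(addr)] = counts.get(str(addr), 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def sample_capture():
    """Constructed capture: two 98-byte probes between the victim's LAN host and
    the scammer's public IP, plus one unrelated DNS-sized packet. All made up."""
    probe = b"\x00" * 56                         # 14 + 20 + 8 + 56 = 98 bytes on the wire
    return build_pcap([
        build_udp_frame("192.168.100.1", "8.8.8.8", 53123, 53, b"\x00" * 30),
        build_udp_frame("192.168.100.1", "76.69.4.79", 27015, 27015, probe),
        build_udp_frame("76.69.4.79", "192.168.100.1", 27015, 27015, probe),
    ])


if __name__ == "__main__":
    for addr, n in peer_candidates(sample_capture(), frame_len=98):
        print(f"{addr}: {n} frames of 98 bytes")
```

To use it on a real capture, save the Wireshark session as a classic .pcap (not pcapng), read the file's bytes and pass them to `peer_candidates`; the private addresses embedded in the NAT traversal payload are not parsed here, since this example does not assume anything about that payload format.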

Don't be hasty

Unfortunately I was a little hasty in scaring him off by posting his IP in the chat. There realistically isn't much I can do with this information, but I can still hope he notices he is not anonymous. What I should have done is analyze the JavaScript code he had on that URL, but unfortunately it shows different content when viewed with a non-Steam browser. The detection is most likely done by User-Agent, but I had that idea too late. By the time I had faked the User-Agent in Firefox, he had already removed the URL.
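One way to do that analysis, as an added example that is not code from the original post: fetch the suspect link once as a normal browser and once with a Steam-looking User-Agent, then list the scripts only the "Steam" response receives. The `STEAM_UA` string is an assumption modelled on the overlay's "Valve Steam GameOverlay" token (exact version fields vary); the two HTML bodies at the bottom, including the `/assets/trade.js` and `grabItems` names, are constructed for the demo. Run the fetch from a machine that is not logged into Steam: you are still loading an attacker's page.

```python
"""Added example (not part of the original post): fetch a suspect link as a
normal browser and as the Steam overlay browser, then list the scripts that
only the overlay version receives. That is the cloaking the post suspects:
script served only when the User-Agent looks like Steam.

Assumptions: the overlay identifies itself with a "Valve Steam GameOverlay"
token in its User-Agent (STEAM_UA below is modelled on that; exact version
fields vary). The two HTML bodies at the bottom are constructed for the demo.
"""
from html.parser import HTMLParser
import urllib.request

STEAM_UA = ("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; Valve Steam GameOverlay; ) "
            "AppleWebKit/535.15 (KHTML, like Gecko) Chrome/18.0.989.0 Safari/535.11")
NORMAL_UA = "Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0"


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def extract_scripts(html):
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return {"external": p.external, "inline": p.inline}


def cloaked_scripts(normal_html, steam_html):
    """Scripts present in the Steam-UA response but absent from the normal one."""
    normal, steam = extract_scripts(normal_html), extract_scripts(steam_html)
    return {
        "external": [s for s in steam["external"] if s not in normal["external"]],
        "inline": [s for s in steam["inline"] if s not in normal["inline"]],
    }


def fetch(url, user_agent, timeout=15):
    """Plain urllib GET with a chosen User-Agent (not called in the demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def compare_url(url):
    """Fetch the same URL under both User-Agents and report the difference."""
    return cloaked_scripts(fetch(url, NORMAL_UA), fetch(url, STEAM_UA))


# Constructed sample bodies standing in for the two responses (made up).
NORMAL_SAMPLE = """<html><body><h1>Backpack</h1>
<script src="/assets/app.js"></script>
<script>trackPageview();</script>
</body></html>"""

STEAM_SAMPLE = """<html><body><h1>Backpack</h1>
<script src="/assets/app.js"></script>
<script src="/assets/trade.js"></script>
<script>trackPageview();</script>
<script>setTimeout(grabItems, 500);</script>
</body></html>"""


if __name__ == "__main__":
    print(cloaked_scripts(NORMAL_SAMPLE, STEAM_SAMPLE))
```

Save both responses to disk as soon as you have them; as the post shows, the attacker can take the URL down within minutes, and the saved copies are the only evidence you will get.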

How to protect yourself

  1. Always check the profile of people asking for unusuals. If it is private or if you cannot view their inventory, do not trade with them (they are doing this to hide their stolen goods). Other tells are very little play time (newbies do not buy unusuals) or a freshly created account.
  2. Do NOT click any links until this exploit is fixed. If you must check out a link, close the trade window first and don't open it ingame. Your normal browser should be safe against this kind of attack, because the script needs the in-game (Steam overlay) browser to reach your trade window.



1 comment:

  1. Well, I wish Steam Batman could help me also. I have lost 2 knives to scammers and it greatly upsets me! I wish stupid Steam and Valve would take action to prevent scams from happening.
