Counter-Strike: Global Offensive Chrome extensions raid your Steam account

Graham Cluley

Counter-Strike: Global Offensive Chrome extensions raid your Steam account

Counter Strike Global Offensive

Steam users are being warned to be on their guard after criminals created rogue browser add-ons designed to steal from the accounts of video games fans.

Security researcher Bart Blaze describes how a Steam user has created a number of Chrome browser extensions for online first-person shooter “Counter-Strike: Global Offensive” (also known as CS:GO).

Don’t be in too much of a hurry to install the Chrome extensions, however, which have names like CSGODouble Theme Changer, CS:GO Double Withdraw Helper, Csgodouble AutoGambling Bot and Improved CSGODouble.

CS:GO Chrome extension

CS:GO Chrome extension

With the extensions installed in your Chrome browser, your Steam inventory items will be stolen, and items you attempt to trade with other Steam users will actually end up with the scammer behind the extensions instead.

Bart Blaze says that examination of the rogue Chrome extensions’ code reveals that the userid of the Steam user that will receive the stolen goods, and has linked them with a user calling themselves “Delta”.

Extension code

Steam user Delta

The good news is that it is fairly simple to uninstall an unwanted Chrome extensions:

To remove an extension from Google Chrome:

  1. On your browser, click menu .
  2. Select More tools > Extensions.
  3. On the extension you want to remove, click Remove from Chrome .
  4. A notice to remove the extension will appear. Click Remove.

Remember, the fact that an add-on or extension has been made available for your browser is no guarantee that it hasn’t been coded with malice in mind.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

3 Replies to “Counter-Strike: Global Offensive Chrome extensions raid your Steam account”

  1. 'Bart Blaze says that examination of the rogue Chrome extensions' code reveals that the userid of the Steam user that will receive the stolen goods, and has linked them with a user calling themselves "Delta".'

    Well that was stupid. It doesn't even seem obfuscated (maybe they ran a beautifier on it ?). Certainly this isn't an experienced programmer who is behind this. I guess that's a good thing.

    'Remember, the fact that an add-on or extension has been made available for your browser is no guarantee that it hasn't been coded with malice in mind.'

    That's worth repeating: there is no guarantee that software hasn't been programmed in a malicious way; even software that might normally be legit can be compromised (whether deliberately by the developer or by a third party isn't relevant in the sense of it is no longer as safe as it might have been … and this could simply be a bug!).

    1. Hey Coyote,

      There was indeed no obfuscation whatsoever. The part of the script you see in the screenshot was beautified by my, however.

      I'm pretty sure that at some point (if not already, I'll be checking to see if I can find more soon), those will come up as well.

      Cheers
      Bart
      @bartblaze

  2. The new Steamguard Sytem should not allow unidentified trades since the mobile 2-Step authentication

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET UPDATES