Excellent. Welcome, everybody. Thank you for attending our talk. Today is going to be a talk about malware in the video game micro economy. We'll explain what that actually means in a little bit here, but first let's get into the agenda. We're going to cover who we are, kind of the history of scamming and gaming, backgrounds for non-gamers in the audience, which should hopefully be very few of you. Some of the interesting stats we got from some of the surveys we did for Steam players, looking at the attackers and some of the techniques they use and some of the tools they use, investigating the defenses that Valve and some of the other communities have put into place. And last, forecasting recommendations for the future.

Sure. So I'm Zach. This is Rusty. And just before we begin, just wanted to make sure that everyone knows that we're doing this talk of our own volition, has nothing to do with this. Yada, yada, yada, liability. Good stuff. Excellent. We just wanted to get Zach's in face time.

So history of scams. Scams have been around pretty much as long as video games have been around. Diablo II, some of the older ones, RuneScape was especially prevalent to this day. I think people still play RuneScape, which confuses me. I stopped playing when I was 13. Eve Online is another interesting one for scamming. Battle.net and Steam are sort of the more prevalent ones these days.

So let's dig in. Diablo II. You've got a couple interesting scamming techniques there. D&D, they called it the D&D scam. It was dueling and damage or the Diablo network database where you could meet with other players to trade, join their clans, things like that. So what you do, you would type /dnd, username and password. And what this actually means is you put a do not disturb up, which responds back with a message, which is your username and password. So the attacker would just message you and congratulations, they have all the account information.
Pretty simple but incredibly effective and also very hilarious. Next is a trade window scam. An attacker would come and say, hey, I'm looking to trade this item for you. They would put an item in the trade window. You would say, I'm giving you a million gold or whatever it is. The window would close and they'd say, oh, shit, I fucked up. Here's the actual item, my bad. But it would be different items. They'd just swap it in there for you. Also this rush payment where they would say, hey, I'll rush you through all the dungeons here. Some X amount of gold, half up front, half when we're done. You give them half up front, then they go away. So it works, I guess.

Next, RuneScape. Here's a great forum post about how to scam people in RuneScape. You have one buddy. I don't know if you can read this so I'll describe it for you guys. You have one buddy saying, hey, I'm looking for a jug of wine which is like two copper. I'll pay 70K. Second friend goes, yo, dog, I'm selling a jug of wine for 40K and then some idiot connects the dots there. Sees he can make a profit but he actually bought a useless item. The bottom there says easy money, not honestly earned, the way I like it. Perfect. WikiHow, how to avoid scams in RuneScape? Probably pretty good. But on the exact same forum you have had a password scam in RuneScape. All right, we'll go with that.

Eve Online, does anyone play? Eve, spreadsheets in space? Excellent. CCP, the company who runs Eve, they actually don't regard scamming as a petitionable offense. They say it's part of the game. They do have four caveats for that. They don't allow character sale fraud, impersonation, gaming rookie systems so abusing a new player's lack of knowledge or stealing real life assets. But pretty much everything else is fair game in that universe which is pretty fantastic. If anyone does that.

And the last one, this kind of segues into the whole point of this talk is the Steam platform. I assume everyone is familiar with Steam.
If you're not, you guys don't belong here. Steam is awesome. It started way back in the day when it was totally shitty but now it's actually pretty good. It's a social media platform with friends, with communities, clans, groups, et cetera. And there's a marketplace which is sort of ripe for the taking for scammers as well as normal players to buy and sell items together.

So that segues nicely into the Steam marketplace. So non-functional cosmetic items were introduced in 2009 into Team Fortress 2. In 2010 they released an update that allowed players to trade with each other. So cosmetic hats and weapons. They literally did nothing. Well, the weapons did in TF2, but the hats, they did nothing. It was like a Christmas tree sitting on your head that was on fire. That's worth $100 for some insane reason. Since then it's been expanded to other games, Counter-Strike GO, Dota, League of Legends. The picture there is actually of the Burning Flames Team Captain. It is the most expensive hat in TF2 history to this day. It's worth $4,500. All it does is make your character's head catch on fire. It does nothing useful but someone will pay $4,500 for it. So, fantastic.

Some more background. This is just a screenshot from Ghost Who Gamers of the top ten available weapons currently in the marketplace. They're all around $400. So there's dozens of sites dedicated to trading, gambling, et cetera. Counter-Strike GO: CSGO Lounge, CSGO Traders, CSGO Loot. TF2 has backpack.tf. League of Legends is interesting because there's not really a marketplace. But with the skin codes you've got Law Skin Shop as well as things like eBay where you can buy accounts that are either boosted or have skins and stuff unlocked. So very interesting. Lots of potential attack vectors there. And I'll hand it over to Zach to do stats.

So to really kind of sell to everyone how serious these gamers get and how serious these communities are, we wanted to go out and we wanted to survey some of the Steam user base.
Instead of just going out trying to find as many places as possible all throughout the internet or befriend millions of people on Steam, we went to Reddit. We went to the Dota 2, CSGO, TF2, and a couple trading subreddits just to collect some stats in terms of anything ranging from their inventory prices to if they've ever been scammed before to age just to kind of get a general idea of what we're working with here. So before I begin the problem with collecting stats on the internet is that you make sure that you do form validation for Google Docs. When I opened up the first Excel spreadsheet I had an ASCII caterpillar that almost crashed my computer. So either do form validation or just don't let people put in additional notes. My favorite one is a guy that filled it out about five times: "Fuck you, talks like this are why DEF CON sucks." So good way to start this out, right?

Okay, let's get into some actual stats. So first one we have here, most of these up front, we have a sample set of 1,100 people. This just shows the general age range of Steam gamers. At least from these gaming subreddits, not the general Steam user base, 90% are between 12 years old to 24 years old. So you can kind of make some inferences there, you know, young, impressionable, especially when it comes to scams. Rusty talked about the RuneScape scam. In that post they said this works great for 13-year-olds, just go after them and scam them. Makes sense. In terms of Steam and these online gaming communities being an investment, this one shows the hours spent per week on video games. So over 56% of people play 20 hours or more on Steam. So it really shows like how much people invest into these things.
And it's not just something where, you know, you get on, you play a game for three or four hours, they get on, they play a game for 20 hours and they go after these really rare items that are worth hundreds to thousands of dollars and they really put their heart and soul into it, just like anybody else would with a hobby. In terms of the amount spent per month on games, essentially the way this pie chart breaks down is four of the five people that took our survey say they spent at least some amount of money. And we have the breakdown here of people can spend casually, you know, one to ten dollars, that's generally like a huge chunk, but we have people spending at least two percent of that base, $500 a month just on going and purchasing these in-game items and trading with other people. So we talked a lot about purchasing and having these in-game items, right? So we then put out a question, what about inventory prices? If you go to all your Steam accounts and you take the sum of all of your items, how much is that worth? So this is a box plot because I wanted to show this first because of the outliers, there is something out there, $60,000 someone's inventory is worth. So we couldn't believe it at first, so we went and we checked a pretty well-known website for TF2 backpacks, essentially TF2 inventories. And lo and behold, there's somebody there verified about $55,000, their video game profile is worth on Steam. So this is the box plot actually zoomed in. As you can see, there's a red square on there that shows the mean. So from these gaming subreddits, people say on average about $1,000 worth of items in your inventory. So when you think about these things, it really goes to show like when it comes to scams. At first, you know, RuneScape, Diablo, people, they just traded in-game currency back and forth. And now people are attaching dollar amounts to this. 
And this is a really good target for people that want to scam because then they can steal these items and they can turn them around. So where does this leave us? This is actually a pretty funny picture. Only because this is one of the most expensive guns in Counter-Strike GO right now. It's $1,500. We put this up and I think we got, it was yesterday or two days ago, a good friend of ours randomly got this as a drop while playing the game and he's only played like a couple of hours into it. So he played the game for two hours and just netted an item worth $1,500. We hate him right now. Like a lot. I'm PJSalt right now.

Cool. So kind of how did this all start? I realize this is sort of in the middle of the talk but we needed a lot of background here. So this actually started because we saw a Reddit post with someone having a link to an Imgur album of them attempted to be scammed. So this was on the front page of the Dota 2 subreddit. There was lots of people in the comments talking about similar experiences and scammers were starting to target gamers. So I'll just describe this because I don't know if everyone could read it but someone messaged them and says, hey can you be the plus one as a stand in? The guy says, yeah we played a couple of days ago. Sure. And the guy is like, alright, well wins the game. And so they trade some details back and forth there. The guy says, hey you need to download Mumble. And the guy is like, I already have Mumble. So the scammer says which version, the player says 1.2.4. It shouldn't matter though. And then the scammer says, oh well you need the specific version of Mumble in order to talk to us. Let me link you to the Mumble software as a good guy. Mumblesoftware.net. Perfect. What is mumblesoftware.net? It's registered in Russia. It looks like this. If anyone's ever downloaded Mumble this is not what their website looks like.
But it looks like sort of a reasonable website and given how pretty shitty voice gaming software is, this is something I would absolutely expect. Not only that, it has great reviews. We've got great quality, good player feedback. It's awesome. So when you actually go download this piece of software there's the actual Mumble installer but it comes bundled with some obfuscated JavaScript which looks like this. And for those of you who can't read JavaScript it looks like this. So this is the download file from URL function that exists in that JavaScript file which is eventually called here. So there's three download file from URL functions called. The first one grabs a copy of 7-Zip from a website called copy.com. So first one is 7-Zip. The second one is a 7-Zip encrypted binary installer for TeamViewer. And the third one is a batch script: decrypt TeamViewer, install it as a service, start it on startup and then basically just install the RAT for the scammer to log into your system. Which is fun. So this is what a hacker looks like if no one is clear on that.

Cool. So we're going to go through some of the different samples we found. We've been doing this for about a year now and the evolution of the scammers and the attackers from a year ago until today has been the evolution of the complexity and just the TTPs they're using to go scam people. So this is pretty low level. They just link you to cursevoice-beta.com, it installs Curse Voice but it also installs a RAT giving persistent access to the victim's computer. Like pretty straightforward. This is something a sample we found called RaidCall. This is what happens when I tried to execute the drop.js file which was really unfortunate but that's okay. So what RaidCall does is very similar to the Mumble software we saw earlier. Drops JavaScript, it executes WScript to sleep for 15 or 1.5 million seconds which is like 62 days which is what most processes do. They don't.
Steals private information from browsers, drops files and installs into complex and a little nastier here. Your speaks isn't actually based on anything real. So with all the other samples we found it was based on Curse, it was based on Mumble, it was based on Skype, things like that. This was just something that it sounds like it might be a weird voice program that gamers might use which was interesting. So not trying to do homograph attacks and just run on hook, some Windows functions, process injection, HTTP request, so less of the remote access tools and more of actual sort of classic malware, sort of seeing the evolution there.

This was one of the more interesting ones we found. It's got a great logo, Pokey Steam Stealer. So the attacker just runs an auto accept bot and then they go distribute the stub.exe to victims and according to the website this quote is lifted directly from a method of their choosing to distribute to their victims. It creates a file, this QEQ file in user's temp which also tries to sleep for like 60 days, probably not a legitimate file. But we have a video with this high quality production value which is fantastic. I'll tab to it as opposed to open it. So he's dragging the Steam Stealer exe to the middle of his computer and this has a great techno track in the background. I'm sorry you guys are being denied it right now. So executes the file. He's running Process Explorer like a good citizen. We can see that it's executing. So this is his trade offers that he's sending. So he has to refresh it like 15 times. One more time. There we go. One more. So close baby. Cool. So now that was a trade offer that he just made to a mule somewhere. All of his items. Just because he clicked an executable. Like that's insane. So his CSGO skins there. So here's the site. They believe in quality. Here's your packages. They accept PayPal and Bitcoin. If this isn't the greatest marketing video you've ever seen. Get it now. Perfect.
I stumbled across that video and I had to include it in this because it was production value. Cool. So that is the Pokey Steam Stealer which was really interesting. That was incredibly effective before Valve started implementing some of their security fixes which we'll get into a little bit later. But the next sort of iteration of that was called Steam Stealer which is here. So this is all C# and I'll sort of walk you guys through this. This is the main function. It iterates through all of the Windows processes currently running for anything named steam. Iterates through all of those and finds any process that have loaded the steamclient.dll which include the, oh sweet Jesus. Which include the Steam Guard key as well as the session cookies for your Steam login. So next we iterate through each of the processes. We iterate through their memory and then we pull out the session cookie from memory. So this is pretty cool. I don't know if you guys can see it in the middle there. There's a regex.

Wait, do you think the session cookies are cool? Check this out. I love session cookies. I have a Jack Daniels cookie for you. All right. What do first time speakers do? Cheers. Cheers. To DEF CON. To DEF CON. Once you go Jackie, never go black. Back. That's right. Wasn't as bad as my... I would like to say that DEF CON does not condone anything that was just said. The last half hour of this talk.

Cool. So the regex in the middle there is actually a seven character or seven digit string that all Steam cookies are prepended with. And then the regex for the rest of the stuff in there. So super interesting. You're looping through all the processes. You're looping through memory in the process to pull out the session cookie that we get. This is crazy advanced from RuneScape saying hey man, open this trade window with me and let me steal all your shit. So going to sort of the next part there.
For each session cookie that we get because multiple Steam instances can be on the same computer. So for each session cookie we get, then we go check the Steam API and we get a list of all the items that are not common because we don't give a shit about common items. We want uncommon and rare. So the bottom two lines there. The first one is get items for a Steam ID and then the text there is 570 which is the game code for Dota 2. And then the last one there is filtering out any of the common items. So if we go look at the actual request that's being made and I realize you guys actually probably can't see any of this but I'll continue describing. The user agent that's being used is Valve Steam Client. So the malware is attempting to duplicate the same traffic that the Steam Client would do in order to go pull the user's inventory from the Steam Master Server. So that's kind of cool. As I mentioned earlier, 570 is the game app ID for Dota 2. So what does that give you back when you actually make that request? So this is my account. One of the requests I made for a single item. Counter-Strike GO as you see in the top there. The app is 570. This is my Five-SeveN Monkey Business. It's a sweet little Five-SeveN with a banana on the handle which is fantastic. It's my favorite item in the game. You can see it's tradable, it's marketable. And I don't have the rarity on there but it's pretty rare.

So once we have actually gathered a list of all the items that the player has in their inventory then we go make a giant list of this so we can automatically trade this to our mule. The top line there, we create this divide list. Turns out you can only trade 256 items at a time so they have a hard cap there so if it goes over that they just create multiple requests. We iterate through all of the items we found and we prepare them into the format we need to make the request to the Steam API. So the prepared items list and then the next one underneath is the sent item.
So we'll dig into the prepared items. You have your app ID there. The amount, the number of items that you want to trade if they have duplicates. The asset ID is the actual item ID. And so you're just creating this list and just concatenating all these together for your trade offer. The second one is sent items. Using the Steam API trade offer slash new slash send. The session ID that you pulled out of the cookie. The partner is the person you're trading to and then you throw in all your items in there as well. So pretty advanced, pretty crazy. Definitely a step away from the low level scamming that we had seen before into like real malware, real value, real production. And we'll get into some of the interesting web stuff that we saw. Thank you.

So now that Rusty's talked a lot about the evolution of the malware, I'm going to talk about the evolution of the different type of attack methods via web or the web TTPs. So the attack websites split in two categories, sometimes both. We've seen a lot of phishing websites that have been taking the Steam community, taking the front page of it, attaching it to another website, and then essentially just logging usernames and passwords. I think we have a slide later that shows kind of how it does that. Malware droppers, much like what we talked about before with the mumblesoftware.net. On there, they would go get a person to connect to that website and then they'll take every single link on that website and usually they just replace it with the downloadable link and then you get that on there. We've also seen both. So we've seen some websites that essentially it's a Steam community login. You go and you log into your Steam account, after you're logged in, it prompts you to say hey, there's new update, there's new software, download this now so you can update. So not only do they get your credentials, they also get onto your box to refer your items. In terms of the domain names, those are split into two categories.
The first category is what we're calling brand abuse. So essentially what we saw before with the VoIP clients, whether it's Mumble or Ventrilo or Curse, think of any type of website that a gamer on Steam would visit whether it's a betting website or it's just the regular Steam website or it's a VoIP website. People perform different variations of those brands because they're very recognizable for humans but very different to a machine. So it makes it very easy to trick somebody.

Another type, image websites. So a lot of the times these traders, they put a lot of time and energy into this hobby. What they do is they not only trade items to each other, they actually sell items for real world currency. Valve doesn't officially support any type of exchange. They don't run an exchange themselves to kind of broker the deal. So there's player made ones. A lot of the times, and this is feedback coming directly from the traders on these subreddits, is in order to prove that they have some item or some type of funds, they go and they link Gyazo or Imgur pictures to the person they want to trade with and they say, yep, this is my proof that I have $500 for this gun or I have this amount of money for a skin. But what it really is, it's just a JPEG, a .png or .scr file that shows that the file header is executable. This is really, really important because what I'll show in a little bit is that we do have websites like Imgur and Gyazo. Those are like trusted. But what a lot of people are doing now and we have a lot of samples of this is just making a fake image website. So it's very discernible, very easy for a human to say, oh, if someone links me img23.com, that might be just some offshoot of Imgur or something that's just not as good.

Just to kind of go over some of the brands for betting and trade, so for people that don't know about betting it is actually really, really huge in this community.
There are professional matches, there are professional teams and they compete for a lot of money. Right now there's a tournament going on called The International and the prize pool is $18 million. So there's five people per team and the first place team gets about $6 million to split between five. People bet on these games all the time and you can bet these items on these different websites. So because they use these a lot and because they're really engaged in this community, they're really engaged into watching these professional matches, it's very easy to trick somebody to thinking that they're visiting these websites. In terms of games, the main Steam website, steamcommunity.com, you can go there, log into your profile, just perform various like Steam functions, go and talk to your friends, Dota 2 and CSGO as well. So still very, very effective. You can trick somebody very easily by just changing a letter out on one of those brands. And lastly, we already talked about this a lot but VoIP has been very, very popular as well. So tricking somebody thinking they have an outdated version of Mumble or that they need a special version to connect to a server in order to play in a tournament, that's what they use.

The point here that the way they evolve and the way these over time have attacked the different people using this platform, this is an image of the different Steam community homograph and variations that we found. So it's about 100 different domains. The main domain is steamcommunity.com, all one word just like that. But if you go and you can look at this image, they'll replace an M with an N. Or they'll replace an M with an R and like very, very like old techniques. I mean these are things we've seen in the 2000s, right? And it's still useful for today. So of the URLs that we've collected we got about 230. We kind of broke it down a little bit more. I know before I said there were about three main ones but there's a couple that were related to social as well.
The large percentage of the URLs that we've classified are actually just image variations. So it's a combination of that img23.com slash 1.png or a number in front and then image afterwards. It's just tricking people to thinking they're connecting to an image website. And when they connect to that and they download it they get the executable. It looks like a screenshot because they replace the icon but when they execute it they're infected.

So I know we've talked about problems a lot. It's the Wild West, but we're actually going to go into a little bit how Valve has responded to these, because unlike traditional information security companies, because they're a gaming company that their business model focuses on a micro economy, they have implemented really interesting fixes to help combat this. So this is a forum post, it was on January of this year, and essentially the person made a post and said, hey, I just tried giving away a Dota item to my friends and Steam forced me to check email verification in order to finalize the trade offer. Does anyone know anything about this? So Steam pushed out a silent update. It is opt in and essentially by default turned on. Any time you commit a trade request and you go and, let's just say I'm giving Rusty a gun or I want him to give him his banana Five-SeveN Monkey Business, you get almost like a two-factor auth: you get an email that says, hey, here's everything you have you're willing to trade, everything the other person is willing to trade, are you sure that you want to do this? So it was really interesting because instead of going and combating the links, getting like antivirus installed in the Steam platform, trying to educate their users, they just threw this in.
Pretty effective method, really effective, because this is a screenshot from a Reddit thread of the supposed maker of the Steam Stealer, and essentially he said, you know what, fun while it lasted, I'm not giving out refunds, you got to figure out a different way to scam people now. We still continue to see it afterwards, and the reason for that is because of this little configurable option in the Steam Client. So essentially, like I said, opt in, enabled, disabled, but the key sentence here is the second sentence of disabled: Steam support will also not provide you with any assistance in recovering items that were stolen from your account for any reason. So it's essentially a liability play here. The problem with the fix that they implemented: it works for a regular user, but for your kind of like power users that trade a lot, that bet a lot, they actually run automated bots for Steam. They would go and they would make tons of requests to trade out for a game, they'll hedge items against certain games, they'll look at certain investments and trends over time on Steam and how an item dips in price or raises in price based on what data it is. They need this. If you're looking at people who are just turning this off, it was too much of a nuisance for them, and because they turned it off, Steam Stealer still works and Valve refuses to help them because of that pretty much contract right there.

So in April this year Valve put out another kind of silent, like a silent patch into their system. This was an article made on GameSpot on April 19th that essentially said Steam has decided to limit users who haven't spent at least $5 a game in the Steam platform or item from friend requesting people and from trading people. So essentially it's increasing the cost. A lot of the times these different bots that were used and were constructed, there are dozens to hundreds of them, they would essentially do a spray and pray, do a ton of friend requests. They had scripted everything out in terms of what they'll say to the
person and how to respond to them and then issuing the link. This got rid of that unless the Steam Stealer orders essentially go and spend the $5 per automated bot that they had. So knowing that they did this fix, we went back out to the trading subreddits and we asked them how many scam friend requests you got per day before the $5 fix and after the $5 fix. Now it's kind of a weird survey. Talking with a lot of the traders, they said that they can tell based on a friend request on Steam whether or not that person is a scammer or not. There are a lot of things they use to judge this, as account age, number of mutual friends, their name, the messages that they send them in the friend request. So the whole community said that they're really really good at catching these. So on the left you have the box plot there before the $5 fix, the red square mean about 19 a day for most of these traders. There's a pretty high variance in there and a couple outliers are significantly reduced, there's not as much variance, the mean is reduced by over half and there's still some outliers there as well. So it was an effective fix, and it's kind of one of those tug of wars that you have with information security problems in general: you increase the cost of the attacker, the attacker does something else, you have to pivot and you have to keep implementing more and more fixes.

Cool. So I don't know how many of you were on Steam last week or if you watch Twitch or anybody else. There's a password reset bypass that was in the Steam platform that was pretty awesome. So for about three hours all of the major streamers on CSGO, Dota 2, etc., they were locked out of their accounts because attackers were going in and resetting their password and locking them out. So this is a GIF of how that actually works. I'll let it loop back one more time, but what you do is, if you have their account name, that's a reset field, then you go and it says yes, reset the account for the e-mail address. You click that, you usually have to go
confirm the e-mail address, which is why it's like f**** at g***, but you could just hit okay and it would take you right past it. So he's highlighting the thing, it goes okay, just right past it, and now I get to reset whatever password I want. About three hours on the Steam platform before Valve fixed it, which was really interesting to hear the streamers sort of take on it, because the subreddits were all in an uproar about everyone's going to lose their items and the world is coming to an end because Valve sucks in security. The streamers didn't care, because of all the previous security fixes that Valve had to put in place: anytime your password is reset you are not allowed to trade for five days; anytime a new device is connected to your account that device cannot trade for five days. There's a few of the other interesting fixes there as well, but basically what that meant is all of the password resets and the attackers hitting these accounts couldn't actually monetize the fact that they were able to log into people's accounts, which was a serious tip of the hat to Valve. So even though thousands of people were compromised, nothing of value was actually lost, that in the most non-ironically possible, which is awesome.

Okay, so now that we went over the history of this past year of studying this type of malware and this type of attacks on Steam and on these different gamers, we are going to implement a small forecast, next 6 to 12 months, in terms of the different TTPs we are using and the type of malware. First big point is the image site homographs and phishing will be weapon of choice. So what I mean by that, as I said before, instead of just trying to perform a homograph attack, which is essentially you take my name, Zach for example, ZACK, and you replace a letter with it, people, let's just say the A for example with a 4, people and humans can still see that and interpret that and know it's Zach. Works great for humans, works terribly for computers. So since we've seen a
huge, huge increase on these image sites, they're going to be the weapon of choice. It's a lot easier to generate these types of homographs. It's not even technically a homograph, just different variations of it. Screenshots will be used consistently by traders and buyers to verify whatever they need to verify when they're performing these trades.

Next, the malware is going to be more than just a stealer. If you go and you Google some of the malware families that we talked about, specifically a Steam stealer, using more and more additional features, specifically keyloggers. They already had remote access tools, but you have someone who has an inventory that's worth thousands of dollars, they're probably on a really sweet gaming rig that they spent a couple thousand dollars on, they probably have something connected to their bank on their machine, in the sense of they have a good enough amount of money that it might be a worthy target to drop something on there like a banking trojan. It's more to this market, like I said, than just virtual items. It'd be great to use some of these as Bitcoin miners. A lot of these games require some pretty Gucci video cards, so if you can go and take advantage of that, you can really make some money off of this, more than just the sites. Looks like we forgot one animation.

So now that we have a forecast, we're going to give some recommendations. At least it's kind of like recommendations to Valve and also recommendations from us just to the gaming community in general. So Valve already has an anti-cheat system, it's called VAC. They have a security team there; they responded in a couple hours to the password reset vulnerability. See if they can get a platform security team. We couldn't find anything that they did have a platform security team, but even if they did something as small as text analytics and URL scanning, where they have a Google Safe Browsing or PhishTank-esque type of system. It's a place where, for every URL passed into a Steam message, if it's on this
blacklist of URLs, don't send it. Pretty low barrier to entry, and it reduces the time for people finding these phishing sites and submitting a takedown request to these different domain registrars. Valve kind of comes in and chips in for it: you report it to Valve, or they pull it from Google Safe Browsing or PhishTank, they detect it and they remove it, people are saved.

So another recommendation is allow for platform plugins. Steam and Valve in general are really, really good when it comes to being open with the community in terms of game development. So they have something called Project Greenlight. You can go, you can develop games for the Steam platform, people vote, the community votes on the game, and then if it gets enough votes, you get into the Steam platform and then Valve will kind of publish it with you. They should have something similar for plugins. There's already a lot of people doing this already in terms of kind of taking the fight back to these steam punks. And Valve can also police the marketplace. They don't have to let it be the Wild West where anybody can submit an app. They can have guidelines, they can have different requirements for people when they submit the apps, especially if it's a security one, that lets them meet some type of standard that they think is worth putting into Steam.

So for recommendations for we the gamers, I'm going to say Steam URL scanning capabilities, but in browser. There are a lot of plugins already in Chrome and Firefox that I use. I know Netcraft has one, I think Malwarebytes has one, and there are a couple other ones that essentially do this type of blacklist capabilities. Every time someone clicks on a link, whether it's in TeamSpeak when you're connecting to a server and a message of the day comes up, or it's in a Steam message, it opens up your browser. Steam does have a browser, but it only lets plugins, you can at least protect yourself from it. There are people out there that are dedicating a lot of time to taking these URLs and getting
them known to the security community, and these extensions take advantage of that. There are anti-phishing groups as well. These are three right here. Essentially, these are the guys that go out, find these scammers, interact with them, try to get URLs from them, try to get file samples from them, and just distribute them out to the security community. The PhishTank, really, really dedicated group of people. And they also do something above and beyond just URLs. A lot of the time scammers are profiled by these communities. So trading communities are very tight-knit. They know who's a good trader, they know who's kind of like a shady trader, and websites like FOG and SteamRep, they do exactly that. When you're going out and you're trading, if you want to go buy one from somebody, go to these websites, look up the username. They have a database full of them, and then you can tell very quickly whether or not this person is trustworthy.

So we didn't have time to do it for this talk, but one thing we are also releasing, it is out now in the Chrome extension store, it is a Chrome extension. It doesn't do blacklisting capabilities. It essentially detects homograph attacks for those different brands that we found. Very much like Google Safe Browsing. If you use this platform a lot and you use Steam, go and look this up on the Chrome store, download it. Anytime there is a detected homograph attack for certain brands, like betting sites like CSGO Lounge, Dota 2 Lounge, or Steam Community, or even image websites, this will detect it, throw you into a Google Safe Browsing webpage, tell you why it was thrown, and then it will give you a couple options of what to do.

So that pretty much sums it up. A couple of shout-outs to the different subreddits that helped us out. Without them we wouldn't have this awesome data. And also advice banana, I don't know his real name, it is some dude in Germany, but he essentially gets on IRC and just feeds me URLs and new samples, and he is really active on the SteamRep website as well. So we
actually have a lot of interesting samples. So if you guys are interested in taking a look at some of the samples and some of the evolution there as well, hit me up on Twitter. It's been really interesting seeing the evolution over the past year, and I'm really glad we got to come here and show you guys. So thanks.