Twitch is warning users against clicking on any links in the video game streaming website's chat feature after malicious software was found to be infiltrating Twitch user accounts and to be "able to wipe your Steam wallet, armory and inventory dry."
Security PSA: Do not click the "csgoprize" link in chat. This is a phishing attempt to install malware and compromise your Steam account.^JM
— Twitch Support (@TwitchSupport) Sept. 12, 2014
Finnish security firm F-Secure first reported the malware, which it is calling Eskimo. F-Secure's FSLabs said in a blog post on Sunday that it had received a report from "a concerned user" that an automated Twitch account was sending malware to Twitch users via the website's chat feature and asking them to click on a link that would supposedly enter them in a raffle for items used for "Counter-Strike: Global Offensive," one of the most popular games streamed on Twitch.
When the user clicks on the link, he is asked to enter his name and email address, which F-Secure says is pretty useless since the information does not get sent anywhere. It is simply a ploy to distract users as the automated account installs a Windows binary file that can take over the user's account in gaming shop Steam. From there, hackers can take over the user's Steam account even without knowing his password because the attack happens while the user is already logged on to the system.
Eskimo allows the hacker to do a variety of things, including sell the user's uninteresting items for a steep discount and use the money made from those sales to buy valuable items, which will then be traded with the hacker's own account. It can also take screenshots of the user's account, add new friends and accept pending friend requests, and buy items using the account owner's money.
"Previous variants were selling items with a 12 percent discount," writes F-Secure. "But a recent sample showed that they changed it to 35 percent discount. Perhaps to be able to sell the items faster."
Steam users affected by the malware have taken to the Steam forums to say that most of their valuable items are traded to an account named Youni. The account owner of Youni has yet to be tracked down, which should not be difficult for Steam as every Steam account is linked to a physical computer.
In the meantime, Twitch has already disabled the malicious link to prevent users from accidentally downloading malware into their systems, but continues to caution users against clicking on links from people they don't know.
"Please note that we give all broadcasters the option to disable links in their chat which can easily prevent this," adds Twitch.