Fake EV certificates used in Steam trade phishing attacks

An extremely convincing phishing attack that impersonates a multi-game skin trade bot appears to be using a fake Extended Validation TLS certificate to steal Steam accounts.

A fake Extended Validation certificate indicator.

The phishing site displaying a fake Extended Validation certificate indicator.

The ongoing phishing attack impersonates TradeIt.gg, which facilitates the trading of skins, weapons and other in-game commodities within popular games like CS:GO, TF2 and DOTA.

When a victim attempts to sign in through Steam to view their inventory on the spoof trading site, Steam's OpenID login form opens in a new window, clearly displaying its use of an Extended Validation certificate issued to Valve Corp...


... or does it?

Extended Validation (EV) certificates offer the highest level of assurance that a website is being operated by a bona fide legal entity, which is why phishers like to make use of them whenever they can. EV certificates typically cost more than both domain and organisation validated certificates, as the issuance process involves a more stringent vetting process.

However, in this case, the fraudster has bypassed all of the expenses and vetting requirements by simply presenting a fake — yet very convincing — EV certificate indicator next to the address bar.

Closer inspection reveals that the Steam login page is also a spoof form, and it is not actually being displayed in a new browser window at all – it is being shown in an interactive, movable iframe that behaves like a window, allowing the fraudster to dress the "window" up however he likes. The tell-tale feature to look out for here is that the fake window cannot be maximized or moved beyond the boundaries of the spoof trading website.

Needless to say, when a victim submits their Steam credentials into this fake window, they will be stolen by a PHP script on the phishing site. The phisher can then monetize the compromised Steam account by selling it directly or by trading the victim's valuable in-game commodities.

Fraudsters have a long history of exploiting user interface redressing vulnerabilities to make better phishing attacks. More than 14 years ago, Netcraft's anti-phishing toolbar community discovered a particularly fiendish set of examples that exploited a vulnerability in Microsoft Internet Explorer, which allowed part of the webpage to be placed on top of the browser's own address bar.

An extremely convincing PayPal phishing attack that took place back in 2005. A bug in IE made it possible for page elements to be placed outside of the browser's viewport, allowing the attacker to place a fake paypal.com address on top of the browser's real address bar, thus hiding the true location of the fraudulent website.

An extremely convincing PayPal phishing attack that took place back in 2005. A bug in IE made it possible for page elements to be placed outside of the browser's viewport, allowing the attacker to place a fake paypal.com address on top of the browser's real address bar, thus hiding the true location of the fraudulent website.

There are often resurgences in these types of attack, but the certificate and address spoofing techniques are usually forced to change as browser security improves and becomes more restrictive. No doubt there will be more attacks like these in the future, as phishing site developers continue to evolve new tricks.

Netcraft has been protecting consumers against phishing attacks for 15 years. You can enjoy the best protection against the latest attacks, including this Steam trading attack, by installing the desktop Netcraft Extension and Netcraft app for Android.

Most Reliable Hosting Company Sites in February 2019

Rank Performance Graph OS Outage
DNS Connect First
1 Rackspace Linux 0:00:00 0.000 0.652 0.009 0.021 0.021
2 Bigstep Linux 0:00:00 0.000 0.227 0.073 0.147 0.147
3 One.com Linux 0:00:00 0.000 0.378 0.088 0.263 0.263
4 GoDaddy.com Inc Linux 0:00:00 0.005 0.417 0.007 0.021 0.022
5 Hyve Managed Hosting Linux 0:00:00 0.005 0.165 0.069 0.139 0.139
6 Pair Networks unknown 0:00:00 0.005 0.334 0.093 0.187 0.187
7 www.choopa.com Linux 0:00:00 0.009 0.263 0.012 0.036 0.036
8 EveryCity SmartOS 0:00:00 0.009 0.226 0.070 0.339 0.339
9 CWCS Managed Hosting Linux 0:00:00 0.009 0.289 0.077 0.155 0.155
10 Webair Linux 0:00:00 0.009 0.325 0.080 0.160 0.161

See full table

Rackspace had the most reliable hosting company site in February 2019, and has now appeared in the top 10 eight times in the past 12 months. Rackspace offers a range of managed dedicated and cloud hosting solutions.

The top three hosting company sites responded to each of Netcraft's requests in February. Bigstep appears in second place, making February the third consecutive month it has appeared in the top three. Bigstep offers "bare metal" cloud hosting with the flexibility of virtual machines while also providing the isolation and efficiency of bare metal. One.com returns to the top 10 for the first time since October 2018. One.com offers a variety of internet services including a no-code website builder, 1-click WordPress installations, domain registrations and email hosting.

The next sites, placed fourth to sixth, failed to respond to one request from Netcraft. In fourth place is GoDaddy with the fastest average connection speed of 7ms. Hyve Managed Solutions appears in the top 10 for the fourth consecutive month, this time in fifth place. Pair Networks came sixth, with an average connection time of 93ms. The next four sites that made up the top 10 failed to respond to two requests from Netcraft in February 2019.

This month Linux is used by eight of the top 10, remaining the most popular choice. SmartOS makes an appearance in eighth place with EveryCity.

Netcraft measures and makes available the response times of around twenty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.