Pending Report: 76561198148407225 - ([CSGO] Counter-Strike: Global Offensive Items)

Discussion in 'Pre-2017 Reports' started by Nightwielder, Aug 21, 2014.

  1. Nightwielder

    Nightwielder New User

    Messages:
    6
    Steam:
    STEAM_0:0:9911649
    Scam Report

    Report Type: [Accomplice] Alternate account of hijacker or scammer
    Virtual item type involved: [CSGO] Counter-Strike: Global Offensive Items

    Accused profile: 76561198148407225

    Victim profile: 76561197980089026

    What happened? Description:
    This user has managed to scam me somehow. I have no words for how frustrating this is... I believe this to be the result of my recent negligence in attempting to enter a 'free' giveaway as offered by 'http://csgoraffle.net/' -- and I quickly found out this site no longer exists (I'm sure it was taken down last night). I realize this is a mistake of my own, but I am usually very cautious about these things and I thought it was legit... only because it was being streamed on Twitch.tv.

    The user in question had created a Java executable (JAR) which, when run, would be able to access people's Steam accounts via trade offers / etc. It's undetermined at this time what other information may have been compromised on each victim's machine if other malicious intentions are at work. To help address the validity of my statements / questions above, I am including the source script and screen captures of the incident. Any and all information would be greatly appreciated to help combat this problem and bring the perpetrator to justice via the Steam community.

    I will not trust anything remotely suspicious in the future. You'll notice I am not friends with this person at all and my account is in good standing with close to ~1000 hours in this game.

    Provide Evidence:
    I have no knowledge of this trade even happening... meaning there was some kind of exploit / vulnerability exposed in the Steam client software itself, which allowed this to go through behind the scenes. I have no doubt the code embedded in the attached JAR file is responsible for this item hijacking. Could someone please investigate this further and verify exactly what that does? I would imagine we need to decompile it and look at the source to find these answers.

    Attached Files:

  2. Nightwielder

    Nightwielder New User

    Messages:
    6
    Steam:
    STEAM_0:0:9911649
    In case anyone was wondering how this turned out... see final Steam Support reply below:

    "We have a strict item restoration policy and in this case items will not be restored.

    If you have not already done so, please report the user as instructed previously and we will investigate the report.

    For more information on how to avoid and prevent scams in the future, please read our Recommended Trading Practices:

    https://support.steampowered.com/kb_article.php?ref=8912-WEYU-8454

    If you wish to purchase or sell items, please use the Community Market:

    http://steamcommunity.com/market/"

    ...And my response:

    "OK. Fine then, have it your way. Just know that many others have been wronged in the same way as me with seemingly no recourse according to your strict 'policy'. Meanwhile, it's understood that you profit significantly from the Community Market, thereby incentivizing the very activities you purport to mitigate. I mean... why bother going out of your way to harden your software security / close any loopholes/exploits/vulnerabilities when you serve to benefit from my misfortune, right? Heck, I'll bet CSGO bucks are flowing in at an all-time high. If anything... I would almost go so far as to say you are complicit with the very same people that take advantage of this system. From what I gather, these cases are closed with canned responses that exemplify your lack of a thorough investigation and common sense. With that out of the way, let me just say that my faith in this community is officially dead. I've donated what's left of my sizeable collection to a Twitch streamer that I follow and respect. Furthermore, I will no longer be entertaining the idea of the CSGO cosmetics marketplace; it's a very poor investment."
  3. Nightwielder

    Nightwielder New User

    Messages:
    6
    Steam:
    STEAM_0:0:9911649
  4. SilentReaper(SR)

    SilentReaper(SR) Retired Staff

    Messages:
    11,991
    SteamRep Admin:
    STEAM_0:0:89705646
    http://whois.to/csgoraffle.net

    They pulled the server, domain is still regged, but they used a whoisguard, so you won't see the registrant:
    you'd have to sue at "namecheap.com" etc.
    but as it's Panama....
  5. Nightwielder

    Nightwielder New User

    Messages:
    6
    Steam:
    STEAM_0:0:9911649
    SilentReaper, appreciate your feedback on this. I hadn't actually checked the domain registrar (the thought slipped my mind at the time), but I had tracked down the server when this incident was still fresh:

    Tracing route to csgoraffle.net [5.39.9.108]
    over a maximum of 30 hops:

    1 <1 ms <1 ms 3 ms router.asus.com [192.168.5.1]
    2 27 ms 23 ms 28 ms bundle1.rochnyhly-ubr02.nyroc.rr.com [67.246.240.1]
    3 12 ms 11 ms 12 ms gig9-5.faptnyal-rtr002.wny.northeast.rr.com [24.93.9.78]
    4 95 ms 14 ms 14 ms rdc-72-230-153-12.wny.east.twcable.com [72.230.153.12]
    5 65 ms 36 ms 30 ms rdc-72-230-153-243.wny.east.twcable.com [72.230.153.243]
    6 71 ms 30 ms 31 ms ae-3-0.cr0.chi10.tbone.rr.com [66.109.6.72]
    7 32 ms 29 ms 32 ms ae4.pr1.chi10.tbone.rr.com [66.109.1.66]
    8 28 ms 29 ms 29 ms ix-27-0.tcore2.CT8-Chicago.as6453.net [64.86.79.97]
    9 29 ms 29 ms 30 ms if-22-2.tcore1.CT8-Chicago.as6453.net [64.86.79.2]
    10 31 ms * * chi-2-6k.il.us [178.32.135.146]
    11 178 ms 202 ms 202 ms 198.27.73.179
    12 * * * Request timed out.
    13 * * * Request timed out.
    14 121 ms 121 ms 122 ms rbx-g2-a9.fr.eu [91.121.128.193]
    15 118 ms 119 ms 122 ms vss-6a-6k.fr.eu [91.121.128.40]
    16 121 ms 118 ms 120 ms solusvm.tech-hosts.co.uk [176.31.236.194]
    17 122 ms 123 ms 123 ms 5.39.9.108

    ^^^https://www.tech-hosts.co.uk/^^^ -- with host: 'solusvm'

    I filed a case with them, but they can't give me any information due to the data protection act; only law enforcement can act on it.
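    As an added example (not code from this thread), a small Python parser for Windows tracert output in the format posted above: it pulls out the destination IP and the last hop that still had a reverse-DNS name, which is the quickest pointer to the hosting provider an abuse report should go to. The embedded sample is trimmed from the trace above.

```python
"""Parse Windows `tracert` output and extract the hops that identify the host."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample trimmed from the trace posted above (hops 1, 10, 12, 16, 17).
SAMPLE = """Tracing route to csgoraffle.net [5.39.9.108]
over a maximum of 30 hops:

1 <1 ms <1 ms 3 ms router.asus.com [192.168.5.1]
10 31 ms * * chi-2-6k.il.us [178.32.135.146]
12 * * * Request timed out.
16 121 ms 118 ms 120 ms solusvm.tech-hosts.co.uk [176.31.236.194]
17 122 ms 123 ms 123 ms 5.39.9.108
"""

# A hop line: number, three RTT columns (`<1 ms`, `31 ms` or `*`), then either
# `hostname [ip]`, a bare `ip`, or the text `Request timed out.`
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rtts>(?:(?:<?\d+\s*ms|\*)\s+){3})(?P<rest>.*?)\s*$")
HOST_RE = re.compile(r"^(?P<host>\S+)\s+\[(?P<ip>[\d.]+)\]$")
IP_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

@dataclass
class Hop:
    number: int
    ip: Optional[str]            # None when all three probes timed out
    host: Optional[str]          # reverse-DNS name; None if only an IP was printed
    rtt_ms: List[Optional[int]]  # per-probe RTT, None for '*'

def parse_tracert(text: str) -> List[Hop]:
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # skips the "Tracing route ..." / "over a maximum ..." header
        rtts = [None if tok == "*" else int(re.sub(r"\D", "", tok))
                for tok in re.findall(r"<?\d+\s*ms|\*", m.group("rtts"))]
        rest = m.group("rest")
        ip = host = None
        hm, im = HOST_RE.match(rest), IP_RE.match(rest)
        if hm:
            host, ip = hm.group("host"), hm.group("ip")
        elif im:
            ip = im.group("ip")  # final hop often has no PTR record, as above
        hops.append(Hop(int(m.group("hop")), ip, host, rtts))
    return hops

def hosting_hint(hops: List[Hop]):
    """Return (destination_ip, last_named_hop): the last hop carrying a PTR name
    is normally the hosting provider's node in front of the target."""
    dest = hops[-1].ip if hops else None
    named = [h for h in hops if h.host]
    return dest, (named[-1].host if named else None)
```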
  6. Deiv

    Deiv New User

    Messages:
    6
    Steam:
    STEAM_0:1:36199972
    Owner of that IP 5.39.9.108 just recently (21st of May 2014) started providing hosting services under 100hosting.net. Site is still under development. There are a few people from the hacking community acting as his customers. So the malware authors are one of them. I know the hosting provider by alias and by real name and he doesn't seem to be the malware author.

    csgoraffle.com, csgoprize.com, instantviews.net and cloudhub.no-ip.org are all owned by the malware author. The last two point to dedicated server 162.218.209.98, which is acting as a command and control server for the malware. Instantviews.net also serves one variant of the malware used for increasing twitch.tv view counts. According to the whois record it is registered by someone named Carl Koch, but that is a fake name as there is no street called Tusindfrydsvej in Brande, Denmark.
  7. Deiv

    Deiv New User

    Messages:
    6
    Steam:
    STEAM_0:1:36199972
    csgoraffle.net is owned by the malware author. Not csgoraffle.com. I don't seem to be able to edit my previous post.
  8. Nightwielder

    Nightwielder New User

    Messages:
    6
    Steam:
    STEAM_0:0:9911649
    Deiv, that's insightful. Thank you for providing this information. I assumed the '5.39.9.108' was owned by the previous hop's host.

    "So the malware authors are one of them. I know the hosting provider by alias and by real name and he doesn't seem to be the malware author."
    - Seeing as how the site is still under development (and his client base is very small), my initial conclusion is that he either a.) is the author or b.) is conspiring with the author... so that's a bit concerning.

    I just saw this article: http://www.pcgamer.com/2014/09/15/c...ffensive-causes-steam-grief-for-twitch-users/

    I'm just curious to know if Valve plans on taking action, or just hoping this whole thing goes away... who knows.
  9. Deiv

    Deiv New User

    Messages:
    6
    Steam:
    STEAM_0:1:36199972
    "I assumed the '5.39.9.108' was owned by the previous hop's host."

    Tech-hosts.co.uk hosting provider provides different kinds of hosting services. For example shared hosting, where many customers' domains are hosted behind a single IP address. Then there are different kinds of dedicated hosting services (e.g. OpenVZ) where a single IP address is owned by one of their customers (he/she has root access to the machine). This 5.39.9.108 IP address is not part of their shared hosting IP address ranges. It belongs to a single customer. This is also confirmed by the fact that their shared hosting IP addresses host more than 400 domains. This 5.39.9.108 only hosts 1 to 6 domains.

    There are or were many domains hosted under that IP address. The oldest of those is the one belonging to the owner of the 100hosting.net hosting provider. Some of the other domains are easily linked to aliases (and real names) asking for hosting services from the 100hosting.net owner in hacking forums.

    "Seeing as how the site is still under development (and his client base is very small), my initial conclusion is that he either a.) is the author or b.) is conspiring with the author... so that's a bit concerning."

    The 100hosting.net provider is OK with malware activity on his server. That is part of the point of offering hosting services in hacking forums. Also some of the other domains hosted there act as a command and control server for other malware. But those domains or malware are not related to this case. In this regard it is kind of hard to say the 100hosting.net provider is directly involved. He also doesn't seem to know enough .NET to code such malware.
  10. Deiv

    Deiv New User

    Messages:
    6
    Steam:
    STEAM_0:1:36199972
    Your machine might still be infected with the malware if you haven't cleaned it up. It is not enough to delete the JAR/Java program in order to remove the malware.