{
	"id": "55daab53-1241-4da9-82cf-91cfde8d9d2b",
	"created_at": "2026-04-06T01:32:17.762646Z",
	"updated_at": "2026-04-10T03:20:31.854951Z",
	"deleted_at": null,
	"sha1_hash": "85b269bd49930f6cbc3bf902e4190f43d52ac3e6",
	"title": "Fake sites stealing Steam credentials | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4067039,
	"plain_text": "Fake sites stealing Steam credentials | Zscaler\r\nBy Prakhar Shrotriya\r\nPublished: 2020-02-11 · Archived: 2026-04-06 00:49:19 UTC\r\nRecently, the Zscaler ThreatLabZ team came across multiple fake Counter-Strike: Global Offensive (CS:GO)\r\nskin websites aimed at stealing Steam credentials. These sites use an uncommon phishing technique that\r\nis difficult to detect. A similar campaign was seen in December 2019 and the campaign is still up with few\r\nenhancements, such as using a fake browser pop-up window for login along with some anti-analysis\r\ntechniques, which are discussed in this blog.\r\nSteam is a video game digital distribution service that provides automatic updates for various games. Steam has\r\nalso expanded into an online web-based and mobile digital storefront. Steam offers digital rights management\r\n(DRM), matchmaking servers, video streaming, and social networking services, and it provides users with\r\ninstallation and automatic updates of games as well as several community features.\r\nSteam is highly popular among gamers as it allows for multiplayer capabilities. How popular? According to\r\nstatistics on the company website, the Steam platform has between 10 and 20 million concurrent users playing on\r\nany given day. At the time of this publication, the Steam site was showing more than 700,000 users currently\r\nplaying CS:GO. The all-time peak number of concurrent users for CS:GO was 854,801. \r\nDue to its popularity, the Steam platform has also become a popular target for attack. Cybercriminals will attempt\r\nto hijack a Steam account so they can launch other scams and attacks and steal or trade the victim's items.  \r\nThe phishing site looks much like the real one. To make the phishing sites appear more legitimate, there is a fake\r\nchatbox with randomly selected phrases based on current events. The following screens show the phishing CS:GO\r\nsite (top) and the actual CS:GO site (bottom). \r\nFigure 1: Phishing CS:GO site\r\nhttps://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials\r\nPage 1 of 12\n\nFigure 2: Legitimate CS:GO site\r\nTo perform a custom search or add items to a cart, users are asked to sign in with their Steam credentials. As the\r\nuser clicks on the “Sign in through STEAM” button, a Steam login window pops up.\r\nFigure 3: The Steam login window\r\nNormally, the measures taken by a user to detect a phishing site include checking to see if the URL is legitimate,\r\nwhether the website is using HTTPS, and whether there is any kind of homograph in the domain, among others.\r\nIn this case, everything looks fine as the domain is steamcommunity[.]com, which is legitimate and is using\r\nHTTPS. But when we try to drag this prompt from the currently used window, it disappears beyond the edge of\r\nthe window as it is not a legitimate browser pop-up and is created using HTML in the current window.\r\nhttps://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials\r\nPage 2 of 12\n\nFigure 4: The fake browser pop-up window disappears beyond the edge\r\nFigure 5: The fake browser pop-up window created using HTML\r\nFrom the above screenshot, you can see that the browser header, address bar, and buttons to resize the window all\r\nare designed in HTML. Attackers have designed it precisely to make it look legitimate; for example, the color of\r\nthe domain is slightly darker than the URI portion, and the color of the HTTPS part changes on mouseover.\r\nWhen the victim clicks on the “Sign in through STEAM” button, the above discussed fake browser pop-up gets\r\nloaded from the below URL.\r\nhttps://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials\r\nPage 3 of 12\n\nFigure 6: The fake Steam login page, which is used as a pop-up on the main page\r\nIf a user falls for this phishing and enters the login credentials, the credentials are sent to the attacker and the user\r\nis redirected to the legitimate site (hxxps://bitskins[.]com).\r\nThis phishing campaign also uses some anti-analysis techniques by detecting if the console is open in the browser.\r\nIn this way, it prevents users from looking into the code directly. Below is the obfuscated JavaScript used to detect\r\nif the console is open.\r\nFigure 7: The obfuscated JavaScript to detect a browser console\r\nAfter two levels of deobfuscation, we can see the script that detects whether the browser console is open. If it is\r\nopen, the script activates a function, debug322(), which executes a “debugger” statement to stop the execution of\r\nthe code.\r\nhttps://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials\r\nPage 4 of 12\n\nFigure 8: The deobfuscated code to detect the browser console\r\nFigure 9: The execution of the “debugger” statement as the console is opened\r\nAs of now, ThreatLabZ has detected more than 200 domains as part of this campaign, and there are multiple other\r\ntemplates used in this campaign with similar functionalities, as discussed above.\r\nhttps://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials\r\nPage 5 of 12\n\nFigure 11: Some of the different templates used in this campaign\r\nConclusion\r\nPhishing campaigns are getting more sophisticated day by day, and attackers are using new and lesser-known\r\ntechniques in these campaigns. Most of the common checks that a user does before entering the login credentials\r\nhttps://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials\r\nPage 6 of 12\n\nto any website may not work in this campaign, such as checking the domain, use of HTTPS, etc. The Zscaler\r\nThreatLabZ team is actively working on detecting and providing coverage from such attacks.\r\nAs always, our best advice to protect yourself is to only log in to Steam directly from the steampowered.com\r\ndomain. If you are using another site that wants to log in through Steam, be sure to thoroughly research the site\r\nbefore entering any login credentials.\r\nIOCs\r\naladdinhub[.]fun\r\nallskinz[.]xyz\r\nano-skinspin[.]xyz\r\nanomalyknifes[.]xyz\r\nanomalyskin[.]xyz\r\nanomalyskinz[.]xyz\r\nanoskinzz[.]xyz\r\nberrygamble[.]com\r\nbit-skins[.]ru\r\nbitknife[.]xyz\r\nbitskines[.]ru\r\nchallengeme[.]vip\r\nchallengeme[.]in\r\nchallengme[.]ru\r\ncmepure[.]com\r\ncmskillcup[.]com\r\ncounterpaid[.]xyz\r\ncounterspin[.]top\r\ncounterstrikegift[.]xyz\r\ncs-beast[.]xyz\r\ncs-lucky[.]xyz\r\ncs-pill[.]xyz\r\ncs-prizeskins[.]xyz\r\ncs-prizeskinz[.]xyz\r\ncs-simpleroll[.]xyz\r\ncs-skinz[.]xyz\r\ncs-smoke[.]xyz\r\ncs-spinz[.]xyz\r\ncs-victory[.]xyz\r\ncsallskin[.]xyz\r\ncsbuyskins[.]in\r\ncscoat[.]eu\r\ncsgo-analyst[.]com\r\ncsgo-cash[.]eu\r\nhttps://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials\r\nPage 7 of 12\n\ncsgo-steamanalyst[.]net\r\ncsgo-swapskin[.]com\r\ncsgo-trade[.]net\r\ncsgo-up[.]com\r\ncsgobeats[.]com\r\ncsgocase[.]one\r\ncsgocashs[.]com\r\ncsgocheck[.]ru\r\ncsgocompetive[.]com\r\ncsgodetails[.]info\r\ncsgodreamer[.]com\r\ncsgodrs[.]com\r\ncsgoelite[.]xyz\r\ncsgoencup[.]com\r\ncsgoevent[.]xyz\r\ncsgoindex[.]ru\r\ncsgoitemdetails[.]com\r\ncsgoitemsprices[.]com\r\ncsgoko[.]tk\r\ncsgomarble[.]xyz\r\ncsgomarketplace[.]net\r\ncsgomarkets[.]net\r\ncsgoprocupgo[.]com\r\ncsgorcup[.]com\r\ncsgorose[.]com\r\ncsgoroyalskins1[.]com\r\ncsgoskill[.]ru\r\ncsgoskinprices[.]com\r\ncsgoskinsinfo[.]com\r\ncsgoskinsroll[.]com\r\ncsgosteamanalysis[.]com\r\ncsgosteamanalyst[.]ru\r\ncsgoteammate[.]gq\r\ncsgothunby[.]com\r\ncsgotrades[.]net\r\ncsgovip[.]ru\r\ncsgoxgiveaway[.]ru\r\ncsgozone[.]net[.]in\r\ncsgunskins[.]xyz\r\ncsmoneyskinz[.]xyz\r\ncsmvcecup[.]com\r\ncsprices[.]in\r\nhttps://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials\r\nPage 8 of 12\n\ncsskillpro[.]xyz\r\ncsskinz[.]xyz\r\ncstournament[.]ru\r\ncsxrnoney[.]com\r\ncybergamearena[.]ru\r\nd2cups[.]com\r\nd2faceit[.]com\r\ndeamonbets[.]ru\r\ndemonbets[.]ru\r\ndiablobets[.]com\r\ndoatgiveaway[.]top\r\ndopeskins[.]com\r\ndota2fight[.]ru\r\ndota2fight[.]net\r\ndota2giveaway[.]top\r\ndota2giveaways[.]top\r\ndotafights[.]vip\r\ndotagiveaway[.]win\r\nearnskinz[.]xyz\r\nemeraldbets[.]ru\r\nesportgaming[.]ru\r\nevent-games4roll[.]com\r\nexchangeuritems[.]gq\r\nextraskinscs[.]xyz\r\nezwin24[.]ru\r\nfaceiteasyleague[.]ru\r\nfireopencase[.]com\r\nfree-skins[.]ru\r\ngame4roll[.]com\r\ngameluck[.]ru\r\ngames-roll[.]ru\r\ngames-roll[.]ml\r\ngames-roll[.]ga\r\ngiveawayskin[.]com\r\nglobal-skins[.]gq\r\nglobalcsskins[.]xyz\r\nglobalskins[.]tk\r\ngoldendota[.]com\r\ngoodskins[.]gq\r\ngosteamanalyst[.]com\r\ngtakey[.]ru\r\nhellgiveaway[.]trade\r\nhttps://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials\r\nPage 9 of 12\n\nhltvcsgo[.]com\r\nhltvgames[.]net\r\nknifespin[.]top\r\nknifespin[.]xyz\r\nknifespin[.]top\r\nknifespins[.]xyz\r\nknifez-roll[.]xyz\r\nknifez-win[.]xyz\r\nleague-csgo[.]com\r\nlehatop-01[.]ru\r\nloungeztrade[.]com\r\nlucky-skins[.]xyz\r\nmakson-gta[.]ru\r\nmaxskins[.]xyz\r\nmvcsgo[.]com\r\nmvpcup[.]ru\r\nmvptournament[.]com\r\nmygames4roll[.]com\r\nnight-skins[.]com\r\nownerbets[.]com\r\nplayerskinz[.]xyz\r\nrangskins[.]com\r\nroll-skins[.]ru\r\nroll4knife[.]xyz\r\nrollknfez[.]xyz\r\nrollskin-simple[.]xyz\r\ncsgo-market[.]ru[.]com\r\nsakuralive[.]ru[.]com\r\ncsgocupp[.]ru[.]com\r\ncsgoeasywin[.]ru[.]com\r\ncsgocybersport[.]ru[.]com\r\ncsgocheck[.]ru[.]com\r\ncsgo-market[.]ru[.]com\r\ncsgoindex[.]ru[.]com\r\nrushbskins[.]xyz\r\nrushskins[.]xyz\r\ns1mple-spin[.]xyz\r\nsimple-knifez[.]xyz\r\nsimple-win[.]xyz\r\nsimplegamepro[.]ru\r\nsimpleroll-cs[.]xyz\r\nsimplespinz[.]xyz\r\nhttps://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials\r\nPage 10 of 12\n\nsimplewinz[.]xyz\r\nskin-index[.]com\r\nskin888trade[.]com\r\nskincs-spin[.]xyz\r\nskincs-spin[.]top\r\nskinmarkets[.]net\r\nskins-hub[.]top\r\nskins-info[.]net\r\nskins-jungle[.]xyz\r\nskinsboost[.]ru\r\nskinsdatabse[.]com\r\nskinsind[.]com\r\nskinsmind[.]ru\r\nskinspace[.]ru\r\nskinsplane[.]com\r\nskinsplanes[.]com\r\nskinsplanets[.]com\r\nskinxmarket[.]site\r\nskinz-spin[.]top\r\nskinz-spin[.]xyz\r\nskinzjar[.]ru\r\nskinzprize[.]xyz\r\nskinzspin-cs[.]xyz\r\nskinzspinz[.]xyz\r\nspin-games[.]com\r\nspin4skinzcs[.]top\r\nspin4skinzcs[.]xyz\r\nspinforskin[.]ml\r\nsponsored-simple[.]xyz\r\nstaffstatsgo[.]com\r\nstarrygamble[.]com\r\nstat-csgo[.]ru\r\nstats-cs[.]ru\r\nsteam-analyst[.]ru\r\nsteamanalysts[.]com\r\nsteamgamesroll[.]ru\r\nstewie2k-giveaway-150days[.]pro\r\nsunnygamble[.]com\r\nswapskins[.]live\r\ntest-domuin2[.]com\r\ntest-domuin3[.]ru\r\ntest-domuin4[.]ru\r\nhttps://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials\r\nPage 11 of 12\n\ntest-domuin5[.]ru\r\ntournamentt[.]com\r\nwaterbets[.]ru\r\nultimateskins[.]xyz\r\nwin-skin[.]top\r\nwin-skin[.]xyz\r\nwinknifespin[.]xyz\r\nwinskin-simple[.]xyz\r\nwinskins[.]top\r\nwintheskin[.]xyz\r\n \r\nSource: https://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials\r\nhttps://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials"
	],
	"report_names": [
		"fake-sites-stealing-steam-credentials"
	],
	"threat_actors": [],
	"ts_created_at": 1775439137,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/85b269bd49930f6cbc3bf902e4190f43d52ac3e6.pdf",
		"text": "https://archive.orkl.eu/85b269bd49930f6cbc3bf902e4190f43d52ac3e6.txt",
		"img": "https://archive.orkl.eu/85b269bd49930f6cbc3bf902e4190f43d52ac3e6.jpg"
	}
}