{"id":29742,"date":"2021-09-27T11:43:51","date_gmt":"2021-09-27T15:43:51","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/bloodystealer-and-gaming-accounts-in-darknet\/29742\/"},"modified":"2021-09-29T22:41:20","modified_gmt":"2021-09-29T11:41:20","slug":"bloodystealer-and-gaming-accounts-in-darknet","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/bloodystealer-and-gaming-accounts-in-darknet\/29742\/","title":{"rendered":"BloodyStealer is hunting for gamers"},"content":{"rendered":"<p>In March this year, our experts <a href=\"https:\/\/securelist.com\/bloodystealer-and-gaming-assets-for-sale\/104319\/\" target=\"_blank\" rel=\"nofollow noopener\">discovered<\/a> an ad on an underground forum for a piece of malware dubbed BloodyStealer by its creators.<\/p>\n<p>The ad states that it steals the following data from infected devices:<\/p>\n<ul>\n<li>Passwords, <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/cookie\/\" target=\"_blank\" rel=\"noopener\">cookies<\/a>, bank card details, browser autofill data;<\/li>\n<li>Device data;<\/li>\n<li>Screenshots;<\/li>\n<li>Desktop and uTorrent client files;<\/li>\n<li>Bethesda, Epic Games, GOG, Origin, Steam, Telegram, and VimeWorld client <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/session-theft-session-hijacking\/\" target=\"_blank\" rel=\"noopener\">sessions<\/a>;<\/li>\n<li>Logs.<\/li>\n<\/ul>\n<div id=\"attachment_42161\" style=\"width: 1770px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/09\/28031830\/bloodystealer-and-gaming-accounts-in-darknet-screen-1.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-42161\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/09\/28031830\/bloodystealer-and-gaming-accounts-in-darknet-screen-1.png\" alt=\"BloodyStealer ad\" width=\"1760\" height=\"860\" class=\"size-full 
wp-image-29762\"><\/a><p id=\"caption-attachment-42161\" class=\"wp-caption-text\">BloodyStealer ad. <a href=\"https:\/\/twitter.com\/3xp0rtblog\/status\/1380087553676697617\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<p>What struck us was that most of the listed programs are game-related, which suggests that gamer accounts and their contents are in demand on the underground market. We decided to examine in detail exactly what risks gamers face.<\/p>\n<h2>BloodyStealer conquers the world<\/h2>\n<p>Although BloodyStealer is relatively new, it is already globe-trotting. According to our data, the malware has hit users in Europe, Latin America, and the Asia-Pacific region \u2014 not so surprising given its <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/malware-as-a-service-maas\/\" target=\"_blank\" rel=\"noopener\">malware-as-a-service (MaaS)<\/a> distribution model, meaning anyone can buy it and the price is quite low (about $10 per month or roughly $40 for a \u201clifetime license\u201d).<\/p>\n<p>In addition to its theft functions, the malware has a set of tools meant to thwart analysis (read more about them <a href=\"https:\/\/securelist.com\/bloodystealer-and-gaming-assets-for-sale\/104319\/\" target=\"_blank\" rel=\"nofollow noopener\">here<\/a>). It sends stolen information as a ZIP archive to the C&amp;C server, which is protected against DDoS and other Web attacks. The cybercriminals use either the (quite basic) control panel or Telegram to get the data, including gamer accounts.<\/p>\n<h2>Not by BloodyStealer alone<\/h2>\n<p>BloodyStealer is just one of many tools available on the dark web for stealing gamer accounts. Cybercriminals sell other types of malware, many of which have been on the market longer than BloodyStealer. 
In addition, underground forums often feature ads offering to post a malicious link on a popular website or selling tools to generate phishing pages automatically.<\/p>\n<div id=\"attachment_42162\" style=\"width: 2058px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/09\/28031843\/bloodystealer-and-gaming-accounts-in-darknet-screen-2.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-42162\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/09\/28031843\/bloodystealer-and-gaming-accounts-in-darknet-screen-2.png\" alt=\"Cybercriminal sells BlackMafia phishing tool to create fake PUBG pages\" width=\"2048\" height=\"375\" class=\"size-full wp-image-29745\"><\/a><p id=\"caption-attachment-42162\" class=\"wp-caption-text\">Cybercriminal sells BlackMafia phishing tool to create fake PUBG pages<\/p><\/div>\n<p>With the aid of these tools, cybercriminals can collect, and then try to monetize, a huge amount of credentials. All kinds of offers related to gamer accounts can be found on the dark web.<\/p>\n<h2>Logs for wholesale access<\/h2>\n<p>Among the most popular products are so-called <em>logs<\/em> \u2014 databases containing reams of data for logging into accounts. In their ads, attackers can specify the types of data, the geography of users, the period over which the logs were collected, and other details. For example, in the screenshot below, an underground forum member offers an archive with 65,600 records, of which 9,000 are linked to users from the US, and 5,000 to residents of India, Turkey, and Canada. 
The entire archive costs $150 (about 0.2 cents per record).<\/p>\n<div id=\"attachment_42163\" style=\"width: 1290px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/09\/28031853\/bloodystealer-and-gaming-accounts-in-darknet-screen-3.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-42163\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/09\/28031853\/bloodystealer-and-gaming-accounts-in-darknet-screen-3.png\" alt=\"Dark-web ad for the sale of logs for August 2021\" width=\"1280\" height=\"780\" class=\"size-full wp-image-29747\"><\/a><p id=\"caption-attachment-42163\" class=\"wp-caption-text\">Dark-web ad for the sale of logs for August 2021<\/p><\/div>\n<p>That said, these databases can contain outdated or even useless information, and so some sellers let buyers check the logs to confirm they\u2019re up to date.<\/p>\n<div id=\"attachment_42164\" style=\"width: 2058px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/09\/28031903\/bloodystealer-and-gaming-accounts-in-darknet-screen-4.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-42164\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/09\/28031903\/bloodystealer-and-gaming-accounts-in-darknet-screen-4.png\" alt=\"Another dark-web ad: Fresh logs for $300 per 1,000 records\" width=\"2048\" height=\"703\" class=\"size-full wp-image-29749\"><\/a><p id=\"caption-attachment-42164\" class=\"wp-caption-text\">Another dark-web ad: Fresh logs for $300 per 1,000 records<\/p><\/div>\n<h2>Gamer accounts, games, and inventory<\/h2>\n<p>Cybercriminals sell access to specific gaming accounts as well, both individually and wholesale. Unsurprisingly, accounts with many games, add-ons, and expensive items hold particular value. 
Typically cybercriminals sell them at huge discounts.<\/p>\n<div id=\"attachment_42165\" style=\"width: 1326px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/09\/28031914\/bloodystealer-and-gaming-accounts-in-darknet-screen-5.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-42165\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/09\/28031914\/bloodystealer-and-gaming-accounts-in-darknet-screen-5.png\" alt=\"A cybercriminal selling 280,000 gamer accounts for just $4,000\" width=\"1316\" height=\"602\" class=\"size-full wp-image-29751\"><\/a><p id=\"caption-attachment-42165\" class=\"wp-caption-text\">A cybercriminal selling 280,000 gamer accounts for just $4,000<\/p><\/div>\n<p>Account content is also traded, again for a fraction of its real value. On the dark web, for example, you can find <em>Need for Speed<\/em> and other titles selling for less than 50 cents.<\/p>\n<div id=\"attachment_42166\" style=\"width: 1600px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/09\/28031924\/bloodystealer-and-gaming-accounts-in-darknet-screen-6.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-42166\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/09\/28031924\/bloodystealer-and-gaming-accounts-in-darknet-screen-6.png\" alt=\"Games from stolen accounts are sold for a song\" width=\"1590\" height=\"408\" class=\"size-full wp-image-29753\"><\/a><p id=\"caption-attachment-42166\" class=\"wp-caption-text\">Games from stolen accounts are sold for a song<\/p><\/div>\n<p>In-game items are also in circulation.<\/p>\n<div id=\"attachment_42167\" style=\"width: 1610px\" class=\"wp-caption aligncenter\"><a 
href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/09\/28031933\/bloodystealer-and-gaming-accounts-in-darknet-screen-7.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-42167\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/09\/28031933\/bloodystealer-and-gaming-accounts-in-darknet-screen-7.png\" alt=\"Discounted skins on the underground market\" width=\"1600\" height=\"660\" class=\"size-full wp-image-29755\"><\/a><p id=\"caption-attachment-42167\" class=\"wp-caption-text\">Discounted skins on the underground market<\/p><\/div>\n<h2>How to avoid falling victim to BloodyStealer and other thieves<\/h2>\n<p>Having games and in-game items sold off is not the only problem that awaits the owner of a stolen account. Cybercriminals or buyers (it makes little difference to the victim) can use the account to launder money, distribute phishing links, and do other illegal things. To avoid falling prey to cybercriminals, make sure your accounts and devices are secure.<\/p>\n<ul>\n<li>Protect your accounts with strong passwords, enable two-factor authentication, and generally max out the platform\u2019s security settings (see our guides for <a href=\"https:\/\/www.kaspersky.com\/blog\/steam-privacy-security\/33981\/\" target=\"_blank\" rel=\"noopener nofollow\">Steam<\/a>, <a href=\"https:\/\/www.kaspersky.com\/blog\/battlenet-privacy-security\/37490\/\" target=\"_blank\" rel=\"noopener nofollow\">Battle.net<\/a>, <a href=\"https:\/\/www.kaspersky.com\/blog\/origin-privacy-security\/37602\/\" target=\"_blank\" rel=\"noopener nofollow\">Origin<\/a>, <a href=\"https:\/\/www.kaspersky.com\/blog\/twitch-privacy-security\/34519\/\" target=\"_blank\" rel=\"noopener nofollow\">Twitch<\/a>, and <a href=\"https:\/\/www.kaspersky.com\/blog\/discord-privacy-security\/38546\/\" target=\"_blank\" rel=\"noopener nofollow\">Discord<\/a> users).<\/li>\n<li>Download apps only from official 
sources to minimize the chances of picking up BloodyStealer or other malware.<\/li>\n<li>Be wary of links in e-mails and messages from strangers.<\/li>\n<li>Before entering your credentials on any website, make sure it\u2019s genuine.<\/li>\n<li>Use a reliable security solution. For example, <a href=\"https:\/\/www.kaspersky.com.au\/premium?icid=au_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a> blocks BloodyStealer <a href=\"https:\/\/www.kaspersky.com\/blog\/kaspersky-settings-for-steam\/35875\/\" target=\"_blank\" rel=\"noopener nofollow\">and doesn\u2019t interfere with gameplay<\/a>.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"ksc-gaming\">\n","protected":false},"excerpt":{"rendered":"<p>Gamer accounts are in demand on the underground market. Proof positive is BloodyStealer, which steals account data from popular gaming stores.<\/p>\n","protected":false},"author":2477,"featured_media":29757,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2646],"tags":[1853,3471,3402,647,2636,164,611],"class_list":{"0":"post-29742","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-tips","9":"tag-bloodystealer","10":"tag-darknet","11":"tag-gamers","12":"tag-origin","13":"tag-steam","14":"tag-telegram"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/bloodystealer-and-gaming-accounts-in-darknet\/29742\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/bloodystealer-and-gaming-accounts-in-darknet\/23376\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/bloodystealer-and-gaming-accounts-in-darknet\/18845\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/bloodystealer-and-gaming-accounts-in-darknet\/25440\/"},{"h
reflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/bloodystealer-and-gaming-accounts-in-darknet\/23509\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/bloodystealer-and-gaming-accounts-in-darknet\/22939\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/bloodystealer-and-gaming-accounts-in-darknet\/26076\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/bloodystealer-and-gaming-accounts-in-darknet\/25668\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/bloodystealer-and-gaming-accounts-in-darknet\/31536\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/bloodystealer-and-gaming-accounts-in-darknet\/10087\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/bloodystealer-and-gaming-accounts-in-darknet\/42157\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/bloodystealer-and-gaming-accounts-in-darknet\/17771\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/bloodystealer-and-gaming-accounts-in-darknet\/18161\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/bloodystealer-and-gaming-accounts-in-darknet\/27452\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/bloodystealer-and-gaming-accounts-in-darknet\/27646\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/bloodystealer-and-gaming-accounts-in-darknet\/24377\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/bloodystealer-and-gaming-accounts-in-darknet\/29538\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/gamers\/","name":"gamers"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/29742","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/b
log\/wp-json\/wp\/v2\/users\/2477"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=29742"}],"version-history":[{"count":15,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/29742\/revisions"}],"predecessor-version":[{"id":29769,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/29742\/revisions\/29769"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/29757"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=29742"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=29742"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=29742"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}