Cyber101: Nothing is Ever Really Free

A reader wrote in to ask: “I saw that someone was sending out fake free Steam games, but that it was actually a phishing scheme to steal your credentials. Is it a real threat?”

Yup, it is. [How to Protect Your Steam Account From Hackers: Cyber Experts Warn of ‘Free Game’ Account Hijacks] It seems that the latest trick of phishing scammers is to try to get you to sign in to your Steam account in order to steal your username and password when you enter it into the fake site they send you to. The bait for this phish? They’re offering a free game if you follow the link and log in.

Now, in addition to phishing scams, there are a lot of reasons to be wary of anything being offered for free. Let’s take a look at the major problems with free games, apps, and other services:

1 – It’s a scam or threat. Offering free stuff gets a lot of people to click on links in emails and on shady websites. That means this automatically becomes a favorite pastime for threat actors – offer some kind of free app or service and harvest all the information that people type into the fake page you set up. Remember that Microsoft, Apple, Amazon, and others will always send you to their main site to claim rewards and/or prizes – they don’t expect you to click on the link in an email these days.

2 – It’s a real app or service, but you don’t pay with money. Let’s face it, companies are in business to make money – and as an employee of a company that makes money by selling stuff I have no issue with that. Any product, app, service, or offer they make is with the end-goal of making money in mind. So, if they’re not taking your cash for whatever it is they’re offering, what are they taking instead? The short answer is: Your Information. Information about where you live, work, and play can be extremely valuable, and mobile applications can have access to location information. Data on what you interact with online is a gold mine for advertisers, and so tracking what you click on can result in a payday. Who you are – your age, race, sex, salary bracket, etc. – is also extremely valuable to advertisers; and free apps often ask for at least some of that info in order to sell it to the ad companies. Always remember that nothing is truly free; so if you’re not handing over actual currency, you’re paying for it with every click, swipe, and move you make instead.

3 – It looks free, but really isn’t. Again, companies are here to make money. However, some companies will offer a “free” application that is only a fraction of the full functionality you’d need to actually use the app. A great example is some of the worst variants of free-to-play games. Sure, you could theoretically spend 40 hours a week playing to get the good gear; but in all likelihood you’re going to buy in-game currency with real money in order to get what you want. Some take things further, locking critical and necessary features behind a subscription fee which makes the free app next to useless. Any time there are in-app purchases, you should be asking what you get before you have to pay. If that’s not the feature set or fun stuff you want and/or need; find another app instead – or buy the add-ons if you like the app and the company it comes from and want to support them.

In this case, we have a clear example of #1 – It’s a scam/threat. The thieves are offering a free Steam game, so long as you follow the link in the email (which you, of course, should never do). That link goes to a fake Steam site, where you are presented with the opportunity to log in to your Steam account. Once you do, the attacker has your username and password, and they’re off to the races trying to get as much information and free stuff for themselves (by buying themselves games and apps as gifts from your account) as they can; while you get no free game at all.

Protecting yourself is a matter of not clicking on the link in the phishing email or being lured by the offer of the free game on a website. Always remember that if there is something you can get for free on Steam; you can get it by going to the Steam website and logging in manually – or opening the Steam app on your desktop/laptop. Additionally, turn on SteamGuard – Steam’s 2-factor login system. It’s easy to use and stops this kind of scam dead in its tracks.

Remember, nothing is ever truly free. If you’re not paying cash, then either they want your account (in the worst case) or they want all your information (as a best case). If it’s a company you trust, then giving them your information in exchange for a free app or service might be acceptable; after all, we do that with Google all the time. If it is a company that normally charges money, or if you don’t know and trust that company; skip the free app and look elsewhere for services and entertainment.

*Mike Talon is a Cybersecurity Architect and Journalist in New York. He’s currently working as the Solution Architect for the Greater New York City Area for SKOUT CYBERSECURITY*