My Steam Account was Phished

[Carpet_pissr]

Jesus.

So 2FA in Steam sounds like it’s useless.

It worked perfectly. It refused to let anyone into his account without access to his 2FA codes.

2FA is still subject to biological interface errors.

(That is, dumb user mistakes - 2FA anywhere is useless if you provide a scammer with your 2FA code.)

Ah, ok, I misread initially. So he put the 2FA code that Steam generated, into a third party site? Did the 3rd party site look like/was trying to appear to be Steam?

[Blackhawk]

Ah, ok, I misread initially. So he put the 2FA code that Steam generated, into a third party site? Did the 3rd party site look like/was trying to appear to be Steam?

I didn't see any of it, but yeah, that was the impression that I got. "Three months of free Discord Nitro from Steam! Follow the link!"

His view: Follows the link. Looks like Steam. Asks for username/password. He provides it. Asks for his 2FA code. He checks his email, it's there as it normally would be when logging into Steam. He provides it. Twenty seconds later his account belongs to someone else.

The bot's view: Someone just provided username/password. Use these to attempt to log in to Steam. Steam requests a 2FA code, as you just attempted to log in, which you don't have. Knowing the user will receive the code normally, you wait. The user enters the code into what he thinks is Steam. You immediately use the code to confirm the real log-in and change the credentials. ? Profit.

[Blackhawk]

FWIW, the very first thing I did was go into my Steam friends list, find his profile, and report him. There is an option under Report Player/Involved in Scamming/Account Appears to Have Been Compromised. Then I did exactly the same thing with my other son's account (that is I used my other son's account to make a second report on him being compromised.) The idea was the trigger Steam's security to cause his account to be locked down as suspicious, and it seems to have worked.

He didn't have any valuable inventory (like CS skins) or more than a few cents in Steam credit, which is what these things are usually looking for. Once they have stripped those off of an account, or if the account doesn't have them, they use the account to contact all of the people on the friends list to try and get them to fall for it as well (that is the kind of thing that this thread has mostly been about - messages coming from compromised accounts.)

[Rumpy]

From the sounds of it, it was a scammer pretending to be a Fanatical page? Then the part where Steam usually asks for the login credentials isn't really Steam at all, but a front for collecting login credentials. Glad he was able to get the account back, but this is why I remain skeptical about 3rd-party sites like Fanatical.

A good practice to have in general is to never save credit card information.

[Blackhawk]

Also note: There is a common means of logging in to third-party sites via Steam that is legitimate, official, and supported by Steam. An example would be Steam Completionist.
If you click the log in button, it will take you to the real Steam site to log in, then Steam will provide a limited (and safe) level of access to certain elements of your profile (Steam Completionist is a very useful data sorter if you have a big collection.) However, it is still up to you to make sure that you're looking at the real Steam site and not some other site masquerading as Steam.

However, there is a zero-risk alternative:

Simply go to the real Steam site - type it in normally, or use your own shortcut, and log in normally. Now if you click the 'Log in Through Steam' button on the third party site, it will just take you to a page confirming that you want to do so. If you are already logged in to Steam on that browser, it will not ask for your username/password.

[Blackhawk]

From the sounds of it, it was a scammer pretending to be a Fanatical page? Then the part where Steam usually asks for the login credentials isn't really Steam at all, but a front for collecting login credentials. Glad he was able to get the account back, but this is why I remain skeptical about 3rd-party sites like Fanatical.

Heh, I was addressing just this as you were typing. It's completely safe to do that (with the qualifiers in my last post) as it doesn't give the site access to any of your data that isn't already public. It just links the accounts so that Steam will know which (say, Fanatical) account is yours and the other site will know which Steam account is yours. It's handy for the right sites. For example, I link my Steam account to Is There Any Deal, and it watches for any deals at any stores on my wishlist, plus warns me if any game I check on is already in my Steam account - but again, all it is getting is my wishlist and games list which are already public (via the Steam privacy settings.) It doesn't have access to any of my Steam account data.

In other words, they get exactly what you have if I link my Steam profile here. Nothing more. It just creates a more stable link between the two than a URL that I might change (some people change their vanity profile - and thus the URL - from time to time.)

[Rumpy]

Yeah, I knew that. And it seems the scammer was trying to mimic that? That's what I'm trying to understand.

[Blackhawk]

Yeah, I knew that. And it seems the scammer was trying to mimic that? That's what I'm trying to understand.

Again, I didn't see it myself. From what he told me, every indication was that when he followed the link, he was logging in directly on the Steam page. Part of the problem is that the *!&$#! Discord app (for android) uses its own browser, and you can't see the entire URL. I'm still trying to figure out how to get that changed.

[Rumpy]

Ahh, another knock on Discord. Personally not a fan of it myself, and I could see how a scammer would use link obfuscation to their advantage. In other words, they likely want the user to do this via Discord for that very reason. Seems that given Discord's heavy focus on gaming, that they should have precautions against phishing.

[Blackhawk]

Discord isn't great. But Discord is popular, which is why Discord is dominant, and why you pretty much need to use Discord if you're going to communicate with people, including any number of online groups, support groups for various games and tech, etc, etc, etc.

At least on the PC client you can tell it to use your system default browser instead of the Discord browser.

[Blackhawk]

Getting suspicious messages from Debris.

[Skinypupy]

Getting suspicious messages from Debris.

Same. Exact same message that came from Stuie when he got hacked.

[dbt1949]

Oddly, just this second I got a message from him too.

[coopasonic]

I'm hurt. I didn't get one!

[Daehawk]

Same. I posted it in my thread in the OO area too. I instantly replied that I knew he was a scammer that had Debris ' account because its the same "Hey man u busy" they always use. Told him scammers need better notes then blocked him.

[Lassr]

me too.

[Blackhawk]

He hasn't been here in four years, but I sent FYI messages to both his email and PM, just in case he can still get those. If anyone knows him outside of OO, you might want to let him know.

Strong recommendation:

Go to his profile page, then to the down arrow/drop-down in the upper right corner next to 'message.'

Report Player
Involved in scam/etc
Account has been compromised

If he gets a few of these, it'll block the hijackers from using the account until it gets sorted.

[Blackhawk]

Same. I posted it in my thread in the OO area too. I instantly replied that I knew he was a scammer that had Debris ' account because its the same "Hey man u busy" they always use. Told him scammers need better notes then blocked him.

Don't tell the bad guys how to win!

[Teggy]

Oh, haha, I figured this was going on again. I got a PM from Debris with the following, so I guess the bot has limitations about how it responds:

[4:18 PM]
Debris:
heyare u busy rn?

[4:18 PM]
Teggy:
did you get hacked?

[4:19 PM]
Debris:
lol why?

[4:20 PM]
Teggy:
because last time I got a message out of the blue it was a bot that had hacked someone

[Aliasbuck]

I got this too. Initially I was going to do it, but considering Debris has never ever DM'ed me on Steam, that was the first red flag. So I've asked him where we met. I'm not expecting an answer.

[Skinypupy]

He hasn't been here in four years, but I sent FYI messages to both his email and PM, just in case he can still get those. If anyone knows him outside of OO, you might want to let him know.

Strong recommendation:

Go to his profile page, then to the down arrow/drop-down in the upper right corner next to 'message.'

Report Player
Involved in scam/etc
Account has been compromised

If he gets a few of these, it'll block the hijackers from using the account until it gets sorted.

Done, thanks for the heads-up.

[dbt1949]

Just got another one.

[LordMortis]

Aw nobody every tries to phish me. I feel so unloved.

I do get occasional emails from FB informing that someone is trying to log in to my locked account.

[Daehawk]

I get that too. Got one today actually.

[Smoove_B]

I'm hurt. I didn't get one!

Do you set your status to Away or just leave it at "online" all the time? No idea if that increases chances or affects any of this at all, but that's my guess.

[Rumpy]

I've personally set mine to private.

[Birdman042]

Just be on the lookout. Kasey Chang is the latest victim. I sent him a PM with the info. This is a copy of the chat

[3:05 PM]
kschang77:
heyhow u doing?

[3:11 PM]
kschang77:
?

[3:59 PM]
meusferus:
Sorry didn't see this earlier. Was working.
Doing well.

[4:01 PM]
kschang77:
can you vоte for the tеam of my friends in the csgo tоurnament?

[4:02 PM]
meusferus:
What is the team name?
and where do I vote

[4:05 PM]
kschang77:
https://unicybersport.com
here u can vote
in the voting section team "SPROUT"

[4:16 PM]
kschang77:
?
do it now pl

[4:18 PM]
meusferus:
Not falling for the scam.
Fraudulant CS GO Tournament Voting Site :: Steam Discussions
https://steamcommunity.com/discussions/ ... 889974412/

[Carpet_pissr]

If, in theory, someone were to not CLICK the link being offered, but to copy and paste it into a browser, say, just to see if it was legit...ummm, would that bad? Asking for a friend...

[Birdman042]

Copy/paste link is fine. (I loaded up Brave Browser in Private mode to check out the link) On the website, when you click on the vote button, it tells you that you need to log in with your steam account to prevent bots from voting. It then opens up a separate pop-up window that looks really close to the actual "log in to website with your steam account" screen. If you were to enter that info into the pop-up, the "hacker" (I use that term very loosely) gets your steam login info.

[Carpet_pissr]

Copy/paste link is fine. (I loaded up Brave Browser in Private mode to check out the link) On the website, when you click on the vote button, it tells you that you need to log in with your steam account to prevent bots from voting. It then opens up a separate pop-up window that looks really close to the actual "log in to website with your steam account" screen. If you were to enter that info into the pop-up, the "hacker" (I use that term very loosely) gets your steam login info.

I didn't even get that far. As I pasted and "went" to see if legit (how stupid was just doing that!?!?), "he" texted me again and said "Do it now, please". At which point I promptly closed everything, including the chat window. The funny thing is that it wasn't bc that tipped me off that it wasn't him...I still assumed it was him, but DAMN how rude is that?!

Fuck you, Doppelganger Kasey Chang, get some manners!

[dbt1949]

I don't do chat so if any of you guys text me to chat chances are I'll ignore you. Just fair warning.

[Grifman]

Yep, I got the same suspicious chat messages from Kasey also today. Figured it was the same scam as earlier, came here to check. I responded just to see what they were going to say but it was a couple of hours after the message was sent to me and I never got a message back.

[TheMix]

Looks like scoop20906 is the latest victim. FYI.

[Daehawk]

blocked and reported.

[Blackhawk]

Do not block him. He doesn't deserve to be punished. Report him instead. I just gave the whole process in the Meta thread.

[JetFred]

Yep, I just got messages from three of you in a row (so far) for this. I did not login to the e-sports site with my Steam account but I changed my account password anyway.

[Blackhawk]

The (hopefully) official thread for future reports.

[$iljanus]

The (hopefully) official thread for future reports.

Locking this thread because all Steam hack reports can now be reported on a stickied thread in Meta which has all sorts of good advice as well.