Steam phishing attempt warning! Read!

  • I have already posted this on the bastage forum but I'd rather do it here too to make sure a maximum of people read it.

    I received a friend invite from a random person who later on sent me an email prompting me to participate in a "spin the wheel" game where you are supposed to win a game. You are required to "link" your Steam account, so you are directed to a Steam login page that is a fake page. I repeat, it is not a Steam login page, it is a phishing page meant to steal your Steam account information.

    If you have received a similar message or have entered your steam credentials recently in a website you were provided through similar ways, CHANGE YOUR STEAM PASSWORD NOW! And any other accounts you have that use the same password.

    This is the message I was sent:
    alt text

  • what if I try to phish the Phisher ? xD and troll him

  • steam uses email to verify new devices right? keep different pass'es on stuff

  • @Doasis they might have a bot that tries to log in with the credentials he phished, then the bot logs in to the real server > the real server sends a code to the email > the bot asks for it > boom, account gone.
    @Marko same case but it is even easier, they do the same process up to the email but this time they ask for the code from the phone, and when you send it to them, they log in to the real servers with your credentials and the authentication code, boom, gone.

    EDIT: Not all phishers are that smart, but if they are then rip. Usually phishers are hungry and they don't even think about it. I don't have any experience, but I see it's possible when doing some work.

  • @Zei said in Steam phishing attempt warning! Read!:

    what if I try to phish the Phisher ? xD and troll him

    They are all mostly bots anyway, I got like 10 invites so far from bot accounts with girls' names and profile pictures. They are programmed to type a greeting like "Hello" or "Hi" and once you respond to that they will immediately send the phishing link.

  • @Xavier ikr, but would be epic if it's a real human xD

  • Thanks for this information, @Angelo

  • alt text

    To be honest, that's what happens if you add strangers on steam, never accept friend requests from people you don't know, or haven't played a game with.

  • @Angelo
    Pretty easy solution, add Steam authentication on your phone and make sure your email password is not the same as your Steam password and uh, make a PIN code?

  • First of all, the accounts these phishing messages originate from are mostly all bots. Message them as much as you like, you won't get a reply apart from the same phishing message you received in the first place, probably a couple of hours later. Phishing a bot won't work!

    Steam 2FA that uses TOTP for mobile authentication won't save you. If you go to these websites and sign in, they have integrated APIs so that you can log in to Steam through their website. After you've entered your OTP (one-time passcode), a selected bot simply has access to your account. From there, it can remove your phone number and e-mail (Steam allows users to change their e-mail if they have Steam Guard on). At that point, all mechanisms used to recover your account do not exist.

    You can open a ticket with Steam support if your account gets hacked, and they usually parse through the recent activity (changes in e-mails, phones and IP addresses) and generally you get your account back. At that point, damage has probably already been done. Getting friends to flag your account for review actually helps tremendously, especially if you have been friends with them for a lengthy period of time.

    Primarily, the bots hack accounts, and then message friends of that user's account with phishing messages too. Everyone gets caught up in trust and more people get hacked.

    Usually all these bots are affiliated with CS:GO gambling and all that poxy nonsense.

  • @Bidrift said in Steam phishing attempt warning! Read!:

    @Angelo
    Pretty easy solution, add Steam authentication on your phone and make sure your email password is not the same as your Steam password and uh, make a PIN code?

    You still didn't understand: if they have a bot that is made with brains, it's almost impossible to know, unless you check the site address and the code requester country. Let me explain how it happens.
    1. You put in your credentials and press the log-in button on the fake site.
    2. The bot tries to log in with these credentials to the real Steam site.
    3. The second step triggers Steam to send a code, and the bot can detect if you are using phone or email verification.
    4. The site displays a verification process that depends on how your account is protected, by phone or email like I said.
    5. Now you send your verification code to the site.
    6. The bot logs in to your account.
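
The "check the site address" step from the post above, as an added example that is not part of any post in this thread: a small Python check that classifies a sign-in URL before a password is typed into it. It assumes an allow-list of Valve's two sign-in domains; the function names and the sample URLs (reserved `.example` names) are constructed for illustration.

```python
from urllib.parse import urlsplit

# Allow-list assumed by this example: Valve's two domains used for Steam sign-in.
OFFICIAL = ("steamcommunity.com", "steampowered.com")

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_login_url(url):
    """Return 'official', 'suspicious' or 'unrelated' for a sign-in page URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "unrelated"
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        # The real domain over plain http is still no place to type a password.
        return "official" if parts.scheme == "https" else "suspicious"
    # Brand name elsewhere in the authority: as a subdomain of another site,
    # or in the userinfo part before an '@' (the real host is what follows it).
    tokens = host.split(".") + [(parts.username or "").lower()]
    for token in tokens:
        if "steam" in token:
            return "suspicious"
        if any(edit_distance(token, d.split(".")[0]) <= 2 for d in OFFICIAL):
            return "suspicious"
    return "unrelated"

# Constructed sample URLs, not taken from the thread.
SAMPLES = [
    "https://steamcommunity.com/openid/login",
    "https://steamcommunity.com.spin-wheel.example/login",
    "https://steamcommunity.com@wheel.example/login",
    "https://stearncommunity.example/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_login_url(sample), sample)
```

The check works on ASCII host names only; internationalised look-alike domains would need the punycode labels decoded and compared as well.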

  • @Hassanson said in Steam phishing attempt warning! Read!:

    @Bidrift said in Steam phishing attempt warning! Read!:

    @Angelo
    Pretty easy solution, add Steam authentication on your phone and make sure your email password is not the same as your Steam password and uh, make a PIN code?

    You still didn't understand: if they have a bot that is made with brains, it's almost impossible to know, unless you check the site address and the code requester country. Let me explain how it happens.
    1. You put in your credentials and press the log-in button on the fake site.
    2. The bot tries to log in with these credentials to the real Steam site.
    3. The second step triggers Steam to send a code, and the bot can detect if you are using phone or email verification.
    4. The site displays a verification process that depends on how your account is protected, by phone or email like I said.
    5. Now you send your verification code to the site.
    6. The bot logs in to your account.

    And that's why a PIN code on everything does exist

  • No offense, but at the first point you must be stupid asf to even accept that 'friend request'. In this world, nothing is gifted for you. Old, yet gold advice.

  • @Bidrift if you didn't know, Steam doesn't use a PIN code verification process, only email or phone. When they get your email or phone verification code, say goodbye to your account. Of course you can have a PIN code on email, but Steam phishers don't try to steal your email.....

  • There are people like me who accept friend invites from "random" people, people you might have played with, you can't remember all. There is nothing wrong with accepting friend invites, it won't get you hacked. I have actually accepted what appeared to be "random" invites and turned out to be SAES players or people I played with on other games. You can still get these sort of stuff from people you played with, nothing is guaranteed since you actually don't know the person.

    For all of you saying Steam Guard and email verification, go ahead and enter your Steam account on the website since you're so certain you're protected. There are ways around 2FA and email verification if the hacker knows what they're doing. But more simply, some people use the same email/password or the same password across several platforms, so there is that too.

    This was just friendly advice and maybe a reminder so that you pay attention to this sort of thing in the future, take it or leave it, up to you.

    edit: also, while I'm not certain, it did not seem like a bot, he had a few games on his account. If it is, it's probably a hacked account or so. Doesn't change anything however, bot or not. I made my point.