Steam phishing attempt warning! Read!


Angelo

I have already posted this on the bastage forum, but I'd rather do it here too to make sure the maximum number of people read it.


I received a friend invite from a random person who later on sent me an email prompting me to participate in a "spin the wheel" game where you are supposed to win a game. You are required to "link" your Steam account, so you are directed to a Steam login page that is a fake page. I repeat, it is not a Steam login page, it is a phishing page meant to steal your Steam account information.


If you have received a similar message or have recently entered your Steam credentials on a website you were sent to in a similar way, CHANGE YOUR STEAM PASSWORD NOW! And on any other accounts you have that use the same password.


This is the message I was sent: [screenshot of the message; image not included]



@Doasis they might have a bot that tries to log in with the credentials they phished: the bot logs in to the real server > the real server sends a code to the email > the bot asks you for it > boom, account gone.
@Marko same case, but it is even easier: they do the same process up to the email step, but this time they ask for the code from your phone, and when you send it to them, they log in to the real servers with your credentials and the authentication code, boom, gone.


EDIT: Not all phishers are that smart, but if they are, then rip. Usually phishers are hungry and don't even think about it. I don't have any experience, but I see it's possible when doing some work.



First of all, the accounts these phishing messages originate from are mostly all bots. Message them as much as you like, you won't get a reply apart from the same phishing message you received in the first place, probably a couple of hours later. Phishing a bot won't work!


Steam 2FA that uses TOTP for mobile authentication won't save you. If you go to these websites and sign in, they have integrated APIs so that you can log in to Steam through their website. After you've entered your OTP (one-time passcode), a selected bot simply has access to your account. From there, it can remove your phone number and e-mail (Steam allows users to change their e-mail if they have Steam Guard on). At that point, all mechanisms used to recover your account no longer exist.


You can open a ticket with Steam Support if your account gets hacked, and they usually parse through the recent activity (changes in e-mails, phones and IP addresses), and generally you get your account back. At that point, the damage has probably already been done. Getting friends to flag your account for review actually helps tremendously, especially if you have been friends with them for a lengthy period of time.


Primarily, the bots hack accounts and then message the friends of that user's account with phishing messages too. Everyone gets caught up in trust and more people get hacked.


Usually all these bots are affiliated with CS:GO gambling and all that poxy nonsense.



@Bidrift said in Steam phishing attempt warning! Read!:

@Angelo
Pretty easy solution: add Steam authentication on your phone and make sure your email password is not the same as your Steam password and, uh, make a PIN code?



You still didn't understand. If they have a bot that is made with a brain, it's almost impossible to know, unless you check the site address and the code requester's country. Let me explain how it happens.
1. You enter your credentials and press the log-in button on the fake site.
2. The bot tries to log in with these credentials on the real STEAM site.
3. The 2-step verification triggers STEAM to send a code, and the bot can detect whether you are using phone or email verification.
4. The site displays a verification process that depends on how your account is protected, by phone or by email, like I said.
5. Now you send your verification code to the site.
6. The bot logs in to your account.
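The relay in the steps above leaves a trace on the legitimate side: the one-time code is redeemed from the bot's host rather than the victim's, and the recovery e-mail and phone are changed minutes later. As an added example, not from this thread or from Steam, here is a small Python check over constructed sign-in events (the event names, fields, IP address and countries are all assumed) that flags both signals:

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events for one account (UTC timestamps).
# These are not real Steam logs; the event names and fields are assumed.
# Scenario from the thread: the victim types the password and the emailed
# code into the fake site, the bot replays both from its own host (203.0.113.5,
# a documentation-range address), then strips the recovery e-mail and phone.
SAMPLE_EVENTS = [
    {"t": "2024-03-01T10:00:00", "type": "password_ok",   "ip": "203.0.113.5", "country": "DE"},
    {"t": "2024-03-01T10:00:02", "type": "2fa_sent",      "ip": "203.0.113.5", "country": "DE"},
    {"t": "2024-03-01T10:01:10", "type": "2fa_ok",        "ip": "203.0.113.5", "country": "DE"},
    {"t": "2024-03-01T10:03:30", "type": "email_changed", "ip": "203.0.113.5", "country": "DE"},
    {"t": "2024-03-01T10:04:00", "type": "phone_removed", "ip": "203.0.113.5", "country": "DE"},
]

# Countries this account normally signs in from (constructed profile).
USUAL_COUNTRIES = {"FR"}

# Events that remove the recovery paths support would otherwise rely on.
RECOVERY_CHANGES = {"email_changed", "phone_removed"}


def _ts(event):
    return datetime.fromisoformat(event["t"])


def takeover_indicators(events, usual_countries, window_minutes=15):
    """Return indicator strings for an OTP-relay takeover, in event order.

    Signal 1: the one-time code was redeemed from a country the account
    never uses (the code requester, not the victim, talks to the real site).
    Signal 2: a recovery contact was changed within window_minutes of that
    2FA success, which is what locks the real owner out.
    """
    window = timedelta(minutes=window_minutes)
    findings = []
    last_2fa = None
    for e in sorted(events, key=_ts):
        if e["type"] == "2fa_ok":
            last_2fa = e
            if e["country"] not in usual_countries:
                findings.append(
                    f"2FA code redeemed from unusual country {e['country']} ({e['ip']})")
        elif e["type"] in RECOVERY_CHANGES and last_2fa is not None:
            gap = _ts(e) - _ts(last_2fa)
            if gap <= window:
                findings.append(
                    f"{e['type']} {int(gap.total_seconds())}s after 2FA from {e['ip']}")
    return findings
```

A legitimate sign-in from the account's usual country with no follow-up contact changes produces no findings, so the check only fires on the relay pattern the thread describes.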



@Hassanson said in Steam phishing attempt warning! Read!:

@Bidrift said in Steam phishing attempt warning! Read!:

@Angelo
Pretty easy solution: add Steam authentication on your phone and make sure your email password is not the same as your Steam password and, uh, make a PIN code?

You still didn't understand. If they have a bot that is made with a brain, it's almost impossible to know, unless you check the site address and the code requester's country. Let me explain how it happens.
1. You enter your credentials and press the log-in button on the fake site.
2. The bot tries to log in with these credentials on the real STEAM site.
3. The 2-step verification triggers STEAM to send a code, and the bot can detect whether you are using phone or email verification.
4. The site displays a verification process that depends on how your account is protected, by phone or by email, like I said.
5. Now you send your verification code to the site.
6. The bot logs in to your account.

And that's why a PIN code on everything does exist.



@Bidrift if you didn't know, STEAM doesn't use a PIN code verification process, only email or phone. When they get your email or phone verification code, say goodbye to your account. Of course you can have a PIN code on your email, but STEAM phishers don't try to steal your email...



There are people like me who accept friend invites from "random" people, people you might have played with; you can't remember them all. There is nothing wrong with accepting friend invites, it won't get you hacked. I have actually accepted what appeared to be "random" invites that turned out to be SAES players or people I played with in other games. You can still get this sort of stuff from people you played with, nothing is guaranteed, since you don't actually know the person.


For all of you saying "Steam Guard and email verification", go ahead and enter your Steam account on the website, since you're so certain you're protected. There are ways around 2FA and email verification if the hacker knows what they're doing. But more simply, some people use the same email/password or the same password across several platforms, so there is that too.


This was just friendly advice and maybe a reminder so that you pay attention to this sort of thing in the future; take it or leave it, up to you.


edit: also, while I'm not certain, it did not seem like a bot; he had a few games on his account. If it is, it's probably a hacked account or so. Doesn't change anything, however, bot or not. I made my point.

