In the past, as soon as you gave a scammer your password, it was extremely obvious you were hacked - you got kicked out of your Steam account and the scammer quickly changed the password to keep you out while he traded all your items away. For a while, Steam Support would restore your items by "duplicating" them (related: Is someone accusing you of having "duped" items?) so innocent and unknowing recipients of your items wouldn't have items taken away unfairly, but they've since taken a firm stance that they will never restore any items stolen, no matter how it happened.
Today, scammers are very crafty about it, and the scripts they use are designed to be discreet. You probably won't notice until much later, and many traders wrongly believe that the Steam Guard Mobile Authenticator makes their account hacker-proof, or even worse that it protects them from scams altogether. Account hijackers today combine finely honed methods and scripts to steal accounts and items in much more elaborate ways, effectively bypassing Steam Guard protections, in ways that leave victims as confused as they are alienated by their peers. Due to the culture of victim blaming in CS:GO, one of the largest targets of Steam account hijacking, many victims do not publicly admit getting scammed out of fear of retribution from a community that blames them personally for harmful changes Valve makes to the economy, and those who do tend to be dismissed as "stupid" for getting scammed in a system that allegedly protects all but the biggest of idiots.
This is the first mistake nearly all victims make. Anybody can get hijacked. It's not just idiots or beginners who fall for this scam; plenty of high-tier experienced traders and streamers have had their accounts stolen. This article will explain how the scam works today.
How do the fraudsters distribute links to their fake sites? And how do people fall for them?
Right now, large trading websites such as BitSkins, CSMoney, Marketplace.tf, etc. are having their sites replicated (almost identically) by fraudsters, then hosted on an extremely similar URL. Brand new startup betting or trading sites are used for stealing accounts and items as well. Among the tricks, scammers:
- Change a single letter in the domain to something similar (for example bLtskins.com vs bitskins.com).
- Use international unicode characters designed to look just like the real ones, especially if underlined like links usually are (example opskịns.com vs opskins.com).
- Create a similar-looking domain - such as csmoney.trade in place of cs.money.
- Use a fake modal window that looks like a real Steam login popup.
- Sometimes the fraudster even purchases a Google Ad for their phishing site, or engages in SEO poisoning to ensure their fake site appears near or even above the real one in Google searches.
- Contrary to popular belief, most malicious sites load in HTTPS, giving a false impression they're secure or trusted.
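The lookalike tricks in the list above can be checked mechanically before a password is typed. The script below is an added example, not code from the original article or from any of the sites it names; the allow-list of hosts is constructed for the example and every function name is the example's own. It flags the three patterns the list describes (a single swapped letter, a Unicode homoglyph, the brand name reused under a different domain) by comparing the host against the allow-list after decoding punycode and stripping combining marks, and it goes slightly beyond the list by also handling hosts already in punycode form (`xn--`), which is how browsers often show an IDN. Note that the HTTPS lock is deliberately not used as a signal, for the reason the last bullet gives.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list for this example: the hosts you actually intend to
# log into. A real deployment would load this from a maintained list.
LEGIT_HOSTS = {
    "bitskins.com", "cs.money", "marketplace.tf", "opskins.com", "steamcommunity.com",
}


def skeleton(host: str) -> str:
    """Reduce a host to its plain letters: decode punycode (xn--) labels,
    decompose dotted/accented letters (NFKD) and drop the combining marks,
    so 'opskịns.com' becomes 'opskins.com'."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        labels.append(label)
    decomposed = unicodedata.normalize("NFKD", ".".join(labels))
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-letter swaps like bLtskins/bitskins."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def alnum(s: str) -> str:
    return "".join(ch for ch in s if ch.isalnum())


def brand_tokens(legit: str) -> set:
    """Letters of the whole host and of the host minus its TLD ('csmoney' for
    cs.money, 'bitskins' for bitskins.com), keeping only tokens long enough
    to be meaningful."""
    tokens = {alnum(legit), alnum(legit.rsplit(".", 1)[0])}
    return {t for t in tokens if len(t) >= 5}


def classify(url: str) -> str:
    """Return 'legit', a 'lookalike (...)' verdict, or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "invalid: no host"
    if host in LEGIT_HOSTS:
        return "legit"
    skel = skeleton(host)
    if skel in LEGIT_HOSTS:
        return f"lookalike (homoglyph) of {skel}"
    for legit in sorted(LEGIT_HOSTS):
        if edit_distance(skel, legit) <= 2:
            return f"lookalike (typo) of {legit}"
    flat = alnum(skel)
    for legit in sorted(LEGIT_HOSTS):
        if any(tok in flat for tok in brand_tokens(legit)):
            return f"lookalike (brand reuse) of {legit}"
    return "unknown: not on allow-list"


if __name__ == "__main__":
    for u in ["https://bitskins.com/", "https://bLtskins.com/login",
              "https://opskịns.com/", "https://csmoney.trade/deposit",
              "https://example.org/"]:
        print(f"{u:36} -> {classify(u)}")
```

Anything other than `legit` is a reason to stop and type the address you know by hand; the allow-list is short on purpose, because an unknown host that asks for Steam credentials deserves the same suspicion as a flagged one.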
How does the fraudster actually access the account? I have mobile authenticator enabled?!
You may attempt to log into one of these fake sites, under the impression that you're visiting the real deal. There's no shame in admitting that; plenty of smart people have fallen for it.
Scammers have used a number of tricks to make fake Steam login pages look genuine, but one of the more recent is a rather convincing fake popup.
If you enter your username and password, they won't be passed directly to Steam. Instead, they'll be sent to a remote server or computer, where the scammer will automatically try and log themselves in with the information you entered.
If you provide incorrect information, the server will pass that back to you, showing you Steam's invalid details error message, just like you'd expect from the real Steam login page.
If you provide the correct information - which the phishing site can tell by trying your password - the server will then ask for your mobile authenticator code in a realistic-looking second dialog. If you enter your code (please don't), the server uses it to fully log in to your Steam account.
NOTE: These scammers won't be able to directly confirm trades as they don't have access to your mobile authenticator, but as we'll see, they can effectively work around it.
What happens once the scammer has access to your account?
Once the fraudster has access to a Steam account, they generate a Steam API key for the Steam account. They no longer need to be logged into your Steam account at this point, but they may still remain logged in as a fallback option. Scammers count on victims not knowing what an API key is, much less that Steam has them or the level of control over your account such keys provide.
Using your API key, among other things, the scammer can accept (but not confirm), decline, and cancel trade offers automatically, and they can continue doing this forever.
Important - how users ultimately lose their items to the scammer
The scammers' entire system is completely automated. Once the fraudsters have access to your account, they're able to see all of your incoming and outgoing trade offers.
Let's use BitSkins as an example here to explain what they can do once your account is compromised.
- Let's say the Victim here, Steve wants to deposit his Karambit Fade FN into BitSkins to sell.
- Steve isn't aware that his account is compromised and requests a trade offer from BitSkins for his knife.
- A real BitSkins bot sends Steve a trade offer for his knife.
- The fraudsters see the incoming offer on Steve's account and decline it.
- Before Steve can pull up the trade in his mobile app, the scammer redirects the offer:
- The scammer quickly copies the real bot's name and avatar onto another account the scammer owns.
- Once the real bot's profile has been copied, the scammer declines the trade and sends Steve an identical trade offer from the fake bot.
- The trade then looks completely identical and indistinguishable by the time Steve loads the trade confirmation in the mobile app.
- Steve accepts the trade, confirms this on his mobile authenticator and his item now belongs to the scammer on the fake bot account.
It's important to understand that no matter which fake site you logged into, the scammers will redirect any one-sided trade, no matter which website's bots you're trading with. And as a reminder, Steam Support will not help you regain your items. Once you've fallen for this, your items are lost forever.
How can I secure my account after logging into one of these fake sites?
You can see past logins on your Steam account here. If you see a location you don't recognize, you should assume you're hacked; if you don't, that does not conclusively rule it out. If you see trade offers inexplicably getting redirected, that is a sure sign you're compromised. So what should you do?
- Change your password.
- If you use the same username/password on any other sites, change those too. Professional scammers know people re-use passwords and will not stop at just your Steam account. They've been known to leverage a single account to steal victims' entire online lives and then scam their families - Facebook, GMail, university IDs, Twitter, other gaming platforms, and more.
- Especially change your email password, as the scammer may use that to recover your Steam account from you through a password reset.
- Deauthorize all devices signed into Steam here. This will log you out everywhere you (or the scammer) have signed in, which prevents the scammer recovering from #3.
- Go to https://steamcommunity.com/dev/apikey and choose 'Revoke My Steam Web API Key' for any keys listed. If you don't know what an API key is, you don't need it. If (and only if) you do use one, you should consider it compromised and generate a new one.
- If you still see trades getting redirected after following the above steps, contact Steam Support. Consider scanning for malware, and removing any browser extensions you have installed.