Accepted 76561198050747310 ( Gitler )

›Segata_Sanshiro · Sep 13, 2012

Victim:
steamID: › Segata_Sanshiro|Backpack.tf
steamID32: STEAM_0:1:18164691
steamID64: http://steamcommunity.com/profiles/76561197996595111
customURL: http://steamcommunity.com/id/Segata_Sanshiro
steamrepURL: http://steamrep.com/profiles/76561197996595111

Scammer:
steamID: Gitler
steamID32: STEAM_0:0:45240791
steamID64: http://steamcommunity.com/profiles/76561198050747310
customURL: http://steamcommunity.com/id/stalinkaput
steamrepURL: http://steamrep.com/profiles/76561198050747310

Screenshots:
- Pictures of chat (required) <attached. includes the file in the bottom left of my browser>

Description: This person added me on steam after I posted I was selling a Vintage Lugermorph on outpost and tf2tp. He added me and linked me a very strange URL with the word download in it, telling me to click it and look at it cus its a screenshot of 3 seperate offers on a different account or something like that. I have been scammed many times in my youth and took classes on Social Engineering and stuff so I immediatly assumed he wanted to put a trojan on my computer to steal my steam account information or something like that.... I reluctantly clicked the link and immediately it downloaded a file called item_list.exe with a little blue icon i have never seen. I obviously did not open the file but I could only assume if I did open it, my computer would immediately BSOD... heh. He claimed to be a 13 year old when I said he was probably a social engineer.... THEY ALL DO!
Anyway... I might have over reacted on him but i don't take kindly to cyber criminals of that line of work.

Never tell your password to anyone.
› Segata_Sanshiro|Backpack.tf: hey there
Gitler: hello watch my 3 offers
Gitler: http://ge.tt/api/1/files/1zBSqfN/0/blob?download
Gitler: i pictured
› Segata_Sanshiro|Backpack.tf: ?
Gitler: forluger
› Segata_Sanshiro|Backpack.tf: i can't click that buddy i dont know what that is
› Segata_Sanshiro|Backpack.tf: your offering on my lugermorph?
› Segata_Sanshiro|Backpack.tf: i want 8 keys
Gitler: that is my screenshots from a nother my accounts
Gitler: i will opevpay in hats
Gitler: alot
Gitler: i want it
Gitler: realy mutch
Gitler: please
› Segata_Sanshiro|Backpack.tf: wow ... f✿✿✿ that s✿✿✿ nigga
› Segata_Sanshiro|Backpack.tf: i aint gunna run an exe
Gitler: hmmm
Gitler: ?
› Segata_Sanshiro|Backpack.tf: That's how you get epic viruses and trojans
Gitler: hmmm
› Segata_Sanshiro|Backpack.tf: you could be a social engineer trying to take information from my computer
Gitler: idiot what viruses
Gitler: ahahahah how can i do that
› Segata_Sanshiro|Backpack.tf: rofl. you're an idiot cus you dont know what viruses are?
Gitler: im 13 years old
Gitler:
› Segata_Sanshiro|Backpack.tf: you could be a script kiddy
› Segata_Sanshiro|Backpack.tf: im going to report you just to be safe
Gitler: ok i dont know what youre talking about bb mate
› Segata_Sanshiro|Backpack.tf: link me a url
› Segata_Sanshiro|Backpack.tf: not a file to download
› Segata_Sanshiro|Backpack.tf: DERP
› Segata_Sanshiro|Backpack.tf: i'll look at ur offer if you give me an offer
› Segata_Sanshiro|Backpack.tf: rather than a virus
› Segata_Sanshiro|Backpack.tf: give me a URL
› Segata_Sanshiro|Backpack.tf: rather than a file to download and open
› Segata_Sanshiro|Backpack.tf: so you're done talking to me?
Click to expand...

He has yet to remove me from his friends list at this point and time.

Casty · Sep 14, 2012

Victim:
steamID: [CST] Casty
steamID32: STEAM_0:0:38473841
steamID64: http://steamcommunity.com/profiles/76561198037213410
customURL: http://steamcommunity.com/id/blazemastery
steamrepURL: http://steamrep.com/profiles/76561198037213410

Scammer:
steamID: Gitler
steamID32: STEAM_0:0:45240791
steamID64: http://steamcommunity.com/profiles/76561198050747310
customURL: http://steamcommunity.com/id/stalinkaput
steamrepURL: http://steamrep.com/profiles/76561198050747310

Description:
Put up a trade of a Stormy Drills, this guy adds me. I check his inventory before adding him, and find he's f2p with 75 hours logged into tf2.
After adding him, he posts a similar link to a suspected virus. (I later run it in a sandbox environment and confirm it's a trojan injector written
2 weeks ago on 29 August in MSIL) He tries to perform social engineering as the person above said, this time he claims he's 14. Guess this concludes that.

[CST] Casty: Yes?
Gitler: i want to buy
[CST] Casty: buy what?
Gitler: drill
[CST] Casty: right
[CST] Casty: how much can you offer?
Gitler: i have 3 offers
Gitler: watch
Gitler: http://ge.tt/api/1/files/9W1MljN/0/blob?download
Gitler: i operpay
[CST] Casty: that seems like a file to hijack my computer and steal my password
Gitler: check it
Gitler: with antiviru
Gitler: s
[CST] Casty: find
[CST] Casty: hold on a bit
Gitler: mate D i am 14 years old
Gitler:
Gitler: ok
[CST] Casty: I'm 15.
Gitler:
[CST] Casty: doesn't change anything.
[CST] Casty: wait a while, finding an antivirus.
Gitler: ok
[CST] Casty: Google Chrome could not load the webpage because w460927.blob3.ge.tt took too long to respond. The website may be down, or you may be experiencing issues with your Internet connection.
Here are some suggestions:
Reload this webpage later.
Check your Internet connection. Restart any router, modem, or other network devices you may be using.
Add Google Chrome as a permitted program in your firewall's or antivirus software's settings. If it is already a permitted program, try deleting it from the list of permitted programs and adding it again.
If you use a proxy server, check your proxy settings or contact your network administrator to make sure the proxy server is working. If you don't believe you should be using a proxy server, adjust your proxy settings: Go to the wrench menu > Settings > Show advanced settings... > Change proxy settings... > LAN Settings and deselect the "Use a proxy server for your LAN" checkbox.
Error 118 (net::ERR_CONNECTION_TIMED_OUT): The operation timed out.
[CST] Casty: your site's down
[CST] Casty: just tell me your offer
Gitler: you have a low internet
[CST] Casty: i'm running at 2mbps.
[CST] Casty: tell me your offer.
[CST] Casty: still waiting
Click to expand...

He has yet to respond, but he's currently still on my friends' list.
The injector can be found here: (I reuploaded it)
http://www.MALWARE-SUSPECTED-mediafire-.com/?ktt3yrilba9nz86
And here is a virustotal scan showing proof of its illegitimacy:
https://www.virustotal.com/file/443...311a11d5ceb3c318c6c3bcaa/analysis/1347644590/

Bacon · Sep 22, 2012

Thank you for your report. A steamrep admin will look at this shortly.

CanadianInvasion · Sep 23, 2012

Tagged. Thanks for the report.

Log in or Sign up

Accepted 76561198050747310 ( Gitler )

›Segata_Sanshiro New User

Attached Files:

item_list file.jpg

Casty New User

Attached Files:

scammer.png

Bacon Retired Staff Partner Community

CanadianInvasion Retired Staff

Log in or Sign up

Accepted 76561198050747310 ( Gitler )

›Segata_Sanshiro New User

Attached Files:

item_list file.jpg

Casty New User

Attached Files:

scammer.png

Bacon Retired Staff Partner Community

CanadianInvasion Retired Staff

Useful Searches