New Scam Technique

Discussion in 'SteamRep General Discussion' started by MrTrollTheMadGamer, Jun 30, 2019.

  1. MrTrollTheMadGamer

    MrTrollTheMadGamer New User

    On occasion I'll accept random Steam friend requests from obvious scam accounts, to see what they say and do, etc. Today I added one and got to digging. I've discovered a really clever scam; the website for the scam is
    Hidden Content:
    **Hidden Content: Content of this hidden block can only be seen by members of (usergroups: Administrative, Moderating).**
    The guy seems to own several steam accounts that look just like this
    Hidden Content:
    **Hidden Content: Content of this hidden block can only be seen by members of (usergroups: Administrative, Moderating).**
    If you search this Steam account's name, it shows something like 38 of these accounts. They all look pretty much the same, with the same account info, etc. That's a dime a dozen; plenty of scams work like that. The interesting part is the background: I got the guy to click an IP grabber and I got two IPs from what I later found to be 2 virtual machines or servers he's using. I also later got him to screenshot his desktop on both: https://i.imgur.com/71g9YdH.png, https://i.imgur.com/15Q91g7.png. The IPs I grabbed line up with the Windows versions visible in the screenshots, same with the time zones of the screenshots. From running the phone number on the URL lookup I did through Google, I found scam site after scam site linked to it. All of them Russian things like jewellery financing, survey websites. All using the same web server for emails, "reg.ru"; from looking into reg.ru and other information it seems that it's the domain registrar for Russia. Now from chatting with the guy it seemed like he was willing to give up information if I signed in, and there was no way in hell I was going to sign in with my main account. So I generated an account and tried logging in. The button on the website links to this page
    Hidden Content:
    **Hidden Content: Content of this hidden block can only be seen by members of (usergroups: Administrative, Moderating).**
    What looks to be a front end of his scam. From what I've gathered, my theory is this: the fake sign-in grabs your account name and password, it then asks for your Steam Guard code regardless of whether you have one, since I tried logging in with a generated account. Now if you have it enabled, it takes that code and quickly signs in, and the guy either steals the account or trades out the items, I dunno. All in all the scam is really convincing; I'd love to see what happens if you actually use an account with Steam Guard enabled. But I'm not risking my account and I don't have a dummy account to sacrifice.

    Now for the odd stuff that didn't fit the main story: in the screenshots it shows the TF2 logo over the HTTPS lock that Chrome has; no website I've seen does that. From close inspection the image doesn't look tampered with, and the time works out to around when he sent it. The fact it clearly shows what I assume to be a legit trading site in the window but a different URL, the fact he sent me another website that's identical with a different login window
    Hidden Content:
    **Hidden Content: Content of this hidden block can only be seen by members of (usergroups: Administrative, Moderating).**
    the fact this site's domain is 5 days old. The list goes on. If this guy actually crafted this whole thing, he seems like a decently smart guy. Another thing to note is he said this: https://imgur.com/a/uTrXE3B. He could have been taking the piss, but I dunno.

    I don't know how the forums work and if they are active, but I'd love to see what you guys' take on this is; maybe some more knowledgeable people know how this all works. I'm just genuinely interested.
    Last edited by a moderator: Jun 30, 2019
  2. Horse

    Horse Administrator SteamRep Admin

    SteamRep Admin:
    Not new at all. This is a common phishing tactic being used and has been used for a good while now.
    While we do not take phishing reports due to policy, we highly recommend people pay close attention to avoid sites like this completely and to be aware of where you click and what you click at any time.

    In the meantime, to avoid anyone clicking on those links, I've hidden them for safety.
    Please avoid posting such links anywhere.