
What to do when phishing was attempted on you.

Discussion in 'SteamRep Guides' started by DataStorm, Feb 17, 2013.

  1. DataStorm

    DataStorm Retired Staff

    Messages:
    3,437
    People get attempts every day to phish their Steam accounts. This guide is about what you can do to end it as quickly as possible.

    In my opinion, paying attention and understanding what you see is key to fighting them best.

    First of all, what is a phishing site?
    A phishing site is a site that attempts to get any information about your account, in order for them to be able to access it, for whatever reason they have. Those reasons can be: selling your account, selling items in your backpack, and, unfortunately, also cheating/hacking in games so the account gets VAC banned for those games.

    An example phishing site (Screenshot image)

    They are basically looking for several things:
    • Steam account login name
    • Steam account login password
    • SteamGuard Code to activate their local Steam installation for your account.
    • Your email address
    • Your email password
    • Any additional info they might need to access the Steam account / email account or anything.
    In general, you will see that they mimic the original site as much as possible, without adding many more fields; I have seen them as linked above, but also with all 4 asked for, or just 3 of them.

    I also lately have seen that they link you to an "account", telling you that the guy cannot add you for some reason, and wants you to add it. When you click it, it opens in a browser instead of in Steam (ALARM there, for a real Steam site will open in Steam). It will then mimic behavior to let you log in, and ask you for a SteamGuard code (meanwhile, a bot will log into Steam with your login name and password, triggering the mail for SteamGuard). When you receive the mail, you fill that in, and the phisher has a logged-in Steam account that is fully authorized.... At this stage you are phished.

    They also target the email address, for then they can easily find the login name in old emails, and do a password recovery (if the password isn't the same as the email's password). Unfortunately, it puts any other account linked to that email also at risk. Think of PayPal, community forum accounts, Facebook, and whatever accounts you have around linked to that account. With regard to email security, please read this guide.

    The techniques to bring the phishing link to your attention vary; examples are "get free game(s)", "Look what they wrote about you here", or "My friend can't add you, please add him".

    So, what can you actually DO when you get a phishing attempt?
    1. First, stating the obvious: do not fill in your information.
      1. While there are legit sites out there, they don't need you to log into them with Steam's login credentials. Either they need their own accounts, or they will use the Steam OpenID Provider (see below).
      2. Explanation: As you know, there is the Steam verification (which is in use by this very site as well), but that doesn't involve you typing your Steam account credentials on SteamRep's site, but a login to steampowered.com, which gives back to SR: This person really has access to this account, this is his ID64. That's it, nothing else is given by Valve, just a verification that the person connecting to the website is the owner of a specific Steam account. That way, SteamRep can know that the forum account really belongs to a certain Steam account. In no way does this give us or any other party access to the real account information. All Steam does is pass on an ID64. Read more here: Steam OpenID Provider (2/3rd down the page)
    2. Do NOT close the chat.
      1. You want to make a screenshot of it later, once you are done talking with the guy/bot.
    3. Verify that it's actually phishing.
      1. Unfortunately, every now and then somebody claims it is phishing when it is not. So a verification is in order. Options are:
      2. If you're knowledgeable enough, check it out yourself and VISIT the site. People will then say "Eh? How?". Well, use a browser WITHOUT JAVA (uninstall it, all versions of it, see here), but with browser features like Firefox's NoScript, it is pretty secure to visit the website and see what it is. Do not assume right away it's phishing. Check for things out of order, like asking for email address instead of login name, email password instead of "password" etc. Also, on top in the browser's URL bar, you won't see a "lock" (see
      3. If you don't know, or don't want to check it yourself, contact an admin and give him the screenshot. Do NOT give him the link directly, for then you are going to get into problems. Give the admin the screenshot after an explanation.
      4. Report it (see below)
    4. Unfortunately, at this current time, SteamRep does not handle reports for phishers.
    5. Report it to steam backend:
      1. Click the name of the offender or his avatar in steam chat
      2. Steam browser will open to his profile page
      3. On top right you will see the "More" button, fold it open and select "Report violation".
      4. Tick the box for "Suspected Hijacker or Phishing"
      5. Tell what happened in the box below.
      6. Include link to screenshot of chat, or copy the chat into there...
      7. Submit report.
    6. By now, we no longer recommend reporting it to Steam support. Please do the above Steam backend reporting to let the automation do its work.
    7. Report it to browser protection report pages:
      1. Google Chrome & Mozilla Firefox & Apple Safari: http://www.google.com/safebrowsing/report_phish/
      2. Microsoft Internet Explorer:
        1. See: http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx
        2. Quote from their site: While you are on a suspicious site, click the gear icon and then point to Safety. Then click Report Unsafe Website and use the web page that is displayed to report the site.
      3. Opera: I tried to find a report link or method for Opera, but all I find at a quick glance is explanations on how they "protect" but no way to bring something under attention to those protection(s) and which is used there.
    8. Report it to Anti-Virus/Anti-malware software vendors.
      1. ESET NOD32: http://phishing.eset.com/report
      2. Symantec: https://submit.symantec.com/antifraud/phish.cgi
      3. There are many more, but I normally report to ESET & Symantec. A bunch of Anti-Virus vendors don't have an anti-phishing solution themselves. Examples are Avast (afaik, Googled it on them, but nothing solid comes up)
    9. Report it to the hoster of the site.
      1. This is a bit more complicated; it involves contacting the hoster of the site to report abuse of their agreement with the "user" (the phisher) of the site. As this varies, the success of doing so will also vary. Problems that come up are:
        1. Some hosters have non-working reporting pages, making it impossible to report it.
        2. Some hosters have no contact info for abuse or rules against this.
        3. Some hosters belong to a chain of domains, which makes it hard to find out who or where you have to report to.
          A bit of persistence is needed here to find the right party to contact.
      2. Please keep in mind these rules in dealing with hosters:
        1. Only email directly or fill in a webform.
        2. Do NOT fill in personal details. Only contact info such as your email address would be OK.
        3. Do NOT create an account at the hoster; there is no point in that, for an abuse report should be able to be reported without one.
      3. Most phishing sites are hosted on free hosting sites where ads of the hoster will be shown on their site, or the site is severely limited, to get more they have to pay etc. Such websites will exist as subdomains of the free hoster's main site. Basically a phishing site will most often look like a 3 "word" domain name like:
        fakephishing.freehosting.site
        In this example, the phisher has made a subdomain "fakephishing" under "freehosting.site". If you go to this "freehosting.site" and check out the site to make a report, or maybe write an email to "abuse (at) freehosting (dot) site", you can, a little bit more often than not, report it to them to let them take it down. Please find out on the site where/how to report it.
    As you can see, there is plenty you can do to end a phishing site's lifetime, and the phisher's abuse of hijacked accounts.

    Q and A:
    Q. Why didn't you "promote" XYZ's browser protection voting feature?
    A. While voting is fine and dandy to solve something without a conflict, a phishing site is not a question of a vote. If you rely on a voting system/application to know if something is legit, you will find that it's never really true. For a vote is not won by being right, it's won by the number of ppl (read: bots) saying yea or nay.

    Q. Why didn't you include XYZ browser or XYZ antivirus?
    A. Seeing the considerable length of this, I already had enough to write. You can suggest sites by giving the relevant info, and they probably will be added by me later on.

    Q. SPAAAAAAM!!!!
    A. I know it's long, but it beats phishing...

    /edit: SilentReaper updated 3-feb-2014.

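An added example, not part of DataStorm's guide or of SteamRep's code: the two host checks the guide describes, written as a small triage helper. It decides whether a chat link really points at a Steam login host, and for anything else strips the phisher's subdomain to name the hoster's abuse mailbox. The Steam domain list, the short suffix set, the function names and the sample URLs are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Hosts treated as genuine Steam (assumption of this example; extend as needed).
STEAM_DOMAINS = {"steampowered.com", "steamcommunity.com"}
# Tiny constructed stand-in for the Public Suffix List; use the real list in practice.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.br", "com.au"}


def hostname(url):
    """Return the lower-cased host a browser would actually connect to."""
    if "://" not in url:
        url = "http://" + url  # chat links are often pasted without a scheme
    # .hostname drops any "user@" prefix and port, so "steam...com@other.host" yields other.host
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_steam_host(host):
    """True only for a Steam domain itself or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in STEAM_DOMAINS)


def hoster_domain(host):
    """Strip the phisher's subdomain, keeping the hoster's registrable domain."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def triage(url):
    """Classify a link; for non-Steam hosts, suggest where an abuse report goes."""
    host = hostname(url)
    if not host:
        raise ValueError("no host found in link: %r" % url)
    if is_steam_host(host):
        return {"host": host, "steam": True, "report_to": None}
    try:
        ipaddress.ip_address(host)
        report_to = None  # bare IP address: look up the network owner instead
    except ValueError:
        report_to = "abuse@" + hoster_domain(host)
    return {"host": host, "steam": False, "report_to": report_to}


if __name__ == "__main__":
    # Constructed sample links, including two look-alike forms of a Steam host name.
    for link in ("https://store.steampowered.com/login/",
                 "fakephishing.freehosting.site/login",
                 "http://steamcommunity.com.freehosting.site/openid",
                 "http://steampowered.com@fakephishing.freehosting.site/"):
        print(link, "->", triage(link))
```

The suggested mailbox is only a starting point; as the guide says, check the hoster's own site for where and how to report.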
  2. Oz' dak1ne

    Oz' dak1ne New User

    Messages:
    192
    Steam:
    STEAM_0:0:11020111
  3. DataStorm

    DataStorm Retired Staff

    Messages:
    3,437
    Sure, I'll maybe add that, but most just go offline directly after.
  4. Nero Chinki

    Nero Chinki New User

    Messages:
    3,208
    Steam:
    STEAM_0:1:30535511
    Maybe also good to add, if you get the invite to chat with a phisher through a group to screenshot that as well and get the leaders of said group to remove the guy out of precaution.
  5. DataStorm

    DataStorm Retired Staff

    Messages:
    3,437
    The line is now just in general, not going to make that specific. Removal of individuals from a public group makes no sense, for they can join it anytime; in fact they actually USE such groups for exactly that.
  6. SilentReaper(SR)

    SilentReaper(SR) Retired Staff

    Messages:
    11,991
    SteamRep Admin:
    STEAM_0:0:89705646
    Edited the text and touched up some stuff.