Steam login page should state it should never be in a pop-up
Seen recently a load of phishing sites targeting Steam users and they have a login window which fakes a pop-up that contains an iframe of a fake login page. They try to make it look real (and if you are using Windows and light theme and aren't paying attention you may not notice, also sometimes they don't look at what browser you're using so they call the pop-up Chrome usually).

There's no reason for any legit site to ever have a pop-up, it's actually more effort to set up a pop-up rather than redirect someone to Steam to log in. Nowhere is it recommended to have a pop-up either. The login page should state that this page should never be shown in a pop-up.

Those who run phishing sites will snip that out; however, people might notice that the warning has gone, and that might tip them off. They should not be seeing this login page in a pop-up.

I have screenshots of 2 phishing sites (URLs are blurred) just to give an idea of what they look like.
1. https://cdn.discordapp.com/attachments/378081613331955712/908137551032885268/unknown.png - this website was taken down within hours of the first attempt but it had the most realistic pop-up I've come across (it's just that it thought I was using Chrome when I was using Brave and it assumed light mode). The window can be moved around but it can only exist in the page and not be moved out of the window, it can also be scaled and works exactly like a regular pop-up would. I am not aware of anyone having fallen for this site.
2. https://cdn.discordapp.com/attachments/378081613331955712/908137571861794856/unknown.png - this is a more recent and currently active site (they have been reported to everyone they need to be reported to) and despite it having a bad pop-up where the title bar is off the page and it cannot be dragged or scaled and the text on the header bar is way off, and they had the audacity to say they are affiliated with Steam or Valve (which doesn't make sense, but they are willing to make edits), I am aware of at least 1 person having fallen for this site.

I feel that adding a warning alongside the other warnings stating that logins should not happen through a pop-up should condition people to expect to see it when logging in as well as to expect to not see a pop-up because it should never happen legit.
Last edited by Help! Raccoons took my penis!; Nov 10, 2021 @ 3:46pm
Showing 1-3 of 3 comments
Pscht Nov 10, 2021 @ 4:00pm 
Tl;dr: Never log in anywhere but Steam. People don't read anything, ever.
[N]ebsun Nov 10, 2021 @ 4:08pm 
Yep, there is also quite a lot of writing on that screen already - I bet most people skim past everything and head straight to entering their login
Yeah but new coloured text people will notice the next time they log in to a legit site. They may not read it every time, I sure don't (but I still recognise that the orange text is meant to say they aren't affiliated with Steam or Valve and only noticed the edit when I was blurring their URLs and read it), but they will notice it when either it has suddenly disappeared or it's there while in a pop-up.

I don't expect adding this warning would save everyone, but it's how Steam phishing works and it would save some people.

Date Posted: Nov 10, 2021 @ 3:40pm
Posts: 3