Fell for Phishing Scam due to complacency
Just wanted to share my story of a recent phishing scam that I fell for on steam.

Now, a little bit of background, I am someone who comes from the IT field and have done yearly "Anti-Phishing" training modules that show how taking the moment to look for obvious things (i.e. bad spelling/grammar on web page, suspicious links, etc.) can help distinguish a Phishing site.

Now, here is how the story happened:

I was playing Heroes and Generals with a friend and was in mid-battle. We were barely winning; however, my friend tabbed out to help his friend.

Apparently his friend asked him to visit a website to vote for his team to participate in a CS:GO Tournament, where the winners would receive $10,000 or $20,000 (can't remember exact amount).

His friend, who was also on my friends list, reached out to me next and asked me to go vote for his team. I could not remember who this was, but my friend told me that they've known each other for a while.

So, in a hurry to go ahead and vote to help a friend, I went to the website. When I clicked "Sign-in" I was redirected to a steam login page, where I signed in to steam (big mistake).

I went to "vote" for his team, however, the website did not function properly when going to look up the team.

Due to my rush in wanting to help a friend and being used to seeing the steam sign-in on some 3rd party sites, I did not take the time to properly investigate the site, which at a 2nd glance had some obvious grammar issues.

How did I figure it out? Thankfully, one of my friends knows me on discord and reached out to me.

Once I found this out, I went and started to reach out to my contacts to warn them, changed my password, reset my codes (for some reason all of my codes through steamguard at the time were "P8WND" (or "P8WNED")), and worked to secure my account.

Lessons Learned: Don't become Complacent. Don't use my steam account on 3rd party sites that I don't trust/know.

How I currently feel: Pretty Stupid

Edit 1: After verifying with my friend, we did actually enter our steam guard code. Steam Guard did its job, I just did not do mine.

PS: The friend I was playing the game with also fell for the phishing scam, he was just as unaware of the phishing scam as I was.
Last edited by CorrugatedBox; Feb 17, 2020 @ 4:24pm
76561199006003180 Feb 17, 2020 @ 4:21pm 
Originally posted by Karasuda:
So, in a hurry to go ahead and vote to help a friend, I went to the website. When I clicked "Sign-in" I was redirected to a steam login page, where I signed in to steam (big mistake).
Yes, that was the big mistake. Never will I be able to fathom why people think it’s a good idea to follow random links and enter their login credentials just because the site asks for them. If there was some random email you got that said you won a million dollars and had a link that asked for your credit card number, surely you wouldn’t enter it, right? So why would you with your steam account?

Either way, you’re not alone. Several others on this very page have done the same, sadly.

Last bit is, steam guard can’t save you if you enter that information too. It’s to protect you if somehow someone gets your username and password, but if you’re the one supplying that information AND the code, obviously there’s not much it can do to protect you.
Theblaze Feb 17, 2020 @ 4:21pm 
Originally posted by Karasuda:
[...] How did I figure it out? Apparently, my steam guard was useless at protecting my account and the same phishing attack was attempted my friends list. Thankfully, one of my friends knows me on discord and reached out to me. [...]

Steam Guard works as long as the user knows how to use it "correctly" and sharing your auth code to a phishing site is not the way to use it
Originally posted by Karasuda:
[...] There are ways around 2nd factor authentication, it is not the end all be all. [...]

Nope, nothing was bypassed. You shared the auth code to a phishing site, you should NEVER EVER do that.
CorrugatedBox Feb 17, 2020 @ 4:23pm 
Originally posted by Theblaze:
Originally posted by Karasuda:
[...] How did I figure it out? Apparently, my steam guard was useless at protecting my account and the same phishing attack was attempted my friends list. Thankfully, one of my friends knows me on discord and reached out to me. [...]

Steam Guard works as long as the user knows how to use it "correctly" and sharing your auth code to a phishing site is not the way to use it
Originally posted by Karasuda:
[...] There are ways around 2nd factor authentication, it is not the end all be all. [...]

Nope, nothing was bypassed. You shared the auth code to a phishing site, you should NEVER EVER do that.

Thank you for prompting me to verify with my friend if we were asked for our steam guard codes or not....

....Oh god...I did enter my steam guard code.....

Let me Edit my main post for that correction....
Last edited by CorrugatedBox; Feb 17, 2020 @ 4:25pm
Zekiran Feb 17, 2020 @ 6:01pm 
Hopefully you've done these things:

Scan for malware. https://www.malwarebytes.com/

Deauthorize all devices https://store.steampowered.com/twofactor/manage

Change your password on a secure device.

Generate new back up codes. https://store.steampowered.com/twofactor/manage

Revoke the api key https://steamcommunity.com/dev/apikey
** If there is nothing in the API key area, that’s fine. If there IS something, remove it. Nothing should be there.**

No items that have been traded away during this time will be returned to you.

Change your Email’s password on your computer for safety

Also report the account’s profile as scammer, and STOP visiting 3rd party trade sites!!
CorrugatedBox Feb 17, 2020 @ 6:18pm 
Originally posted by Zekiran:
Hopefully you've done these things:

Scan for malware. https://www.malwarebytes.com/

Deauthorize all devices https://store.steampowered.com/twofactor/manage

Change your password on a secure device.

Generate new back up codes. https://store.steampowered.com/twofactor/manage

Revoke the api key https://steamcommunity.com/dev/apikey
** If there is nothing in the API key area, that’s fine. If there IS something, remove it. Nothing should be there.**

No items that have been traded away during this time will be returned to you.

Change your Email’s password on your computer for safety

Also report the account’s profile as scammer, and STOP visiting 3rd party trade sites!!


Funny enough I think I found your post on another thread with all of these steps and followed the ones that I had not already completed.

I appreciate that you are sharing this list of steps. Sadly the person who reached out to me asking me to go to this site to vote was also a victim, whose account was being used to try to fool others. (Like mine was used for after they got a hold of it). I am not sure if reporting that account would be of any help/benefit.
Zekiran Feb 17, 2020 @ 7:14pm 
Yeah, they almost always are already scammed.

If you know them in REAL LIFE, get ahold of them. But if not, they're compromised until proven otherwise. I'm glad that you found the instructions, so many people don't.
NeXuS23 Feb 18, 2020 @ 2:10am 
Well Steam Guard like all those TOTP-things from yesteryear aren't phishing proof, that's why U2F / FIDO2 was developed which is not only safer but also more comfortable.
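
Added example, not part of any post in this thread: a minimal Python model of the point made in the comments above, that a time-based code verifies the same no matter which page it was typed into, while a FIDO2-style assertion carries the origin the browser actually saw. The secrets, the `.example` domains and the helper names are constructed for illustration, the code is generic RFC 6238 TOTP rather than Steam's own format, and an HMAC stands in for the real public-key signature.

```python
import hashlib, hmac, json, struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the shared secret and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, submitted_code: str, unix_time: int) -> bool:
    # Nothing in the code says which page the user typed it into.
    return hmac.compare_digest(totp(secret, unix_time), submitted_code)

def authenticator_sign(key: bytes, challenge: str, origin_seen_by_browser: str) -> dict:
    """Simplified FIDO2-style assertion: the browser, not the user, writes the
    origin into the signed data. HMAC is a stand-in for the real signature."""
    client_data = json.dumps(
        {"challenge": challenge, "origin": origin_seen_by_browser}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def server_accepts_assertion(key: bytes, assertion: dict,
                             challenge: str, expected_origin: str) -> bool:
    expected_sig = hmac.new(
        key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, assertion["sig"]):
        return False
    data = json.loads(assertion["client_data"])
    # The signature is genuine, but the signed origin must be the real site.
    return data["challenge"] == challenge and data["origin"] == expected_origin

def demo() -> dict:
    # All values below are constructed sample data.
    secret, key, now = b"constructed-shared-secret", b"constructed-device-key", 1_600_000_000
    real, lookalike = "https://login.example", "https://login-vote.example"
    code = totp(secret, now)  # identical whichever page asks for it
    return {
        "totp_via_lookalike": server_accepts_totp(secret, code, now + 10),
        "fido_on_real_site": server_accepts_assertion(
            key, authenticator_sign(key, "c1", real), "c1", real),
        "fido_via_lookalike": server_accepts_assertion(
            key, authenticator_sign(key, "c1", lookalike), "c1", real),
    }

if __name__ == "__main__":
    print(demo())
```

In real FIDO2 the credential is also scoped to the site's domain, so a page on a lookalike domain is not offered the credential in the first place.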
J4MESOX4D Feb 18, 2020 @ 2:17am 
Phishing scams can take many forms whether it be a gambling, trading, charity or tournament site. If there is a Steam Login window, you have to be incredibly vigilant regardless of the site's purpose or origin.
Kaizer Jul 12, 2021 @ 3:08pm 
Yea, I got scammed because I'm a big dummy. Check your friend's list for anyone who is Blocked and unblock them. They're the people your account messaged.
banned sar Jul 13, 2021 @ 2:14am 
rip :(

Date Posted: Feb 17, 2020 @ 4:11pm
Posts: 10