I've seen this style before, many times. Complete with fake browser window.
This is probably the most sophisticated style of phishing site I've yet seen. And they've been using it for months now. They put up a site, it stays up for a little while, it shuts down, they put it up with a different name at another URL, rinse and repeat.
Except the person who sent it has no idea the real hacker is using their account. STEAM GUARD is supposed to protect from people logging in to their account but it isn't in this case. A lot of people have been getting SCAMMED and it is completely through STEAM they are scammed. Reporting the person does nothing because the actual person who is controlling their account is from Moscow and has many more accounts in wait. Steam needs to fix its STEAM GUARD because somehow these people found out how to bypass it.
The people sending you the link are ALWAYS your friends who have been compromised. If your account was used, it was used to get your friends. Then your friend's account is used to get their friends. It is a process they have.
Yeah, except this one somehow is using the Steam API to actually verify that you are really logging into Steam. I tried doing it with fake accounts and fake passwords, it wouldn't accept them, so they figured out a way to interface with Steam to make sure the accounts and passwords are accurate before giving people an error message.
What would you like Steam Guard to prevent?
It's quite well-designed, and can easily fool anyone who doesn't already have an active Steam login on their browser and also know that "sign in through Steam" should be a one-click affair.
Whatever you enter gets passed to a real Steam login on the other end. If you enter the wrong info, the Steam login will error, and this will also tell you an error. If you enter the right info, the other end will prompt the login for a Steam Guard code, and so this site will also ask you for a Steam Guard code which it then uses on that other end.
STEAM GUARD is supposed to be a two factor protection that makes it so that you can't log into your account unless you use your phone to get a 5 character key to verify it is really you. These people found a way to BYPASS it, meaning Steam failed with its STEAM GUARD somewhere. If I had to guess, they are using an algorithm and that algorithm was in the code for the app they just pulled apart to find. This way they never need your phone to get the 5 characters. Knowing how encryption works, they should have made it so that something the attacker doesn't know (like maybe the phone number) is used as a key for the code since you have to register a phone to activate it.
Yeah, basically. I also noticed that there are only 2 ports open with this web site, 80 and 443. 443 is usually used for emails but since there is no SMTP server at all and I tested the port, it isn't an email server. I believe they are using 443 to interface with the web site to get the information they have been stealing from people. Some info from examining it in more detail.
It starts with the alleged robot check which is obviously fake. And that Steam login page... just looks ridiculous. It's so obviously not a real window but a JavaScript construct that it's IMO laughable. Just click on the bar to move it out of the way and you'll see.
This is also why it helps to use a tabbed browser, with legit websites the login page gets placed onto a new (dedicated) tab, yet here a weird window is floating on your screen? Even though most browsers block pop-ups?
If that doesn't ring any alarm bells... then you're not paying enough attention.
Nonsense.
No protection scheme can protect a user from giving the keys away themselves which is exactly what is happening here. People provide their Steam username, password and security code to the scamming website which will then use said information to take over.
This is no different from installing a lock that can't be picked, and then giving the key to some stranger because.. "reasons". Then blaming the locksmith for selling a broken lock.
Doesn't help when you provide someone the things needed to access your account.
"I gave the keys to my house. The door should have been able to prevent them from getting in"
There are people that are dumb enough to try out phishing sites despite being told what they are, that's how dumb some people can be, hence don't post the link here.
When you report it to Steam support they get around to adding it to the block list, which is why you report it. It's impossible for them to track every possible website on the internet.
Steam Guard is a 2FA. If you don't know what 2FA is, it's two-factor authentication. As it's a tool, this tool was not created to STOP, but to deter hijackers from trying to brute force your account: even if they know your login name, a code from the 2FA is needed to complete the login. But here's the problem: people that get hijacked normally fall for a phishing attack, such as yourself. How it works: you give your login details to them, and you gave them the 2FA code, and they're in, that simple. Steam Guard doesn't stop people from logging in, it only makes it a problem for those trying to force their way in, hence brute force, and by providing all the details, including the 2FA code, you made the tool useless and gave them access.
Steam help section > My account > Data related to my account > scroll to the bottom click on contact support. Can't miss it.
I suggest learning more about internet safety, so you don't fall for another phishing attack in the future.
https://steamcommunity.com/discussions/forum/7/3084376689324641195/#c3084376689324897217
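
What the posts above describe, seen from the login server's side, as an added example that is not part of the thread and not Steam's code. It assumes RFC 6238 TOTP as a stand-in for the phone code; `LoginServer`, the account, the secret and the timestamp are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30                  # seconds one code stays valid (RFC 6238 default, assumed)
T0 = 56_666_666 * STEP     # constructed timestamp at the start of a window

def totp(secret: bytes, now: int, digits: int = 8) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, a stand-in for the code shown on the phone."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class LoginServer:
    """Constructed model of a password + code login, not any real service's API."""

    def __init__(self):
        # user -> (password, secret shared with the phone); all values constructed
        self.accounts = {"alice": ("correct horse", b"constructed-secret")}

    def login(self, user: str, password: str, code: str, now: int) -> str:
        # Note the inputs: nothing here says which page collected them.
        record = self.accounts.get(user)
        if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
            return "bad credentials"
        if not hmac.compare_digest(totp(record[1], now).encode(), code.encode()):
            return "code required"
        return "session granted"

def outcomes() -> dict:
    """Run the four cases the thread describes and return the server's answers."""
    server = LoginServer()
    phone_code = totp(b"constructed-secret", T0)  # what the owner reads at T0
    return {
        "wrong_password": server.login("alice", "guess", "", T0),
        "no_code": server.login("alice", "correct horse", "", T0),
        # Same code, submitted 5 s later by someone other than the owner.
        "fresh_code_other_submitter": server.login("alice", "correct horse", phone_code, T0 + 5),
        # Same code two minutes later: the window has moved on.
        "stale_code": server.login("alice", "correct horse", phone_code, T0 + 120),
    }

if __name__ == "__main__":
    for case, answer in outcomes().items():
        print(f"{case}: {answer}")
```

The first two answers are what a look-alike page can mirror back to the visitor, and only the expiry of the code separates the last two cases.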