RedNeckSnailSpit Jul 26, 2022 @ 5:50pm
Steam Phishing/Discord Nitro Scam
I want to preface this by saying that the account that was stolen in the following story was not one I ever planned on using. I created it years ago, forgot about it, and tried to create a new account just to see what these scammers were up to, only to find out about the pre-existing account. I was 100% expecting the account to be stolen in some way or another, and used it with the sole purpose of seeing how this scam works, and if it was possible to recover the account at all.

So here's how it starts: Some random user posts a few links in a Discord server claiming there's a free Discord Nitro giveaway. These are 1 month or 3 month subscriptions, and all you have to do is sign up with your Steam account.

I was already feeling like this is likely a scam, before I even saw the sketchy looking links. After clicking the links, the site gave me a quick run down of the Discord Nitro perks, the subscription time, etc. and had a button to sign up. Clicking it then either opens a popup window (Which in my case, using Opera GX, did not allow me to see the URL used to log into Steam), while the other takes you to /something/login on the actual site itself.

So I had a look at them and initially decided to see what happens if I enter a non-existent account and random password. So I used some profane words in the username and password, and was told the account does not exist. Curious. So I decided to create a new account and see what happens then.

So I used an old email address on the real Steam site to create a new account, then I logged in with those credentials, expecting to be told my account name does not exist. Turns out I was wrong.

I was welcomed like any other Steam login, and was then told I needed a code sent to my email address to complete the login process. I got the code, entered it into the login page, and was told the code was incorrect. So I checked my email again, and strangely Steam had sent me a second code. So I entered that one. I was then told my account was successfully logged in, and was good to go.

After this, I went to the real Steam and attempted to log in again (As I was automatically signed out after logging into the scam site), only to find that my password had been changed. I checked my email again, and was told my account's email address was changed. So I clicked the recovery link.

Steam then asks me to attempt a login, which of course did not work since both the email and password were changed. I then clicked the button under the login form stating that I could not log in, and it asks me if I could try using a code sent to the associated email address. Of course I can't, because the email address was changed and I never had access to it in the first place. So I then clicked "I no longer have access to this email address" (and never did) and was greeted with a lovely page essentially stating "You can't do anything, because your account was self-locked. Try again later."

Of course, trying again later will only ever result in the same issue.

I honestly expected more from the recovery system. I clicked the link well within 5 minutes of having the account stolen, and there is literally no way on this platform to recover the account, regardless.

The login process is very similar to that of logging into Steam through any other site, or on Steam itself. The page looks identical, the login process is identical, and the only clues are the sketchy URLs and the second verification code. Steam does say never to enter these codes onto untrusted sites within the emails, but the code is so much larger than any other text, and stands out so well, and honestly who cares about what was said before or after the code in that email anyway? I don't know a single person alive who would ever read that email instead of just copying the code and pasting into the login page.

If there was simply some way of recovering the account through the link sent by Steam when the email address is changed, it would have recovered the account in no time. Instead, because the account was instantly locked at the same time that the email address, username, and password were all changed at exactly the same moment, the account will now be lost forever.

On the bright side, I can now use the email address to create new accounts and experiment further with these scammers.

Just wanted to share this story, and my disappointment in the account recovery system.

I highly recommend setting up a free email account with some online service (Gmail, Yahoo, Live, whatever you like) and creating a free secondary Steam account. Use a unique password on the account, and make sure it's an account you'll never miss. If you ever find yourself on a website you don't trust, use the new "throw-away" account to log in, and if the account is stolen, you've lost nothing. Instead, you can now use the same email address to create a new throw-away account and keep your main account for the actual, legitimate websites.
Last edited by RedNeckSnailSpit; Jul 26, 2022 @ 5:54pm
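The post above names the URL as one of the only two clues. As an added example (not part of the original post and not Valve's code), this sketch checks a login URL against an exact-host allowlist and labels common lookalike tricks; the allowlist, the reason labels and the sample URLs in the comments are assumptions constructed for illustration.

```javascript
// Added example: the allowlist and reason labels are assumptions, not Valve's code.
const STEAM_LOGIN_HOSTS = ['steamcommunity.com', 'store.steampowered.com', 'help.steampowered.com'];

// Classic Levenshtein distance, used to flag near-miss spellings of a real host.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

function checkSteamLoginUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { trusted: false, reason: 'unparseable' }; }
  if (url.protocol !== 'https:') return { trusted: false, reason: 'not-https' };
  // "https://steamcommunity.com@other.example/" puts the real name in userinfo.
  if (url.username || url.password) return { trusted: false, reason: 'userinfo-trick' };
  const host = url.hostname.replace(/\.$/, ''); // parser already lowercases the host
  // Only an exact match is trusted; "contains the word steam" is never enough.
  if (STEAM_LOGIN_HOSTS.includes(host)) return { trusted: true, reason: 'exact-host' };
  for (const real of STEAM_LOGIN_HOSTS) {
    // Real name present but not as the actual site: "steamcommunity.com.x.example".
    if (host.startsWith(real + '.') || host.includes('.' + real + '.')) {
      return { trusted: false, reason: 'real-name-as-subdomain' };
    }
    // One or two characters off a real host, e.g. "rn" standing in for "m".
    if (editDistance(host, real) <= 2) return { trusted: false, reason: 'lookalike-spelling' };
  }
  return { trusted: false, reason: 'unrelated-host' };
}
```

A check like this only helps when the real address is visible, which the popup variant described in the post prevented.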
Showing 16-21 of 21 comments
SqueakyTweaky Jul 27, 2022 @ 9:40am
Been happening for years, older people might not fall for it but if you let your children play use the internet then at least educate them of the dangers and what are the dos and nots online when you have valuable stuff.
nullable Jul 27, 2022 @ 10:01am
Ah yes, won't someone please think of the children...

Well maybe if the experience is painful enough the child, and children are quick learners, will get it together because they'll wish to avoid the hassle in the future.

There's nothing particularly special about Valve's account recovery or the challenges you experienced. It's kinda the risk when we're still flinging ASCII around in emails to manage account security. It's not optimal, but as most of the Internet is made out of scotch tape and bubblegum, it's what we've got. Sorry you're just learning that today.
C²C^Guyver |NZB| Jul 27, 2022 @ 10:27am
Originally posted by RedNeckSnailSpit:
Originally posted by C²C^Guyver |NZB|:
If you can't be asked to read anything, then you shouldn't be surprised that you got yourself in this situation. You didn't bother to read anything that Valve says, but you want others to read what you say? Again, your account was hijacked, not stolen.


I never said I never read any of it. Clearly you didn't get past the first paragraph.
You clearly did not read or your account wouldn't have been hijacked.
C²C^Guyver |NZB| Jul 27, 2022 @ 10:31am
Originally posted by RedNeckSnailSpit:
Let's get some things straight here:

I created the account and used it solely to see exactly how the process works. I had absolutely no intent of ever using the account or ever logging in ever again. If it was lost, it was lost, and I couldn't care less.

For those of you who believe yourselves to be "smart" adults who would never fall for this, good on you, but keep in mind that this platform is available to anyone over the age of 13, and last I checked a simple checkbox saying "I agree that I'm at least 13 years of age" never stopped a 10 year old from making an account.

This post was never about recovering the account. I couldn't care less about that. This post was about expressing disappointment in the account recovery system, when children who are much more susceptible to these scams may end up losing accounts worth a fair amount after their parents bought several items for them, especially over the holiday periods.

The simple fact that these scams have been around for years is a clear indication that they work. If they did not work, the scammers would have moved on to another method or another platform. If you're not a 13 year old child getting caught in these scams, good for you, keep doing what you're doing. This post is not here for you. This post is purely my own expression of pure disappointment in the account recovery system.

If a younger user does ever end up falling for this, which would not be surprising in the least, that account will be lost, and the scammers would have won however much the account may have been worth, either through resale of the account, or through transfer and sale of items to another account.

Stating "just don't log into dodgy sites" is not protecting anyone. Stating "This has been around for ages" is not protecting anyone. Without a viable account recovery system, any other form of attempting to protect user data and ownership is completely lost to the wind.

I'm not concerned about the preventative measures already in place. Those are already about as good as they can get. I'm concerned about the recovery measures. Without adequate recovery measures put into place, any account taken over by a scammer or hacker of any kind, is as good as gone.
Us "smart" adults know that you broke the SSA by using Steam at the age of 5....

"Steam is not intended for children under 13"

https://store.steampowered.com/subscriber_agreement/
Last edited by C²C^Guyver |NZB|; Jul 27, 2022 @ 10:46am
Judgmental Amaterasu Jul 27, 2022 @ 10:45am
Originally posted by RedNeckSnailSpit:
Let's get some things straight here:

I created the account and used it solely to see exactly how the process works. I had absolutely no intent of ever using the account or ever logging in ever again. If it was lost, it was lost, and I couldn't care less.

For those of you who believe yourselves to be "smart" adults who would never fall for this, good on you, but keep in mind that this platform is available to anyone over the age of 13, and last I checked a simple checkbox saying "I agree that I'm at least 13 years of age" never stopped a 10 year old from making an account.

This post was never about recovering the account. I couldn't care less about that. This post was about expressing disappointment in the account recovery system, when children who are much more susceptible to these scams may end up losing accounts worth a fair amount after their parents bought several items for them, especially over the holiday periods.

The simple fact that these scams have been around for years is a clear indication that they work. If they did not work, the scammers would have moved on to another method or another platform. If you're not a 13 year old child getting caught in these scams, good for you, keep doing what you're doing. This post is not here for you. This post is purely my own expression of pure disappointment in the account recovery system.

If a younger user does ever end up falling for this, which would not be surprising in the least, that account will be lost, and the scammers would have won however much the account may have been worth, either through resale of the account, or through transfer and sale of items to another account.

Stating "just don't log into dodgy sites" is not protecting anyone. Stating "This has been around for ages" is not protecting anyone. Without a viable account recovery system, any other form of attempting to protect user data and ownership is completely lost to the wind.

I'm not concerned about the preventative measures already in place. Those are already about as good as they can get. I'm concerned about the recovery measures. Without adequate recovery measures put into place, any account taken over by a scammer or hacker of any kind, is as good as gone.

All you did was waste a bunch of time making a PSA that will not be read by the people it's aimed at. Just like the thousands of other PSAs.
rawWwRrr Jul 27, 2022 @ 10:56am
Originally posted by RedNeckSnailSpit:
I'm not concerned about the preventative measures already in place. Those are already about as good as they can get. I'm concerned about the recovery measures. Without adequate recovery measures put into place, any account taken over by a scammer or hacker of any kind, is as good as gone.
And yet users who lose their account because of scams recover the accounts all the time.

The few exceptions are those who created accounts with throwaway contact details and can't ever provide factual data to prove they are the account owners, or those that bought/borrowed the account from the true account owners and can't provide the correct answers to Support's questions.

I don't think you ever clearly outlined what you consider a failure to the recovery process.
Originally posted by RedNeckSnailSpit:
Steam then asks me to attempt a login, which of course did not work since both the email and password were changed. I then clicked the button under the login form stating that I could not log in, and it asks me if I could try using a code sent to the associated email address. Of course I can't, because the email address was changed and I never had access to it in the first place. So I then clicked "I no longer have access to this email address" (and never did) and was greeted with a lovely page essentially stating "You can't do anything, because your account was self-locked. Try again later."

Of course, trying again later will only ever result in the same issue.
Did you actually try again later or did you get up to this point and decided, instead, to provide us with this topic?

I've not had to go through the recovery process but I find it hard to believe that after the account is locked, which is an option for the account owner to help protect the account, that there is no ability to continue recovery.

When we have people showing up in the forums asking for recovery help, someone will almost immediately provide the following guide which has helped countless others navigate through the menu options:
https://steamcommunity.com/sharedfiles/filedetails/?id=1126288560
Last edited by rawWwRrr; Jul 27, 2022 @ 10:57am

Date Posted: Jul 26, 2022 @ 5:50pm
Replies: 21