Valve already issue statements regaurding account security and scams.

https://support.steampowered.com/kb_article.php?ref=1266-OAFV-8478&l=

People fall for phishing sites all the time, click links and enter their steam account details plus email information. Valve have many safe guards in places to protect users but some users choose too ignore the warning and end up being phished, hijacked and have infor stolen. End of the day, the end user is the weakest link in the chain.

We already have a setting to "Allow destop Web browsers to automatically log into Steam sites" in our settings to help prevent the phishing.

I am mainly curious about the specific method and routine used by the scammers.

Redirected fake login screens that phish all entries typed in, moves the info over to a script that auto enters the info into steam in a browser, changes info around and/or trades all items out.

That is just 1 method I saw being used.

Originally posted by cSg|mc-Hotsauce:

Redirected fake login screens that phish all entries typed in, moves the info over to a script that auto enters the info into steam in a browser, changes info aroud and/or trades all items out.

That is just 1 method I saw being used.

:qr:

That is a common method of attack but I have not seen any evidence that this is specifically what is being done.

Originally posted by Toast:

I am mainly curious about the specific method and routine used by the scammers.

1) Have the victim enter their login details (including Steam Guard code) on a fake login website
2) Log in on the real Steam website using these details (and before Steam Guard code expires)
3) Change their avatar and profile description to something threatening, usually something like: you are vac banned. then leave a note saying "you have 1 hour to trade your items" or something along those lines.
4) Now obviously no one wants a VAC ban so they send the trade over to another account (such as their alt)
5) The original trade gets cancelled and then a bot disguises himself as the exact name and picture as the receiver and sends another trade.
6) The user confirms the trade through their Steam Guard app and the trade is complete. The person doesn't even know what hit them.

Why is this so smart? Because it allows to bypass Steam Guard completely, of course. If they see some dodgy trade being made from the account, they are not going to confirm it at all. Instead, threaten the user and hi-jack the trade.

Honestly one of the most elaborate and smart scams I've seen

It's just an old scam dressed up a bit differently. I think it's designed in a way that reduces the trace of a hijacking as the user retains access to their account but the underlying scripts in action take control of the inventory and trades. The scammers not taking direct control of the account could mean that accounts related don't get flagged and banned and the phished items remain active without getting locked.

Originally posted by gwait:

Originally posted by Toast:

I am mainly curious about the specific method and routine used by the scammers.

1) Have the victim enter their login details (including Steam Guard code) on a fake login website
2) Log in on the real Steam website using these details (and before Steam Guard code expires)
3) Change their avatar and profile description to something threatening, usually something like: you are vac banned. then leave a note saying "you have 1 hour to trade your items" or something along those lines.
4) Now obviously no one wants a VAC ban so they send the trade over to another account (such as their alt)
5) The original trade gets cancelled and then a bot disguises himself as the exact name and picture as the receiver and sends another trade.
6) The user confirms the trade through their Steam Guard app and the trade is complete. The person doesn't even know what hit them.

Why is this so smart? Because it allows to bypass Steam Guard completely, of course. If they see some dodgy trade being made from the account, they are not going to confirm it at all. Instead, threaten the user and hi-jack the trade.

Honestly one of the most elaborate and smart scams I've seen

Right. They can't verify the trade without access to the user's phone, but they can scare the user enough to get them to trade their own items out and verify it for them.

But couldn't the same thing be accomplished by infecting the user's computer by tricking them into downloading something and then grabbing their login + steam guard? How do we know for sure which one is being done?

Originally posted by Toast:

But couldn't the same thing be accomplished by infecting the user's computer by tricking them into downloading something and then grabbing their login + steam guard? How do we know for sure which one is being done?

Because people put so much trust into these gambling sites and a lot of them also confirmed that they entered their details.

Originally posted by gwait:

Originally posted by Toast:

But couldn't the same thing be accomplished by infecting the user's computer by tricking them into downloading something and then grabbing their login + steam guard? How do we know for sure which one is being done?

Because people put so much trust into these gambling sites and a lot of them also confirmed that they entered their details.

That's not proof. Gambling sites can easily be scams without grabbing the user's account and steam guard code with a fake login page. The ones which last the longest are the ones which go to the trouble of appearing legit and yet rig the games behind the scenes.

There is also the website trader trick which you enter the details and it says scam.com is not associated with valve but people enter anyway and there is 2 outcomes 1 harmless ban trick and 2 real ban.

So this has just happened to me (check my name history).

I started a game of Arma 3 and a few mins later I was contacted by an account named 'VAC BOT #9854', telling me my account will be banned or some stupid crap like that. https://prnt.sc/lbzffg

I realised this person must be on my friends list if he sent me a message so I checked his profile and noticed my avatar in the top right corner was gone.. so I went into my profile and saw that my name was changed to VAC BANNED.

I never log into any sites, share my passoword with or do any stupid things. I also use Mobile Authenticator so even if someone managed to get a hold of my password then they would have needed the code from my phone to access my account.

Originally posted by VAC BANNED:

So this has just happened to me (check my name history).

I started a game of Arma 3 and a few mins later I was contacted by an account named 'VAC BOT #9854', telling me my account will be banned or some stupid crap like that. https://prnt.sc/lbzffg

I realised this person must be on my friends list if he sent me a message so I checked his profile and noticed my avatar in the top right corner was gone.. so I went into my profile and saw that my name was changed to VAC BANNED.

I never log into any sites, share my passoword with or do any stupid things. I also use Mobile Authenticator so even if someone managed to get a hold of my password then they would have needed the code from my phone to access my account.

DO NOT TRADE YOUR ITEMS!

Your account was compromised.

Scan for malware. https://www.malwarebytes.com/

Deauthorize all devices https://store.steampowered.com/twofactor/manage

Change your password on a secure device.

Generate new back up codes.

Revoke the api key https://steamcommunity.com/dev/apikey

All my items are there and I have not traded them.

Password is changed. I have MalwareBytes and the scan didn't show any threats. I have also deauthorized all devices.

Follow all the steps.