What about for other websites? How can I tell if a website is faked if I can't rely on the URL? For example, someone receives an email from his/her bank, clicks on a link, and is asked to login.
Comment has been collapsed.
Well... there is no one simple answer for this. If we are talking about emails, then the following is a good checklist:
- (If you are using reputable email provider, like outlook or gmail) Is it in your spam/junk folder? If it is, high chance it is fake.
- Check the sender. Is it "someone@paypal.com" or is it "paypal@weirdwebsite.com" ?
- Check the URL. Common phishing website still exists.
- Check for HTTPS (the lock). It doesn't really work as much these days especially free SSL is very common. Better ways is to check the lock, legit bank site should have their bank name on the lock (as they paid for higher tier SSL).
- If the email link brings you to a login page, close the page and Google for the official website to login instead.
Google made a quiz for educational purpose for this too. It's quite interesting, I have sent this to my family before: https://phishingquiz.withgoogle.com/
Comment has been collapsed.
That's good to know. I already knew to log in directly from Steam but I didn't know the Valve URL could be fake like that. Thanks for the heads-up.
Comment has been collapsed.
didn't knew this site at all. Pretty sweet for old peoples. Have sent it to my elders thx for the share.
Comment has been collapsed.
Totally agree on that. But I do remember my own password for some of the sites rather than using a password manager.
Especially when those passwords are used outside of browsers, like a desktop client (eg: Steam, Discord, Battle.Net etc).
Password manager have weaker integration on those.
Comment has been collapsed.
You put red blocks over the site name twice, but it's still listed in the text in the right of the login box.
Comment has been collapsed.
Why are we trying so hard to hide the guilty phishing website name??? This is NOT a violation of "calling out" of other SteamGifts users.
I see investigative journalism documentaries on PBS that are too weak to actually show the identities of their accused. Why is it that we are afraid of our own justice system, to instead kowtow to perpetrators instead?
Comment has been collapsed.
Well... for me, it's to prevent curious idiot from trying out the website themselves and fall victim.
Comment has been collapsed.
The scary thing about it is that url etc is not fake. Good to know. I already know the trick with login on official page first but this method is very dangerous... It could trick me as well in some circumferences (as it looks, especially address as totally legit and if it would be connected with page I trusted or something... ) .
Comment has been collapsed.
Here's the much cleaner version: Whenever anything asks you to log in to Steam, open a new tab, go to store.steampowered.com, log in there, and refresh the other site. If you still have a login prompt, it's fake.
Comment has been collapsed.
Thank you! Just a quick question: how is it possible to "wrap it around with a frame that displays legit Steam URL"?
Comment has been collapsed.
Getting technical here. You'll understand if you're a web developer.
The actual site that I am sharing here is the actual phishing site.
DO NOT try to enter your real account login (unless you really wanna get hacked).
URLs are censored to prevent misinformed clicks.
For safety, I recommend you use a fresh incognito mode in your browser to access.
The phishing site that I gotten is here: eplayfade (dot) com
Click on the sign in button, a pop-up will appear.
If you inspect element, you can see that the entire pop-up is fake.
The frame is created using divs, even the address bar and the fake SSL lock is created in divs and image.
The frame content is rendered using an iframe, the source of the iframe is a phished Steam login page.
HTML analysis here: https://imgur.com/D4FOFTl
Now, if you access the iframe source directly, it will brings you to the actual phished Steam login page:
https (colon-slash-slash) eplayfade (dot) com/hgCLn2HIR8/hpmexhgc34/f963k3xxbu?q=hgCLn2HIR8&s=0852937534eb66c5d941c3a3c7523a3b
Comment has been collapsed.
Interesting, I'll have a better look at it when I'm on PC... Thank you! :)
Comment has been collapsed.
if you're not using Chrome browser, the whole fake "pop-up" is obvious then ;)
Another reason to be using Firefox XD
Comment has been collapsed.
Well, interesting. I tried using Firefox and IE, they did made some effort to emulate those browsers as well.
Comment has been collapsed.
The url bar and padlock area in Firefox are very different, not to mention the dark theme I'm using while that fake pop-up was all white.
Here's what a pop-up window looks like for me:
Comment has been collapsed.
Not if the site uses iframe or a js dialog box.
The whole purpose of iframe and js dialog box is to load contents from another URL.
Even if there are browser plugins to force them to show up, those plugin will probably destroy the UI of some of the legit websites.
Comment has been collapsed.
There's another way to tell if a site is fake. If you have your username & password saved for a particular site in your browser it will automatically fill in the username/password on the login page (or if you have multiple accounts it should have a dropdown menu with the different usernames). But it won't autofill on the fake websites. So if you know you've saved your password for a website but it's not autofilling that should tell you something is wrong.
Comment has been collapsed.
Yeah, I use Keepass 2. If I don't know my own password, it reduces my chances of screwing up.
Comment has been collapsed.
thanks for the link mate. tried it and learnt from it
Comment has been collapsed.
Solution: Login into official Steam website first. Then only try to login to 3rd party website.
Yep. That's what I've been doing forever really. But I get how people get conned.
As for other phishing sites, and "regular internet users", it's a bloody massacre out there. My mom once sent me a link to "Amazon" asking me how come she couldn't log into her Amazon account. The url of the "Amazon page" was something like addfbdfsdiuj,ru lol
She actually started on Amazon and then searched for something and clicked an ad at the bottom of the search page... that sent her to an Amazon looking phishing site. That's right. Amazon displayed an ad on their own page that led to a phishing lookalike Amazon. Good thing she tried to log in (and forgot her password) before she entered her credit card anywhere. Duh.
Who gave parents the idea of using computers anyway?
Comment has been collapsed.
Yea, saw this few days ago. Really nice trick. Some dude posted warning and yt link on r/dota2, but it wasn't upvoted much to be noticed. https://www.youtube.com/watch?v=Bj3vxFc_vlM
Comment has been collapsed.
That was fun!
Apparently I am an average informed person and a suspicious one. :)
Comment has been collapsed.
You got 8/8 correct. All fakes were quite obvious, hard part was to trust the legit ones enough. Security becomes so much easier if you just assume everything is a scam unless otherwise proven, not the other way around.
Comment has been collapsed.
In this image https://imgur.com/vDaTiZw, if I click on and I get the message "secure connection" then I know it's a Valve site. What does it mean that the entire frame is fake? is it an image? I mean, https sites should be safe and certified by someone, when I click on it, it says "Valve Corp" as far as I remember
Comment has been collapsed.
See technical explanation here in this comment: https://www.steamgifts.com/go/comment/b0TJhno
The frame and the "Valve Corp" was created using HTML element and images.
Comment has been collapsed.
youtuber "diddle" actually already made a video regarding this scammer website
https://www.youtube.com/watch?v=Z94pVFWG_So&t=
Comment has been collapsed.
Nice awareness thread. Thanks for posting it, as I'm sure there's plenty of people who don't notice this.
It's one of the better tricks they use. Only easy to spot if you're into IT, but hard to spot for other people I guess.
Not surprising the domain is registered through a Russian provider (and using Cloudflare to mask the hosting provider).
Especially reg.com which is known for crap domains registered there. Even their abuse policy is clearly set to protect phishing sites; https://www.reg.com/support/abuse/#expanders=c0
Can anyone who visits them report them to Cloudflare at least? That can be done here: https://www.cloudflare.com/abuse/
That should at least have a slight impact on their illegal phishing practice.
Comment has been collapsed.
I'm not sure if reporting to Cloudflare works.
Normally when I encounter a website to report, I will just report to Google and hope they will do something about it...
Thanks though, I have reported to Cloudflare as well.
Even their abuse policy is clearly set to protect phishing sites
What do you mean by that?
Comment has been collapsed.
What I meant with that is that their abuse policy states things like "Therefore Registrar has no right to apply sanctions to the domain name on the basis of third parties claims. Domain administrator independently carries out domain management and is solely responsible for the materials, posted on its resources and and all actions related to the domain name." Which quite clearly is nonsense.
(And I've had experience with them ignoring abuse reports before which is why that Russian provider is not to be trusted.)
Cloudflare is generally cool. They tend to take action when given sufficient abuse reports :)
Comment has been collapsed.
Well, I think it's a bad translation.
For TLD, they aren't a registrar. They probably are just a domain reseller.
Reference: https://www.icann.org/resources/pages/registrars-0d-2012-02-25-en
For a list of all current ICANN-accredited registrars, please see http://www.internic.net/regist.html.
I think what they mean is, they do not have the power to suspend or terminate a domain. It is pointless to report to them.
But yeah, a responsible domain seller should have a way to let people report a domain abuse, and they should do some sort of investigation and report up to their registrar. They are just being irresponsible on this part.
Comment has been collapsed.
Not that it matters, but they are actually a registrar. (Which is the sad part, since ICANN cares more about money than actualy making sure there's a quality standard which is a personal pet peeve I have with them). They are listed on the Internic.net website as "Registrar of Domain Names REG.RU LLC".
So they do have the power to suspend or terminate a domain, they just want to make it seem like they can't for some reason. From what I gathered it's so people won't report to them. Which would make sense since I see them pop up more often with phishing domains than other providers.
Comment has been collapsed.
Wow, I had no idea that this was possible. Thanks for bringing it to attention!
One thing that gives the "popup" away is that I can't move it out of the browser window, but I wouldn't even try that if I'd just wanna log in. Plus the address bar looks kinda weird but still!
I'm kinda speechless right now, I mean you gotta say that this is pretty smart :P
Comment has been collapsed.
Yeah. You cannot move the "popup" outside of the browser window.
But you can't dismiss a website based on just that, because some legit website DO use this kind of popup for some of their forms. It is not a very good UI/UX design choice, but people still do that.
Comment has been collapsed.
Hmm I never noticed. You really gotta watch out nowadays :P
Comment has been collapsed.
If you see this link do not click on it !!
hteeteepees://magnat-giftDOTcom/
Giveaway roll for free steam game
The page says it's sponsored by Humblebundle but it is not.
DO NOT CLICK ON IT !!!!!! (well.....don't do the steam api login)
It is a steam account hijacker.
Your steam account will instantly be locked from your login password
It also drops about 6 cookies so clear your cookies if you've been a victim.
Comment has been collapsed.
Yep, I've done it this way for years. Definitely should be your default way to log in.
Comment has been collapsed.
Thank you for this post. Very informative and useful. There is a warning before accessing page and even if I press "enter anyway" it seems like they deleted all the content so I can't actually check it out by myself.
I am not sure I understood fully your explanation. Did they just create whole fake pop-up window inside website -> No actual window was created -> You could not move new pop-up next to your browser on the monitor.
Is that it? Or some different technique was used?
Thank you in advance for any reply.
PS: If someone have saved that source code. Please let me know, I would love to inspect it myself.
Comment has been collapsed.
Yes. They created a fake pop-up window inside the website.
I guess, if you really want to study the techniques, I can try to recreate a dummy phishing site for you to see (when I have the time).
Comment has been collapsed.
Thank you for making it clear for me. Don't worry about making a dummy. I have seen this type on a few websites before (not steam related). I hope we won't see much more of them out there. It is quite easy to fall in this trap.
Comment has been collapsed.
I personally never login from any browser, because I don't want to save password and session (and avoid entering the steam guard code every time).
The desktop client is already logged in, so I just open the steam console (steam://open/console) and go to the desired website with the 'open" command (open https://www.steamgifts.com).
Comment has been collapsed.
What has always baffled me is why people even log out of Steam on their browsers. Are they using the client to do everything on Steam and having a much worse experience?
Comment has been collapsed.
Steam periodically kicks you out. It's not really a choice.
Comment has been collapsed.
But then the first thing you do is log back in to use Steam, not go to random websites. And it hasn't really been happening that often recently unless you're trying to use it during the weekly maintenance or other random downtime in my experience. Other than for buying games the last time I had to log in was when I reinstalled Windows, after that the cookie has persisted.
Comment has been collapsed.
Well, visiting said "random" website usually is how you experience that you get logged out of Steam (since for example Steamgifts stores it's own info so if I get logged out I wouldn't notice here).
It's been happening very frequently for me (of course I do use Steam shared between various different devices).
Comment has been collapsed.
I guess if you never use Steam for anything, but I check it several times more daily than I visit a new random site requiring Steam login in a year. Too many devices does sound like a probable cause, I only have it on 1 PC and 1 phone any more so no random logouts for me.
Comment has been collapsed.
Because I do not usually use the "Remember me" for most websites. Not everyone use that. Probably most people don't use that.
Several reasons. Shared PC, work PC, just don't have that habit, etc.
Comment has been collapsed.
Most people prefer silly extra hassle then if it's their own PC. Shared home PC should have own user accounts for everyone so not a problem either and at work it's better to just SSH tunnel to home than to get random malware from shady sites to your work LAN.
Comment has been collapsed.
You talk like everyone knows how to SSH tunnel to home.
Do you have a home SSH server to tunnel to? Do you leave your home network up all the time, just to tunnel to home for a Steam login?
Comment has been collapsed.
No, I talk like that's what everyone I know is doing if they want to do private stuff like that at work. Most don't have this need and if they do, they are probably some kind of IT nerds so they know how to very well. Rest are just using Facebook on their phones or whatever the trendy social media is today.
Anything works for that, even a RasberryPI or similar and what kind of barbarian shuts down networks at home. Then you can for example RDP over the tunnel having your own home PC to fully use without leaving any traces on the work PC.
Comment has been collapsed.
Even if people leave their home network up 24/7, most people don't leave their home PC on 24/7.
There are more people in the world who have limited access to the Internet than those who live in a more fortunate place.
I can't even buy a Raspberry Pi near my place. It isn't sold anywhere near me. Only place I can reasonably acquire one is buying online, and the shipping fee isn't even justifiable.
My home ISP only offers at best a 4 MB/S Internet plan. Not to say, my cousin's house is still using a 1 MB/S plan.
Tunnel back home just to browse Steam store is a very stupid idea, when the office have a way better fiber Internet.
Living in the top 10 country that has the best Internet speed must feel good huh.
Comment has been collapsed.
Most people don't use Steam either at least to the extent that they have any need to access it during work. All of my computers have always been on 24/7, there simply is no reason to constantly power them on and off.
Or similar, there are plenty of choices for a small cheap home server if you want one. And they can always be ordered online from other countries.
Using the work PC to browse shady sites that could potentially infect your whole work network is the very stupid idea here. You could just work for couple minutes and make the money to buy that free crap the scam site is offering yourself. If you have your mobile authenticator with you, you can already use Steam on your phone.
Here work usually has a much crappier line than homes, mainly because it's shared between everyone. And yes, it feels good when a 100Mbit Internet is considered a basic human right as it should be.
Comment has been collapsed.
Well, I AM accessing Steamgifts during work, right now. Which uses Steam login.
It is quite reasonable for people to browse some websites for 3-5 minutes every hour or so during work downtime. Doing 4-6 hours non-stop of highly focused productive work is rare.
Electric bill is one big reason to turn off home PC when not at home.
Power surge is one big reason to turn off network when not at home (yeah surge protector exists, but with enough frequency of power surge, even the surge protector needs to be replaced, which costs a lot).
Not saying about using work PC to browse shady site, just saying that not everyone use the "Remember Me" feature to keep account logged on to websites. I even posted this PSA using my work PC, because when at home, I would rather spend the time to play games than to browse website and post PSA. LOL
Comment has been collapsed.
SteamGifts is bit different, here they scam you to give away free games and then steal your levels.
That's another thing that feels good, there are no such surges here. Even blackouts are rare and happen once in 5 years or so. Joys of all cables being underground.
Well obviously it's better to do stuff like that for work, some people even save #2 toilet visits to work to get paid for providing content. :)
Comment has been collapsed.
first rule of getting a link from someone on facebook/steam or anywhere. never click it. the fact you even clicked it makes me question your love for security. and not a very good friend to just report and block him after it. it wasnt his fault he was hacked
Comment has been collapsed.
DO NOT LOG IN ON THIS ONE!!!!!
But is this one of those?
http://www.flastcrown.net/
Comment has been collapsed.
What i should do now..
I mean .. should i drop here the account that have been most likely hijacked to make people know to avoid him?
Should i report him to Steam that Steam have possibilities to give the account for the real owner?
I really need some help what to do now. I really don't want to see anyone lose their accounts and also i'm afraid of my own account.
Thank you already for your answer
Comment has been collapsed.
I think you can get banned for calling out specific users here, or something like that
You should still report him to Steam though
Normally you can also report the whole domain to the registrar, for phishing/internet fraud in this case
According to ICANN, the site was created a couple of weeks ago, and the registrar is reg.ru, but their site is written in russian. There is a link to the international version though, which is reg.com
There you can go to Report Abuse -> Internet Fraud, and they have a contact email there
I would use a disposable address though
Good luck
Comment has been collapsed.
Well ... i think i have done enough since he blocked me and that's good ( i think )
Yea.. since there is a hacker.. he surely knows how to make my life even more miserable than it is right now...
I hope luck is with all of us and specially with all those hacked accounts.
Comment has been collapsed.
Warnings about specific users are also quite pointless because everyone in their friend list already knows because they spammed the same crap to them. So just report on Steam and wait for original owner to get account back.
Comment has been collapsed.
Few days ago, a "friend" of mine invited me to join their team for Dota tournament, and then I was introduced into a phishing website. Working as a professional web developer myself, I can't help but to compliment the website first before report/blocking that friend.
The phishing website is very well done! I can understand how a normal person can easily be scammed.
I think it is good to educate people on the Internet on one very easy way to spot & avoid phishing website like this.
Solution: Login into official Steam website first. Then only try to login to 3rd party website.
Legit website that uses Steam login will NOT ask for username/password again if you are already logged in.
This is what you should see: https://imgur.com/r2RPYV9
Phishing website nowadays uses a fake iframe that copies the Steam login page, and then wrap it around with a frame that displays legit Steam URL. I can put more detailed technical explanation if anyone is interested.
Phishing website screenshot: https://imgur.com/vDaTiZw
My technical explanation here: https://www.steamgifts.com/go/comment/b0TJhno
Comment has been collapsed.