And yet I have seen two threads about specific users saying they where hacked today.
Comment has been collapsed.
Natural selection...... if someone is stupid enough to think that a random "guy" add you to steam for give a free game when you click on an strange web...... this "stupid" deserve all the scams posible.
Comment has been collapsed.
Except if you actually read the issue, you would realise it's not a random guy, its main vector is through friends.
The thing about friends who actively speak with one another, they sometimes send each other links. Depending on the typing style of certain friends, it might sound somewhat in-character.
The most successful one I saw actually posed as a link to an image, but the address was slightly off. The page it linked to wasn't a direct image but an address that threw the trojan at you. Some peoples browsers/AVs intercepted it immediately, not even downloading. Some weren't so lucky. A major part of phishing is presenting a believable front so that people don't turn their scrutiny onto it. For instance, people trust the official steam authenticator with good reason, so another method of phishing was to recreate the authenticator log-in page as closely as possible.
People no more 'deserve' to be scammed for not noticing concealed signs than you 'deserve' to be punched if you don't duck quick enough. 'Deserving' primarily something means a morally justified result, not 'it is an expected result'.
Comment has been collapsed.
Not just that, some people may just click by accident considering how jerky steam chat can be in a browser
Comment has been collapsed.
And did they accidentally type their Steam username and password into a fake Steam login window while not noticing the URL was nothing close to Steam's?
Comment has been collapsed.
possibly. im only putting forwards the likelyhood of misclicking due to steam chat being utter crap.
Comment has been collapsed.
Thing is, URL usually is pretty close to stearncommunity.com
Who noticed RN instead of M? :D
Comment has been collapsed.
Not on this one. I went to the site using a VM through a VPN to see it out of curiosity. They didn't even bother masking the URLs (or Firefox prevented it). The URL showed up as: https://www.rolldatgamex.com/auth?domain=www.rolldatgamex.com#
All of the links on the fake login page aren't masked and are the same as above. The the Steam menus (Store, Commnunity, About, Support) were the same URL and didn't function. The language at the top right was set to another language, although the page was still English, and changing it to another language didn't change the language.
Comment has been collapsed.
And this is why social engineering is interesting 👏
Comment has been collapsed.
It's a fun subject but I can't bring myself to look too deeply into it, as my exposure to social media makes me depressed enough about the mechanisms people use to justify nasty treatment of one another. Social matters can be exhausting to observe from the outside. xP
Comment has been collapsed.
and again, anyone who use his pass and account in a random web for get "free things" deserve any scam.
what are we monkeys with the intelligence of a stone??
in my case even before join this web 2 years ago i asked everywhere before for know how "legal" it was, so if you get scammed it's because you are a "monkey". sorry that's the truth, in this life no one give "dollars for cents" (or duros por pesetas in my language) (one duro it's 5 pesetas, one dollar it's a lot of cents or pounds or whatever it's said in english language)
Comment has been collapsed.
Did you just decide to not read my bit about the word 'deserve'?
I'll put that one down to the language barrier I suppose.
You still joined up on this site, which is for "free things", using the authenticator. No matter how much research you did into the site itself, it only takes a tiny lapse in perception to miss a phishing site, as the visual design can be mimicked down to the pixel, and web addresses can be spoofed switching "m" for "rn" and lower case "L" for upper case "i". Phishing itself relies on mimicry and camouflage, background checking doesn't make you immune, it just validates the authenticity of something that can be mimicked.
Not every phishing hit is due to haphazard behaviour, and social engineering behind it can be subtly effective. The very existence of the authenticator login page is something of a comforter to people, giving a sense of security that can be abused. And you're right that it's rare for people to give more than they get, but you say that like freebies aren't a thing that are frequently seen on this very site. The forums often scout extra free key giveaways, and these are done to benefit the creators or the hosting sites as a form of advertisement or luring point for sales on other games.
Yes, people need to be more cautious, and treat all digital exchanges as they would a typical email with an embedded link, but the majority of people learn caution through making smaller mistakes. If you have never been exposed to malware and never had your wake-up call, it can be easy to be lured into a false sense of comfort by the sight of an authenticator. The pointless judgements you're dishing out in the face of people getting their accounts jacked doesn't speak too positively about your own mental refinement.
Comment has been collapsed.
You say that, but
https://www.steamgifts.com/discussion/VxFE8/so-my-steam-account-just-got-hacked
https://www.steamgifts.com/discussion/GCxxD/need-help-fast
were just posted ...
Comment has been collapsed.
There was also one yesterday I think with the same link as these two from the looks of it. I just got a message from a friend who sent that same link so its spreading fast. People just cannot resist a free game unfortunately.
Comment has been collapsed.
Comment has been collapsed.
You say that, but people tend to trust people. Plus, free games aren't some mysterious things. Instead, free games are extremely common in these circles and I personally know multiple people who share free deals they've noticed with me. If one of those people shared it with me, I'd be skeptical due to the link, but I'm also very paranoid.
There's a reasons accounts get hacked. Discounting the believability of these types of messages does nothing more than shame those that got screwed over and just makes you look like someone who lacks any empathy and no real perspective on the world around you.
People like us are a minority. People who waste so much time online that it'd take a lot to trick us. But we're the minority. Most other people have more varied lives and so they don't have the time to learn every aspect of the Internet.
Comment has been collapsed.
I'll second that. Great comment. 👌
I guess there is a reason you are on my whitelist
Comment has been collapsed.
Thank you for your great comment.
Every time i seem people claiming phishing is obvious and only stupid ones fall for it I'm like
Comment has been collapsed.
There's always something out there that will catch us off guard if it were applied to us. No one smart enough to catch all phishing methods and that's why I don't really approve of people having a massive hubris around this subject.
Your mom texts you, "I was just in a car accident, but I need you to transfer at least x amount of money to the mechanic's EBAN. My bank account's messing up. Don't worry, I'll pay you back. Please hurry though. <3"
Would you transfer? I mean, many won't, but some will. And having "some" fall into that trap is enough to make it lucrative. I'll fall for a scam again in my life. No question about it.
Actually, in the opposite side, my paranoid being meant that I lost out on a 5€ gift card for a store. I didn't trust the link and it expired. The next day I found out that it was a legitimate thing that the store was doing. So technically I fell into a scam that my mind created for myself through paranoia.
Comment has been collapsed.
I wouldn't go as far as massive hubris.
Thing about situations you're not aware of is that... you have no idea they can happen.
I myself I'm little curious how our brain works, how we see things, and short version is, our brain lies to us all the time. Because its sorta more cost effective that focus on every detail of everything.
But then again, it backfires at us every now and then.
Comment has been collapsed.
I just tend to use hubris as per its definition, which basically is "excessive pride or self-confidence". Main emphasis on the self-confidence in this topic obviously, since pride wouldn't apply here. Wasn't a jab at the user or any users like him, but instead just an observation.
But yeah, the overall topic is really fascinating in my opinion. By the way, thanks for the kind words before :)
Comment has been collapsed.
Reminds me when I texted my gf about something being molded and got a return message she was in the hospital.
I didn't believe it, but really, I couldn't really risk it IF it were real.
She was "joking."
I was pretty pissed off about that.
Comment has been collapsed.
But she caught me on the counter (It wasn't me)
Saw me bangin' on the sofa (It wasn't me)
I even had her in the shower (It wasn't me)
She even caught me on camera (It wasn't me)
She saw the marks on my shoulder (It wasn't me)
Heard the words that I told her (It wasn't me)
Heard the screams get louder (It wasn't me)
She stayed until it was over
Comment has been collapsed.
Didn't knew the rest of the lyrics were that lewd.
Comment has been collapsed.
just got this message from a Steam friend, went to his profile to warn him and what do I see? A warning comment from you posted 7 minutes ago ;p
still, one would think that veteran with thousands of GAs made, thousands of games owned would know better than fall for such an obvious scam :(
Comment has been collapsed.
clicking the link is not the problem...connecting to Steam on that site is
Comment has been collapsed.
Yep, had that message today from a hacked friend account too. Be careful right now.
Comment has been collapsed.
Received the message earlier today from someone in my friends list. Didn't think much of after the first message, after second one I just removed the friend. The name on the account didn't ring any bells and the link was to a site not known to me so it was easy to just dismiss it.
Comment has been collapsed.
I got the same messages today. You can report the user account to Steam as being compromised.
Comment has been collapsed.
thanks for the heads up, I had a minor issue when I was a total newbie on Steam and I clicked on a chat link, fortunately it was just an old virus that basically took over my chat and spammed a message to all the contacts (and if they clicked on the link, it would do the same and spread to all their friends).. it opened a page written in Russian and my Steam friends told me that it was something used years ago to transfer all the inventory items to an account (that had been closed years before, so I don't know how that virus still was running xD)..
well, I changed passwords and everything (fortunately it affected only my chat with the spam messages, no other issues) and I became aware of these things, it's important to spread these warnings.. for instance I got to Steam after years and years in which I didn't play a single PC game, so the only things I knew were about world of warcraft and ultima online.. I've been so stupid but I learned from my errors and never clicked again on any kind of link xD So best of luck to those who got affected and thanks again
Comment has been collapsed.
(._. ) i fell for that shit now im waiting on steam support to work their magic
(in my defense i had just woken up and didn't think twice about one of my long time friends telling me i can go to a site for a free game)
Comment has been collapsed.
Haha, I was warned that you were probably compromised since me and that person were mutual friends.
Literally 3 seconds after responding, I got the message from you :D
These things happen. No reason to feel embarrassed or that you have to defend yourself. Stuff happens and we just need to try and learn from these situations. You'll probably be way more paranoid about links for a while now whether you mean it or not.
Comment has been collapsed.
Thank you all for the heads up warnings. Just got the message. Be careful everyone.
Comment has been collapsed.
Got that message x4 from one friend. Not suspicious at all /s
Checking the account it seems wiped clean, nothing showing at all. Reported but not really knowing them irl not much else I think I can do for them.
(You might want to add PSA: to the title)
Comment has been collapsed.
same , just got a message fro ma friend and it was a site called spindat gamex , it was obvious lol
Comment has been collapsed.
Valve needs to work on that. Hard. What's the point of an authenticator if anybody using the "sign in through steam" feature, which is basically everywhere (and unavoidable in some cases) just lets anyone hack into your account and disable the authenticator without any email confirmation or any secondary approval??
Comment has been collapsed.
Agreed, it doesn't seem to stop anybody from anything.
Comment has been collapsed.
Not to mention that it would be fairly easy for Valve to implement an additional layer of email confirmation.
Shame on them! But who knows what they were thinking as they designed their 2FA model?!
Comment has been collapsed.
GOG has a code sent to your email, every time you log in. I find it really annoying. I prefer how HB or Uplay do it (Authy and G Authenticator).
Comment has been collapsed.
How would email be any better? If they are stupid enough to login to a phishing site, they are stupid enough to confirm login via email.
Also some idiots have the same email username/password, as on some already leaked sites.
Comment has been collapsed.
The e-mail could mention stuff like IP and country.
That could also be added to the Steam Auth.
But it would be useful if I got an email, if there's a login from a different browser/device, like I get for my Google account.
Also from your previous comment:
and when you do set up 2FA "properly", then you never ever receive a single e-mail notification/warning/confirmation when the authenticator is being used.
What do you mean by that? I get a notification on my phone when the Steam login asks me for 2FA. If someone gets your credentials and tries to login, you should get a phone notification with the 2FA code. Unless you somehow give it to them, they shouldn't be able to login anyway.
Comment has been collapsed.
They actually USED to do that. I remember getting mad having to verify my tablet or firefox logins over and over with a code.
I just thought they fixed it, rather than removed it entirely in favour of the SGMA :/
Comment has been collapsed.
I'm missing something here.
Everytime I put my username and password, Steam asks for my authenticator code (even if I'm logged in, and I want to add money to my wallet).
If I click the "Sign in with Steam" feature, there are 2 scenarios, either I'm already logged in or not. In case A, Steam doesn't ask me for my username or password, it just let me in. In case B, it will ask for my username and password, and just after that, for my authenticator code.
I really don't see the flaw in Steams flow, and at least for me, is working like a charm (and yes, my email and password had been powned, and a couple of months ago, I received like 1 token notification per hour in my cell phone, until I changed the password)
Comment has been collapsed.
Well, I don't know how they gained access to the accounts they hacked but I do know that you can disable your authenticator without any further confirmation once you're signed in which is pretty much the same as having an alarm inside your house that can be disabled with one button. Once somebody has your key, the alarm becomes useless if it can be disabled by just anyone.
That was my point. Now I have no idea how they tricked the log-in process.
Comment has been collapsed.
Again, if you have the authenticator enabled, to log in, you need the code, otherwise, you won't be able to access.
And you do receive an email saying the authenticator was disabled, and it has a link to lock the account.
The system works as intended, and if you enable it, it is not like a house alarm, that can be disarmed for the outside. Is like a normal house alarm, that you arm/disarm with a code.
Comment has been collapsed.
I think it works like this. When you click on the button to sign into Steam, the website takes you to a fake website that looks like Steam. Then you give your account name and password to the site to sign in and then it will ask you for the 2 step authentication code. Once you give it the code, the fake website can immediately sign into your Steam account, disable 2 step verification, change email and password.
Comment has been collapsed.
Yeah, it's really damn weird. I thought that signing in through Steam would only give them access to some basic information about your account or something like that. But I guess I was wrong.
More than just a slight oversight.
Comment has been collapsed.
I mean, you go to "steam scam.com", you give them your login, you give them your password, you give them your 2FA code, what do you expect to happen?
Of course first thing they'll do is go to "steam real.com", use your login, use your password, use your 2FA and disable everything.
Comment has been collapsed.
Maybe it's to late, maybe it's still time for... some little advice? Mine is: always reply with some strange question (but not necessarily rude one!) after receiving message "you won that or another game" kind. If there is no respond - assume it was send by bot and ignore link!
Comment has been collapsed.
it's 2019 and people still don't activate 2 step authentication? I can't believe it (apart of login in in a dubious site that says it will give user AAA games for free)
Comment has been collapsed.
https://www.steamgifts.com/go/comment/FtGtJw0
Thanks Valve for your "security".
Comment has been collapsed.
Every time Steam ask me for my password, it ask for my security code.
If I use the sign in with Steam, and I'm logged in, if it ask for my password, then it will ask for my authenticator.
When I changed cell phones in july, I needed to disable the authenticator, and I got an email saying it was disabled.
On top of that, I also got that link. I also click the link, and I also got PUBG for free (yay!), it asked me to log in with Steam, I clicked the link, and the first suspicious thing I noticed, is the pop up had about:blank in the url, instead of steam's url, I opened the iframe link in another tab, and got to a self hosted page, very similar to Steam. everything there was a dead link (download client, login, TOU, etcetc.etc).
So it's not thanks to "Valve security", it thanks to people thinking they were going to get a free AAA in some dubious site, and not having the authenticator enabled, because it too much of a trouble to enter 5 characters everytime you log in. And also, not paying attention to what they are doing and where they are signing in.
And no, I not a cyber security genius, indeed, both my email and my old password, are available in https://haveibeenpwned.com/
Comment has been collapsed.
This fake login page also fakes asking for the authenticator code. Now they have all the info needed to login into Steam and disable 2FA and change the password. People with authentificator are being affected, too.
Comment has been collapsed.
Seems from here and your reply to my linked topic you don't understand how this phising works. It indeed, as the user above states requires your id along pass to "login" the fake site and immediately uses that info to hijack your account.
Wheter you use 2FA or not makes no difference since the users themselves subvert it, thinking it's a legit login.
Comment has been collapsed.
Which is why you should never login on browser using any other site than steam's own site - https://steamcommunity.com.
If you're logged to Steam-browser, then any other site will log using your saved steam-credentials.
If some 3rd-party site will ask for login after you logged on https://steamcommunity.com, you are being phished.
Hopefully you all we be able to understand what I mean?
Comment has been collapsed.
I understand. But while that's indeed very wise I know I personally could never be bothered to take that extra step everytime. Especially with Steam loving to knock out my login every 2 hour or so (especially orlygift especially got logged out almost instantly for some reason :/)
Comment has been collapsed.
OFF TOPIC [ON]
Almost everybody with a Dropbox or LinkedIn account in 2012 has been pwned... because those websites were hacked at that time.
Not really linked with users "geniusness".
OFF TOPIC [OFF]
Comment has been collapsed.
Report the site at:
- https://www.cloudflare.com/abuse/form
- abuse@reg.ru ( https://i.imgur.com/azktdOS.png thanks ScourgeTM)
- https://safebrowsing.google.com/safebrowsing/report_badware/ thanks Sooth
Comment has been collapsed.
Reporting to Google Safe-Browsing (https://safebrowsing.google.com/safebrowsing/report_badware/ ) should always be your first stop, as that's the service that all the major browsers (with the exception of Microsoft Edge, which uses SmartScreen) use for intercepting known malware sites as they're loading [see attached image for example].
Comment has been collapsed.
Right, i forgot that in my short explanation.
Good that you wrote the comment to add it.
Comment has been collapsed.
thanks for the info sweety but no one can hack me! because i am crazy!
Comment has been collapsed.
Thanks for warning.
And also in this case I am safe because of my language:
- my friends use just my national language
- if I get any text, that is translated into my language, then I will be 100% sure, that it is fake, because our grammar and sentences are too complicated...
At least this time I am happy for our complicated language :-))
Edit: my native language is Czech
Comment has been collapsed.
Expect a new scam message to be sent to you in Czech soon.
No-one's exempt, and you don't ever need to feel left out ;-)
Comment has been collapsed.
Yes, I'm safe from similar reason (Polish language), but I've got many friends on Steam from other countries who are using english. Just like that bot spamming message.
Comment has been collapsed.
So all I gotta do is give my steam account and I get a shiny free game? Sounds like a deal.
Comment has been collapsed.
Thanks for the heads up...I hope everyone gets their accounts back.
I tried bringing this website to everyone's attention a month ago and and got a lot of heat for it when I posted the message and link. it was from a random steam message in Japanese just like a few others have reported.
Here is how i found out it was a scam...without having to sign-in:
Whatever game you win, during the countdown...the visible part of the game key remains the same.
We need Moderators to be more involved and send out messages when issues like this are first discovered, rather than complain to have the links taken down.
Comment has been collapsed.
💙 for you
I've always had a special spot in my heart for Vigilantes 😊👍
Comment has been collapsed.
We need Moderators to be more involved and send out messages when issues like this are first discovered, rather than complain to have the links taken down.
- 01000100 01100001 01101101 01101110 00100000 01010010 01101001 01100111 01101000 01110100
Comment has been collapsed.
Hope you all get it sorted out. 👍
It's a shame there's scammers in abundance everywhere. But I'm sure support will handle it, as always.
GL all.. and be wary of the:
Comment has been collapsed.
Haha not having anyone to talk to on Steam finally paid off! I'm safe
Comment has been collapsed.
Oh, I thought you were joking about me but dang. Just logged in and got some phishing spam from keo
Comment has been collapsed.
Same!
Now you know why I did not add you on steam :blobevil:
Comment has been collapsed.
Sometimes there's benefits to being a loner! Is it odd to feel bad for getting left out of this social engineering ploy? Am I not as important?
Comment has been collapsed.
Comment has been collapsed.