So this afternoon I received a comment on my Steam profile. It was from some Level 0 private profile, and it said: "Hi m8, i want trade with you. need this items?" and some imgur-like link. I foolishly clicked it, thinking it's some imgur-like service, but things got fishy when it auto-downloaded an Image03.scr program. Thankfully it didn't launch automatically, but of curiosity I decompiled the program. This is what I found inside:

http://screenshooter.net/8304312/xwkdirw

As you may be able to tell, it automatically trades your items and posts comments to your friends. Also the guy left his SteamID (76561198161767786) in there. You can already see he took some items.

So if you receive a comment like this, DO NOT click on the URL and report him.

10 years ago*

Comment has been collapsed.

I think we are all aware from pishing links, it's nothing new

10 years ago
Permalink

Comment has been collapsed.

What i dont understand, why can a program automaticly trade your items away. And what is Steam Support doing about this pishing stuff?

10 years ago
Permalink

Comment has been collapsed.

Because steam support can't help you if someone is stupid and downloads virus and open it.

Program auto trades because you download it and run it, to click on unknown link and download and run program you need to be very stupid.

Let's say you let stranger in house, is police fault if you get raped in house by that person that you saw for first time and you let him in ?

10 years ago
Permalink

Comment has been collapsed.

You clearly dont know enough about computers to be casting blame on other users. Its not a program that you implicitly have to download, IE file-> save as, and it certainly doesnt require user input to be ran. You need to look up the term, "drive by downloads" it has been and continues to be a problem on websites and this is just another iteration of the attack. This is an auto run script to put it plainly.

The ONLY issue that you have as being a valid, although weak, source for being a prick towards another user is that they clicked an unknown link, but I can almost guarantee that in the 12 years youve been alive, youve done that same thing at least once.

10 years ago
Permalink

Comment has been collapsed.

I disagree and almost everything you said is false .

Steamstealer works on this way:

You need to click on link then you need to download file, it will be auto downloaded if you haven't set browser to "ask where to save" (also mistake on your part if you have autosave in browser), and then when saved you need to run it.

If you do those 3 things, then it is your mistake, it is not steam fault, they can only ban person that did this to you and maybe return you items if you contact them but it is not their mistake when you lose items, they provided you good protection but sadly sometimes there is no way to save users from their own stupidity.

10 years ago
Permalink

Comment has been collapsed.

I don't know what version of this scam you've encountered, but the file downloaded is a bit trickier than you described.

It can be named "IMG_xxxx", and have an icon that looks like an image thumbnail. If you're running on default settings in Windows, file extensions won't be shown and there's almost nothing that would differ it from an actual image file.

Considering the download usually comes from an image related site, chances are that the user will assume that it was an image that was downloaded. Which shouldn't be a threat.

Falling for something like that is something that could happen to anyone imho.

10 years ago
Permalink

Comment has been collapsed.

Just don't click ANY links from random strangers messaging you. Simple as that. I suppose it is harder for people who actually like to trade items, but since I don't, I just blanket ignore anybody not in my friends list.

But even if you do like to trade, there is no reason to have to link to anything. Steam is built in a way that you can view each other's items without 3rd party links at all. So if they use a link of any sort, that should send up red flags.

10 years ago
Permalink

Comment has been collapsed.

Random strangers? You get that link from your infected friends on Steam.

10 years ago
Permalink

Comment has been collapsed.

No one should use the default setting for not showing file extensions, NO ONE! Yes even if it's a very very dummy user because not showing extensions does more harm than good in the long term, BTW any user with two fingers of forehead and some time gets accustomed to extensions and prefer have them than not!

10 years ago
Permalink

Comment has been collapsed.

Running over a red light could also happen to anyone - doesn't mean it's not your fault for doing it.

I've often thought there should be some kind of internet license, where you have to prove you're not a thread to other internet users before you may use the internet :P

10 years ago
Permalink

Comment has been collapsed.

I talk about same scam you now described.

Your pc should show you when you get popup to download file that file is scr, if you have autodownload in browser then it is your mistake, if you don't have show file extension set up then again it is your mistake.

To get scammed not that you need to click on weird link but you also need to download file, and that is time when you should notice that file is scr, executable file.

Ofc file will be autodownloaded if you didn't set your browser to ask you where to save file (your mistake if you didn't set this) but if you have this set up then you can just cancel download.

Then you need to run file, and again if you set your pc to show you file extensions you will see that file is scr and not png or w/e he faked.

This is not steam fault, it is user fault, steam can only help to get scammer banned and get your items back but noone should blame steam when users are the ones who download weird stuff and run executable files...

10 years ago
Permalink

Comment has been collapsed.

+1

10 years ago
Permalink

Comment has been collapsed.

The question is why such a program is even able to make stealth trades in the first place, not how it got on a users system, and why the Steam client can't prevent this from happening.

Something as simple as a captcha could probably end SteamStealer for the most part. But captchas are annoying, so that's probably out.

10 years ago
Permalink

Comment has been collapsed.

More annoying than losing your account? xD

10 years ago
Permalink

Comment has been collapsed.

Not only that, but a sufficiently advanced bot could use an OCR library to get past any captchas. Although, a good captcha would work, I guess.

10 years ago
Permalink

Comment has been collapsed.

Absolutely nothing. Don't you know that they have other, more important matters to attend to?! I mean if Steam Support doesn't eat all those hamburgers and fries, then McDonalds will most definitely achieve world domination. Personally, i'm grateful for their numerous contributions to the study of "How morbidly obese can a person get without collapsing onto themselves and creating a black hole"

Thanks again Steam Support

But seriously, just don't click on anything from a stranger. Stranger-danger 24/7 kids.

10 years ago
Permalink

Comment has been collapsed.

If you run an executable on your computer, it could potentially do anything you could do yourself. It's like if they went to your home and sat down in front of your computer. There's not really anything Steam can do about that.

What should be fixed here is the security problems in browsers and operating systems, making it easy for these scammers to trick users into running them in the first place.

10 years ago
Permalink

Comment has been collapsed.

Only thing they could do - return items to you. If you'll prove you were stupid enough to click that kind of links.

And unless that dude is from US, they can't SWAT him...

10 years ago
Permalink

Comment has been collapsed.

Couldn't steam just disable posting links to profiles?

10 years ago
Permalink

Comment has been collapsed.

there is a setting where you can turn it off to random people or just everyone in general. i have mine set to friends only i believe. if not im gonna take the time to do it now lol

10 years ago
Permalink

Comment has been collapsed.

Unfortunately this is only related to comments in general, not links specifically.

10 years ago
Permalink

Comment has been collapsed.

but what if someone that is not your friend needs to contact you? setting it public is easier and more doable than becoming friends with everyone on steam.

10 years ago
Permalink

Comment has been collapsed.

I usually talk to anyone that may not be on my friends list via in game if its chatting or things like that, or i have my steam trades page that people also can get to me through. It has cut down on my spam links and those PNG. file hacks so thats why i do what i do

10 years ago
Permalink

Comment has been collapsed.

it's your profile. i don't advise you to do something you don't want to. i'm just saying it's sometimes frustrating not to be able to contact with someone. considering people tend to ignore random friend requests, setting it to public is sometimes useful. if i ignore someone's random friend request, same goes for them too. they can see that they can leave a comment in my profile.

10 years ago
Permalink

Comment has been collapsed.

Steamstealers eh? Filthy xenos!

10 years ago
Permalink

Comment has been collapsed.

Turn off auto download files to folder. Make it with ask user in which folder.

10 years ago
Permalink

Comment has been collapsed.

Learn to use the web, thanks.

(hint: NoScript)

10 years ago
Permalink

Comment has been collapsed.

No wonder it can't be detected as virus.. It's using standard .Net libraries.

Edit: He didn't even obfuscate his code!

10 years ago
Permalink

Comment has been collapsed.

Avast detected it as a virus.
The fun thing it does is sending a link to all your friends, so I've already received this message twice. Now, I know .scr is just another name for .exe, and not some kind of screenshot, so I never opened it, but Avast still alerted me.

If you get this message, alert your friend. The first one I alerted immediately changed his name to $name DO NOT OPEN ANY LINKS FROM ME.

10 years ago
Permalink

Comment has been collapsed.

thank god i did'nt do any click on that type of links

10 years ago
Permalink

Comment has been collapsed.

What's the person's Steam profile?

10 years ago
Permalink

Comment has been collapsed.

got the same a few hours ago, already deleted it though.... they seam to appear in waves...

10 years ago
Permalink

Comment has been collapsed.

this are bots and they are alot. One ID will not help you.

just do change posting in comments to friends only and never ever click a link in steam

10 years ago
Permalink

Comment has been collapsed.

All I get on my profile is comments from random individuals linking to some awkward hentai pictures :(

Still, always good to know what else is lurking around the corner. Anyone think creating a thread that cathalogues all types of these would be helpful? Just to be able to open it and check the list if someone gets some weird shit sent to them.

10 years ago
Permalink

Comment has been collapsed.

Allright, you cunts can stop now, this was NOT an invitation to try your shit with me. Honestly, it wouldn't work, and all you're achieving here is giving me the extra work of ignoring your friend requests. Seriously? Sending me an automatic message like "InvalidPassword" is supposed to work? Get outta here.

10 years ago
Permalink

Comment has been collapsed.

should be using https for steam, never click any link without https on it

10 years ago
Permalink

Comment has been collapsed.

does "avast" not pick these phishing auto downloads up or something? or does avast not know they are bad

edit i get them all the time, but i have no balls to click them. ive never clicked a link from someone in steam before and dont plan to cuz i know better. but i am curious if avast would save me if i did

10 years ago
Permalink

Comment has been collapsed.

This is why i don't allow messages from non-friends and i don't friend random lvl 0 requests which i'm flooded with all the time.

10 years ago
Permalink

Comment has been collapsed.

I have same comment on my profile :)

10 years ago
Permalink

Comment has been collapsed.

private profile -> not a single scammer in 10 years.

nice job in decompiling and looking into it. best protection as always: brain 2.0

10 years ago
Permalink

Comment has been collapsed.

Reported, Fak I hate bad guys

10 years ago
Permalink

Comment has been collapsed.

Closed 9 years ago by bartek360.