Just a heads up for everyone, it looks like nabu ツ https://steamcommunity.com/id/kelma85 has had his Steam account compromised by the same nasty virus that hit two other friends/members yesterday. I, and mwhym, have already reported his account, but if you could do it as well, it may make Steam Support aware of it more quickly.

I really wish that whoever is behind all this would be given a jail sentence.

6 years ago


As someone that fell for it :( here is how it works.

The target website has a "Sign in through Steam" button which, when pressed, transfers you to a typical Steam login page, only it's not hosted on Steam; as with all phishing scams, it's only meant to look like it.
Once you log in with user name and password, a popup appears for the mobile authenticator code. The login never completes but keeps spinning a loading icon, which I believe is part of the scam as well, to delay you as much as possible.

The login is somehow checking to see if the user exists, because I retried it with random fake usernames and it never went past the first stage.

Purpur3141's suggestion here is the best way to go (as a general rule for logging in to any site via Steam):
https://www.steamgifts.com/discussion/2JLw2/psa-my-steam-account-was-compromised-but-it-is-back-to-normal-hopefully#O3bPZJS

6 years ago

Purpur3141's suggestion is good, but I use a password manager. If I don't see my login information, I know it's not a legit site.

6 years ago

that's a good way also

6 years ago

i don't have much experience with password managers since i'm my best manager but this sounds interesting and at least i could learn something about that... how secure it is or if it can be tricked...

6 years ago

I think your method is probably the best way for people that don't use password managers to build a good habit. I just find my way easier in general for all sites.

6 years ago

sometimes they have you download a "picture" that i assume steals every password saved in your browser or worse.

i get these yahoos all the time being a trader. to everyone: just Never click links from people you don't know (sometimes even if you do know them, if they look out of place). if you have a trade thread up, go to it yourself. use this same idea for emails. i almost got had by a paypal email if i had used the link the email gave me.

6 years ago

Deleted

This comment was deleted 2 years ago.

6 years ago

Which Website is it?

6 years ago

Just got a message from him as well and sent a notice to the steam support. Thanks shadow! :)

6 years ago

Deleted

This comment was deleted 2 years ago.

6 years ago

i would like to say that will never happen to me but i think you just have to be unfocused or distracted by personal problems etc... especially depression can make your brain work in a very insecure way...

i hope i chose the right words and it's understandable.. :P

6 years ago

as someone who fell for it (and I don't even own CS:GO) I just went there out of curiosity, besides being stupid all I can say is that it was a momentary lack of judgment as I am very aware of phishing scams and generally have good knowledge of IT security... what can I say, it's stupid... without it being an excuse I was working at the time and I took a break to check it out... never thought I would fall for something like that but fall for it I did... not much to say... it was stupid....

6 years ago

Juggling too many log-ins, having too many steam buy/sell/trade/card tactics? :P
Around sales I usually dust off my trading cards and use all kinds of "looks legit...ish" sites :P
These days I just...don't even bother, very liberating :)

6 years ago

You have to remember that sometimes the person sending the message could be someone that person is really close with or trusts.

Good thing the message isn't personalized and not talking to you like a friend or someone you know cause if so it would be much worse and fooling many, many more. Imagine me and you have been friends for a long time. Imagine if you got something like this from me "Hey bro I just won so and so item and it's giving me a promo code to give out to one more person to win also".. and then the scam bs. You wouldn't see that coming.

6 years ago*

I did once get a message on Skype that was sent by a hacked account, and I asked back why they sent me something like that, as it was not related to either our previous talks or shared interests. No response, so it was obvious it was a scam. I contacted them about it another way and they recovered the account and changed the password.

I have a super small friend list, but either way I wouldn't trust anyone who sends me a random message about a CS:GO raffle or an easy way to grab knives. At least as long as they hadn't sent me messages like that earlier.

6 years ago

Simple first rule for IT security - if anyone you know sends you an attachment or link or recommendation then don't click it or open it until you have asked them to verify they sent it and what it is. Malware bots don't understand your question, and friends don't think less of you for asking.

I taught my old mother this when she first got the internet in the late 90s. If more people followed it these days we'd have less of these problems.

6 years ago

That's definitely a very helpful rule.

For this case with Mwhym and the others it was a live person and not a bot. When Mwhym's account was taken I talked to the person that was on it. I was suspicious right away and they defended themselves saying that the account wasn't compromised. About a minute later they blocked me.

6 years ago

I have done some work in IT security and studied the field pretty deeply, and I have made mistakes.

The scammers get an infinite amount of tries to fool you, and you get an infinite amount of times to make a mistake. A single mistake in an infinite amount of tries is statistically guaranteed to happen.

What helped me a lot of the way is the basic rule to never enter login details into any site before you've had your morning coffee/tea/cocaine/whatever gets you up. If I get a prompt to log in in the morning I just step back and move the task down my todo list so I get to it later in the day when I'm more likely to be awake enough to double and triple check everything.

6 years ago

Let's make a lot of fake accounts. Let's set dicks as avatars in all those. Let's use them to log in to those shitty sites...
Also I'm a bit curious what happens when one stealing site is stealing accounts from other stealing sites.

Ok, I'm out of stupid ideas. You can keep going.

6 years ago

i mean that's what these scammers do. you would just save them from making a few accounts themselves. there ARE steam scammer rings btw

6 years ago

Quoting Ratha's excellent advice:

There are only two places you ever enter your login info into on Steam:
1: Directly from the Store page.
2: Directly from the Community page.

For everywhere else you use the green 'Sign in with Steam' button, and if it ever prompts you for a username, password, email, or authenticator, you close the site immediately because it's trying to steal your information.

6 years ago
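Added example, not part of any post in this thread: the password-manager habit and the "only two places" rule above both come down to exact-origin matching, sketched here in JavaScript. The vault entries, the `example_user` name and the `.example` lookalike hosts are constructed assumptions; `store.steampowered.com` is assumed as the Store origin.

```javascript
// Exact-origin matching, the check a password manager's autofill performs.
// Vault entries are constructed; they hold no real credentials.
const VAULT = new Map([
  ["https://steamcommunity.com", "example_user"],     // Community page
  ["https://store.steampowered.com", "example_user"], // Store page (assumed origin)
]);

// Return the saved entry for a page URL, or null plus the reason it was refused.
function autofillFor(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return { user: null, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { user: null, reason: "not HTTPS" };
  }
  // url.origin is scheme + host + port as the browser resolves them, so a
  // "name@" prefix or extra trailing labels cannot produce a match.
  const user = VAULT.get(url.origin) ?? null;
  return user
    ? { user, reason: "origin matches saved login" }
    : { user: null, reason: `no saved login for ${url.origin}` };
}

// Constructed sample URLs; the lookalikes use the reserved .example TLD.
const SAMPLES = [
  "https://steamcommunity.com/openid/login",
  "https://store.steampowered.com/login/",
  "http://steamcommunity.com/login",
  "https://steamcommunity.com.signin.example/openid/login",
  "https://steamcommunity.com@signin.example/login",
  "https://steamcommunlty.example/login",
];

for (const s of SAMPLES) {
  const { user, reason } = autofillFor(s);
  console.log(`${user ? "FILL " : "BLOCK"} ${s} (${reason})`);
}
```

Only the first two samples are filled; every URL that merely contains or resembles the Steam name resolves to a different origin and gets nothing, which is the "I don't see my login information" signal.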

+1

6 years ago

+1

Yes, everyone needs to read and understand this!

6 years ago

And here is where it helps being a very untrusting person. I NEVER link my accounts with ANYONE that I don't research first. HB, IndieGala, GOG and here are the only ones I linked it to.

6 years ago

I received a spammy message from mwhym as well (like "you won a crappy something from counterstrike, go redeem it on http://veryfishycslink.com").

I hope those affected recover their accounts soon :/

6 years ago

sorry about that my friend... :( very sorry to put you in harm's way :(

6 years ago

Not your fault of course! You're a victim as well! :/

6 years ago

Is there going to be a PSA for the steamgifts community every time someone's Steam account gets hijacked?

6 years ago

No, just ones that have SG accounts with which they could potentially create links in their giveaways.

6 years ago

thanks a lot for the thread, I still hadn't received these spreading messages but it's always important to make everyone aware when things like these are spreading through Steam chats and so on.. hope the best of luck to all those who got their accounts compromised!!

6 years ago

hate scumbag scammers, get these types of messages 10 - 15 times a day, so annoying, lucky for me I've never felt the need to click any of them.. even after a trade I don't bother clicking on the steamgifts link someone provides, instead I directly look up their steam account via steamgifts to give them rep..

Shame that no job having cheap peasants steal from other people..

6 years ago

How can you fall for a phishing/scam link when it comes to steam?
Seriously tho, it should be known by now and is nothing new.
Add your Phone and use Steam Guard......

6 years ago

But, if you got Steam Guard, even if it tries to log in or whatnot it can't go beyond if it needs the login authentication? I even believe if you got no Steam Guard you still need the email with the code.. how do they manage to bypass that?

6 years ago

this is why you should not use the same password on your email and things like say steam. i have a text file because every important place i go has a different password.

6 years ago

I use KeePass, open source, has my passwords and has an autotype function

6 years ago

Deleted

This comment was deleted 2 years ago.

6 years ago

Yeah I read that but I still don't get how, each time you log in you get another code, assuming you are giving your account details to the phishing site, each code is different (between the one you give them and the one they should use)

only way I can somehow see it working is, if you put your details and manually go to the app to see your Steam guard code and put it in, since it isn't Steam, it won't trigger the notifications

That's why I have my Steam community and store always logged in, if the site asks for my info it would be weird since I'm logged in and I only need to authorize

6 years ago

Deleted

This comment was deleted 2 years ago.

6 years ago

you are right. people seem to think there's a human at every step but in most cases the human only comes in at the end and everything else is automated through scripts and bots.

6 years ago

i still know people who use 1 password so i just want to let people know it's not a good thing to do. i also notice when other sites get hacked i'll get someone testing my email and other accounts like steam with a bad password.

6 years ago

People, quit logging into random websites just to get a free shovelware key.

6 years ago

He got his account back !!!!

6 years ago

yay!

6 years ago

Glad to hear it!:)

6 years ago

"virus"

6 years ago

As good a name as any for "people" that are behind these scams, wouldn't you say?

6 years ago