TLDR – What To Do
- Never sign in using Steam anywhere unless it’s a well known site that you navigated to yourself, preferably by manually typing the URL into your browser and saving that URL as a bookmark for later. NEVER sign in on links others sent you, not even your significant other whom you would trust with your life, because their account could be hijacked or they might not know they’re sharing a malicious link
- Optionally send the link to an internationally approved computer expert you trust (me?)
- When you confirm trades in the app, always double check both trade contents AND the person you’re trading with (level, friend date) because hackers can automatically replace outgoing and incoming trade offers to go to a different account with the same name and pfp as your original trade partner
When It’s Too Late
- Warn your friends not to click on any link that might be sent on your behalf; check your active chats for messages you didn’t send, and send/tell them this
- Change your password (if you use your Steam password elsewhere, change those as well, you should be using unique passwords and a secure open source password manager like KeePassXC)
- Log out all sessions in the Steam desktop client by clicking on your name in the top right corner next to notifications and navigating to Account details -> Account security -> Manage Steam Guard -> Deauthorize all other devices
- Open steamcommunity.com/dev/apikey in your browser (if you don’t trust my link, which you shouldn’t, first find out whether steamcommunity dot com is the real domain for Steam, if you don’t know that already, and then manually type the complete link into your browser). Revoke any API key listed there if you haven’t created it or don’t know what it is; if you did create it, replace it
- Optionally report the link at safebrowsing.google.com/safebrowsing/report_phish/?hl=en to make all common web browsers display a warning before loading the malicious site
(Source + further info: forums.steamrep.com/pages/hijacking/)
When a Friend Sends You a Malicious Link or Acts Suspiciously
- Try to contact them somewhere outside of Steam and send/tell them this to save their account and to prevent the hijack from spreading further through their friends list
- Warn their friends
The interwebs are full of malicious links/downloads, even/especially search engine results. To make sure you get the proper installer for programmes/the proper link to log into/purchase something, ALWAYS use the Wikipedia Technique™:
- Open wikipedia.org
- Search for the programme/site/shop/whatever
- Look for the website link either on the right in the summary box or by navigating to the external links section at the bottom
Typing URLs by Hand
Typing URLs by hand is a good and important tip, but only when you already know the domain is genuine and safe. This method only protects from malicious URLs that are supposed to look like one you already trust, for example someone sending you a link to steancomnumnitny.com/login instead of steamcommunity.com/login. You know steamcommunity.com is genuine and safe, so you might not pay close enough attention and just click on it, but it’s actually a completely different domain controlled by the scammer. Or even a Punycode attack like https://www.аррӏе.com/ where the domain looks perfectly real (depending on the font) but it’s actually using different letters that look like the regular ones, similarly to how an upper-case i and a lower-case L usually look the same. Typing by hand does not protect from any other malicious URL: if someone sends you scam.com and you type it in by hand, it’s still a malicious site that will do whatever bad thing it does. If you don’t know whether phal.io, gamejolt.com or tf2officialtournaments.tf is trustworthy, typing it by hand doesn’t change anything. For sites from (supposedly) known and trustworthy people/companies/etc., the Wikipedia Technique™ helps. For my site, nothing helps. I regret to inform you that I am indeed an interwebs criminal. But it’s too late for you now. I’ve already gotten access to your smart shoes and I’ll make them play a silly noise whenever you take a step while they mine Pokécoins for me and DDoS TF2 servers. And by nothing helps, I mean knowledge, uMatrix or uBlock Origin and optionally Privacy Badger help.
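As an added example (not code from the original post), here is a small Python check for the two lookalike tricks just described: the typo-squat (steancomnumnitny.com) and the Cyrillic homograph (аррӏе.com). The trusted-host list and the confusable-letter map are assumptions constructed for the example; an empty result only means no known pattern matched, not that the site is safe.

```python
import unicodedata
from urllib.parse import urlsplit

# Hosts the user has verified themselves (e.g. via the Wikipedia Technique).
# Constructed list for this example; extend it with your own bookmarks.
TRUSTED = {"steamcommunity.com", "store.steampowered.com", "apple.com"}

# Constructed, deliberately small map of Cyrillic letters that render like Latin
# ones (enough for the apple.com homograph); not the full Unicode confusables table.
CONFUSABLE = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
})

def scripts_in(label):
    """Unicode scripts used in one host label, taken from the character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def edit_distance(a, b):
    """Levenshtein distance; a small value against a trusted host suggests a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url):
    """Return a list of findings about the host in url. An empty list means
    'no known-bad pattern matched', which is NOT the same as 'safe' (see scam.com)."""
    if "://" not in url:              # bare "site.com/login" links as pasted in chat
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    findings = []
    if not host.isascii():
        try:
            findings.append("non-ASCII host, punycode: " + host.encode("idna").decode("ascii"))
        except UnicodeError:
            findings.append("non-ASCII host that fails IDNA encoding")
        for label in host.split("."):
            if len(scripts_in(label)) > 1:
                findings.append("mixed scripts in label " + label)
    # Map lookalike letters to Latin and drop a leading www. before comparing.
    skeleton = host.translate(CONFUSABLE)
    bare = skeleton[4:] if skeleton.startswith("www.") else skeleton
    if bare in TRUSTED:
        if host.isascii():
            return []                 # genuinely the trusted host
        findings.append("homograph of " + bare)
        return findings
    for trusted in sorted(TRUSTED):
        d = edit_distance(bare, trusted)
        if 0 < d <= max(2, len(trusted) // 4):
            findings.append("looks like " + trusted)
    return findings
```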
The https:// (as opposed to http:// without the s) and the padlock to the left of the address bar are always important to look at. They indicate that the data sent between the website and your device is encrypted. This is a must if you enter any sensitive data on a website, otherwise anyone in between could intercept it. However, if you don’t send anything to the website and only view the site, encryption is not that critical. Like the FamiTracker Wiki, which unfortunately doesn’t have HTTPS, but you just use it to look up FamiTracker stuff, so the worst thing that could happen is that someone knows what effects you use or what effects’ effects you still don’t have memorised and have to look up yet again.
TLDR: There is only one (very important) thing you can tell for certain from the padlock/HTTPS: if it’s missing, others could intercept the traffic between you and the website, so never enter anything on it in that case; only view the site. All big sites use HTTPS, so if you’re on a big site and there’s no padlock, you’re most likely on a lazy fake site. An existing padlock has nothing to do with the site being harmless.
HTTPS:// and padlock present do mean that the traffic between you and the website is encrypted; nobody in between can read the data transfer. If you enter sensitive data like your home address or a password, only the website owner will be able to access it. Even if the website owner is malicious. So only ever enter sensitive data on HTTPS sites. Even if the site is trustworthy.
HTTPS:// and padlock present don’t mean that the website owner is trustworthy or in any way genuine (as in, they are who you think they are, for example Volvo). Anyone can encrypt their server traffic, fortunately, because encryption is important; even this site uses HTTPS. There is nothing to it, other than learning once how to set it up. But it might not even mean that the traffic is encrypted, for example if the interwebs criminals create a fake padlock and a fake address bar in a fake window that is actually just part of the website, as shown here. The padlock may also tell you what company owns the site, but fake padlocks may make this useless as well.
HTTPS:// and padlock missing don’t mean that the website is malicious. It can be, but missing HTTPS doesn’t have anything to do with it. Unless of course it’s a known site that’s known to use HTTPS; then it’s an indicator that something is indeed wrong.
HTTPS:// and padlock missing do mean that the website owner hasn’t set up encryption, either because they don’t know how to, they don’t deem it necessary, they are lazy, or, if you can enter sensitive data, they are, what is generally known as, in a manner of speaking, an eediot. Or I am. Or they temporarily have technical issues.
I will now describe and show how a friend of mine had their account hijacked. I’ll also keep adding other forms of scam attempts to this site as I come across them so you can look at examples and be prepared for when it happens to you.
Method 1 – Can You Vote for My Team?
It was the night before my first vaccination. I was still doing something on my PC, I don’t remember what, even though it was past bedtime, when I got a message from a Steam friend. I’ll call them Ingeborg. My brother, Ingeborg and I had met a month earlier on a TF2 rocket jump server and we added each other. We played together a couple more times but beside that I didn’t know Ingeborg that well. You can see the chat from that day in the images below.
The first cropped message from Ingeborg at the top is “hey u free rn?” or something. I assumed they just wanted to ask about playing a game of TF2 with me, as it has happened before. When they dropped the question about voting for their team and getting keys in return, I didn’t know what to make of it. I didn’t know of any competitive team they were in and I also didn’t know Ingeborg well or that alleged tournament at all. It also didn’t seem like they could just throw expensive keys around. I took some time to process the information and to think about what I should reply, but Ingeborg didn’t leave me much time to think, following up with “?” and “u here”. So I asked, feeling stupid for not knowing what they’re talking about.
Then, they also set a time limit of less than 30 minutes and kept asking why I wasn’t immediately replying or “voting”. I have to admit, I nearly fell for it. I want to help people and I can’t think clearly under pressure, especially when it involves other people. And, for the Permanent Record, I of course wouldn’t have taken anything in return for helping a friend. I wanted to tell them that but they didn’t even give me the time to type that. I had already put my name and password in the form, after a lot of thinking, but something prevented me from pressing enter; it just didn’t feel right. I had even briefly searched the web for that tournament and didn’t really find anything. But what finally made me realise that there was something wrong and what made me think clearly again was the border and title bar of that alleged pop-up window. (Edit: Thanks for 1 likes. I compared genuinely signing in through Steam on scrap.tf and it did not open a pop-up window, it simply completely sent me to steamcommunity.com. I guess that means pop-up Steam sign-ins are always fake.) I had already tried clicking on the HTTPS information earlier, which didn’t work for some reason, but which still didn’t make me 100 % realise that this was a fake site. Until I noticed that the title bar was a Windows 10 default light theme title bar. I’m on Linux and I use dark themes, so the title bar should have looked completely different. I tried moving the window around and it moved choppily and I could only move it within the Firefox window. I checked the source code and it was true: it was merely an iframe within the site that contained a fake Steam login form from a different URL that was not steamcommunity.com. This is the site in the iframe:
As you can see, it’s the Steam login form, but the address at the top is not a Steam address. I took a look at its source code and found that it was a lot longer than the original and also contained a lot of dialogue lines about removing the Steam mobile authenticator. This apparently didn’t come up when actually putting in password and username, but you should look out for fake sites telling you to remove your authenticator, they could get complete access to your account that way.
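As an added example (not code from the post), a Python triage script for a saved copy of such a page: it reports iframes whose source is a different origin than the page itself (the fake “pop-up” above) and forms with a password field whose action points anywhere but steamcommunity.com (the fake login form inside that iframe). The sample HTML and the .invalid domains are constructed placeholders, not the real phishing pages.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Host a genuine Steam sign-in form is expected to submit to.
EXPECTED_LOGIN_HOST = "steamcommunity.com"

class LoginFormScanner(HTMLParser):
    """Collects iframe sources, form actions and which forms hold a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.iframes = []            # absolute src of every <iframe>
        self.forms = []              # absolute action of every <form>
        self.password_forms = set()  # indexes into self.forms
        self._open_forms = []        # stack of form indexes currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(urljoin(self.page_url, a["src"]))
        elif tag == "form":
            # An empty action means "submit to the page itself".
            self.forms.append(urljoin(self.page_url, a.get("action") or ""))
            self._open_forms.append(len(self.forms) - 1)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._open_forms:
                self.password_forms.add(self._open_forms[-1])

    def handle_endtag(self, tag):
        if tag == "form" and self._open_forms:
            self._open_forms.pop()

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def triage(page_url, html):
    """Findings for one saved HTML document: cross-origin iframes and
    password forms posting anywhere but EXPECTED_LOGIN_HOST."""
    scanner = LoginFormScanner(page_url)
    scanner.feed(html)
    findings = []
    for src in scanner.iframes:
        if host_of(src) != host_of(page_url):
            findings.append("iframe from another origin: " + src)
    for i in sorted(scanner.password_forms):
        form_host = host_of(scanner.forms[i])
        if form_host != EXPECTED_LOGIN_HOST:
            findings.append("password form submits to " + form_host)
    return findings

# Constructed samples (placeholder .invalid domains), not the real phishing pages.
OUTER_PAGE = ('<html><body><h1>Vote for our team</h1><div class="fake-window">'
              '<iframe src="https://login.example-phish.invalid/steam"></iframe>'
              '</div></body></html>')
INNER_PAGE = ('<form action="/auth" method="post"><input name="username">'
              '<input type="password" name="password"><button>Sign in</button></form>')
```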
I confronted Ingeborg with this and they stopped replying. But they didn’t immediately remove me from their friends list, like that one time I was actually scammed. I wasn’t sure what to do now. Was Ingeborg really a scammer? Was everything we did together so far just to gain my trust to scam me? Like that one time I was actually scammed? The funny thing is that our conversation before this was about scammers. Some usual random scammer put a usual comment on my profile and Ingeborg warned me. But I believe in the good in everyone and I didn’t want to just assume they were a scammer without making absolutely sure. I thought about what else I knew about Ingeborg. They gifted my brother some items because he barely has any. They invited me to their Steam group. They subscribed to me on YouTube and put my channel on their home tab. Coincidentally, earlier that same day, I also took some time to take a look at their YouTube channel and subscribed. So I thought that me subscribing to them was the sign they were waiting for, signalling that I trusted them enough to fall for the scam. I checked their channel and I was still on their home tab and subscriptions. I checked their Steam group and was still a member. This convinced me that there really was a possibility that this wasn’t actually Ingeborg trying to scam me but that they had also been phished and someone else was now trying to also gain access to their friends’ accounts.
Ingeborg’s friends list and profile comments were now set to private, so I couldn’t comment or directly message their friends to warn them. But there was the Steam group. One other member was online, one with a Pokémon profile picture and I believe I also remembered noticing them on Ingeborg’s friends list because of the Pokémon theme. So I put a comment in the group and added the Pokémon person, who unfortunately had their comments disabled as well, so I put an explanatory message into my profile to let them know why I’m adding them. I warned them and asked them to tell Ingeborg that someone has access to their account, should they know Ingeborg better than me. On YouTube, Ingeborg had their Discord name listed. I tried to add them but friend requests were disabled. There was also an Instagram name. I technically don’t have Instagram but I made a test account a while ago to test a YouTube scam comment with a link to an alleged Instagram password hacking site. I logged in with that account, changed my profile picture to my real one, added an explanation to the bio and added Ingeborg. But they didn’t react. So I wrote a comment on a YouTube video. I think it took three attempts for the comment to pass the automatic spam filter. It could of course also have been Ingeborg deleting my comments exposing them for being a scammer. But the third castle stayed up. And a while later, they actually responded. I then tried to tell them to add me on Discord, that also took many attempts and extremely careful wording to get through. Not even my Discord tag with numbers spelled out and 1447 speak, as Jeremy 900 800 500 would say, went through, but a carefully camouflaged link to my website did. By then, they also messaged me on Steam, asking for help and asking me to temporarily take their valuable items to secure them. I told them to add me on Discord so I know it’s actually them I’m chatting with. As it turned out later, it was really good that they didn’t trade me their stuff.
Apparently, Ingeborg wasn’t home at the time and only had access to their phone. And they allegedly fell for the exact same scam a day before. The obvious first thing that had to be done was changing the Steam password. But it seems that the password can’t be changed in the app itself. So I had the idea that Ingeborg could log into Steam on their phone’s web browser and change the password there, which worked. We kept chatting and I kept researching. I still wasn’t sure if this was still part of Ingeborg’s ingenious plan to regain my trust to scam me again, but I believed in them. Eventually Ingeborg got home, and I stayed awake gladly until 3:47 in the morning, I… I sang as time went off. Because as long as menly men like me are prepared to give their time, a flower grows. And that flower, that small, fragile, delicate yellow flower, shall burst forth and defeat interwebs criminals. On the “next” day, the vaccine had a side effect of making me a little tired. Strangely enough, that side effect already started before the injection itself.
I also kept thinking about what the actual purpose of this series of hijacking accounts is. Ingeborg’s Steam wallet and inventory seemed to have been untouched but there must be some way for the criminals to profit off of this, if only to pay for the costs of the website and domain. On Vaccinator day, I finally found an article on https://forums.steamrep.com/pages/hijacking/ that explains it. When you give them your password and current authenticator code, they obviously get access to your account, but you still have the authenticator, so what they can do is limited. Apparently, they use the opportunity to create an API key that allows them to keep accessing your account even after you changed your password and they use it to immediately replace incoming and outgoing trade offers with ones that go to a fake version of your original trade partner with the same name and profile picture. You might then not notice the difference when confirming the trade in the app and give them your items, unknowingly and without them having to have access to or remove your mobile authenticator. A brilliant idea. You might as well check if you have any API keys which you usually shouldn’t, the details are explained on the steamrep link and in the “when it’s too late” section at the top of this piece of medium literature.
And the moral of this story: Always be careful, educate yourself on how they trick you and on digital security in the sense of safety, never assume you won’t fall for it, don’t shame people who fell for it and don’t feel ashamed if you fell for it. And always have an internationally approved technical support character on your team.
Method 2 – Simply Building Trust AKA Social Engineering
We write the distant year of 2016. Two… œ… six… one. Oh, I’m an idiot, I held the pen upside down. Never mind. I don’t recall the incident in as much detail, but I still know the most important things. It started on a TF2 tdm_hightower community server, rocket jumping and Market Gardenering around. I don’t remember exactly how one of the other players started conversing with me, I just remember that they, I’ll call them Wincohn, added me, chatted with me and wanted to trade one of my items that was not yet tradable. We chatted over the course of multiple days. Eventually, we also chatted about bad things that happened in our pasts, like the divorce of my parents and how their dad allegedly died when they were young. And we comforted each other. They also asked me if I was religious at some point, I guess because religious people are easier to scam. When I took a look at their inventory, I saw TF2 competitive matchmaking beta passes. I don’t remember exactly how that worked, but I was excited about matchmaking and you could only get in if you had the beta pass item, but having it also gave you some invites to give to other people. So I offered to take a beta invite in exchange for the item they wanted. My item, a festive Rocket Launcher, was still not tradable though, so they suggested that I temporarily give them something else and they would immediately give me a beta invite. Since the beta invite is not an item, I had to trust them that they would actually invite me in return. We were on the aforementioned community server again and they agreed to make our trade public to the server members so they could witness it and report one of us, should we not keep our side of the bargain. So we opened a trade and I gave them one cosmetic drop I didn’t need, one cosmetic I used and two non-strange festive weapons so I wouldn’t lose my stats, which were apparently in total about equal in value to the Rocket Launcher.
Right before the trade went through, they left the server, which I only noticed when the trade window closed. And they removed me from their friends list. No beta invite. I told the others on the server that we had traded but they had left before it went through and had scammed me, but nobody cared. The chat where we agreed that I would get a beta invite was also gone. I lost my items and I didn’t even have proof that it was a scam and not just a gift or tax dodge. Steam rightfully doesn’t return scammed items, because the scammers of course immediately sell them and taking them away from the buyer would be unfair to them and giving the victim a duplicate would be easily exploitable, but getting them banned would at least prevent further scams. The worst part, though, is that everything they told me was a lie and only served the purpose of gaining my trust. Fascinating.
After it happened, I was of course sad and angry. But only temporarily. I don’t hold a grudge against them, I’ve long since forgiven them. Quite on the contrary, I’m even thankful because I didn’t lose that much virtual material value (like 3 $) and it was a valuable experience. I only hope that they have changed since then and don’t do this anymore. The comments on their profile are disabled to this day, not the best sign. They also don’t have a Steam or third party ban. Either them scamming was not a common occurrence or nobody was ever able to prove it.
Method 3 – Wanna Join Our Tournament Team? (Incomplete)
I got another one of those friend requests on Steam from a suspicious looking profile. One of those that have TF2 comp stuff in their profile description. This time, I accepted it to see what they would do, to document more methods used by interwebs criminals.
This account had 1200 hours of TF2 playtime. So it looked like they were an actual player, or maybe a hijacked account. Their inventory was public as well, but nearly empty, not even regular weapons or anything. They were playing TF2 the entire time and when I checked the server they were on, it always said no server. I guess that means they just have TF2 open the entire time to farm playtime that is publicly and prominently displayed on their profile, to appear like a real player.
I tried to go along with their chat but it didn’t go well. I even prepared my long unused Gibus Cap Discord account that I used to use to test roles on our server. But apparently, I asked too many questions. I was too eager to get a nice phishing link into my net. After that last message, they removed me from their friends. Next time, I won’t ask questions.