The number of phishing websites and bots has drastically increased in the last couple of years. Some of the attacks are aimed at intercepting and collecting users’ ID and authentication data to then gain access to their funds and other assets, like your virtual in-game items on Steam.
Some of the well-known social engineering tricks no longer seem to work on experienced users since Valve introduced Steam Guard as its cybersecurity weapon.
Unfortunately, many cybercriminals invent new ways to deceive gamers, for example with the Web API Key scam. The same holds true for other digital marketplaces where a personal API key is used to confirm transactions with virtual items.
How does a typical scam work?
- Scammers target their potential victims by leveraging public Google ad tools like keyword research and analysis to collect information on popular marketplaces and websites that are visited by gamers.
- Once they know what a regular gamer searches for, the scammers use direct ad tools like Google AdWords to ensure top ranking for their counterfeit phishing websites. The phishing website’s address nearly always looks identical to the authentic, legit one.
- A misguided user clicks the top-ranked link on the search results page, which is a fake one and leads him to the phishing website.
- The fake sites usually imitate the original design of the trusted website, asking the deceived users to authenticate and leave data like a login and password. That’s where the scammers jump in to steal accounts.
- When the account data is retrieved, scammers get full control over the trapped Steam account and receive Web API Keys to monitor further transactions.
- Once a user decides to purchase or sell his virtual items on Steam or another marketplace, the scam comes into action.
- When a legitimate trade offer is sent by a bot on Steam to the user, a scam bot immediately cancels the real trade and initiates its own fake offer, sending it to the user’s mobile phone or email address.
- Since the real and fake trade offers on Steam look nearly identical, the victim confirms the trade with the mobile phone authentication app or with his email address. From now on, all the items are gone forever and the user will never be able to get his items back.
- If the victim checks his trade history on Steam, he may notice that there are two trade offers, where the real one got rejected.
4 steps to avoid scam threats
There are several things you can do to protect your Steam account and inventory from getting stolen and scammed.
1. Authentication only through Steam and legit websites.
To minimize the chances of getting scammed on phishing websites, log into your Steam account only on Steam itself or on marketplaces that you are confident are legit.
2. Steam password change
Changing your password is a great way to terminate your current session on Steam and block scam bots from getting access to your account. There are two ways to change your Steam account login credentials: the “Forgot password” option or the “Change my password” option. The first is preferable, as it allows you to continue trading on the Steam platform without any trade ban period.
3. Revoke Steam Web API Keys.
If your account has been scammed, your API key is obviously in the scammers’ database. You need to visit your user page on Steam, remove your API key, and let Steam generate a brand new one. It’s good to regularly change your Steam Web API Key to ensure your account is 100% safe and not exploited by any type of scammer.
4. Check sent trade offers.
Visit your Steam user page and review your sent trade offers every time you have offers to be confirmed via your email or mobile phone.
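The check in step 4 can also be done mechanically. The sketch below is an added example, not code from Steam or from this article's author: it scans a trade history for the pattern described above, where one offer is rejected and a second offer for the same items arrives from a different account moments later. The record layout, field names, state labels and sample history are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# States in which the genuine offer disappears (labels are assumptions).
CLOSED_STATES = {"declined", "canceled"}

@dataclass(frozen=True)
class Offer:
    offer_id: str
    partner: str            # account on the other side of the trade
    state: str              # "active", "accepted", "declined", "canceled"
    created: int            # Unix timestamp
    items_given: frozenset  # asset ids that would leave your inventory

def find_swapped_offers(offers, window=300):
    """Return (closed_id, replacement_id) pairs matching the swap pattern:
    an offer is declined/canceled and, within `window` seconds, another
    offer for the same items appears from a different partner."""
    hits = []
    ordered = sorted(offers, key=lambda o: o.created)
    for i, first in enumerate(ordered):
        if first.state not in CLOSED_STATES or not first.items_given:
            continue
        for later in ordered[i + 1:]:
            if later.created - first.created > window:
                break  # sorted by time, so nothing further can match
            if (later.partner != first.partner
                    and later.items_given == first.items_given):
                hits.append((first.offer_id, later.offer_id))
    return hits

# Constructed sample history (not real Steam data).
HISTORY = [
    Offer("1001", "market_bot_A", "declined", 1_700_000_000,
          frozenset({"knife#1", "skin#7"})),
    Offer("1002", "unknown_acct_X", "active", 1_700_000_020,
          frozenset({"knife#1", "skin#7"})),
    Offer("1003", "friend_B", "declined", 1_700_003_000, frozenset({"case#3"})),
    # Same partner re-sending the same offer is not the swap pattern.
    Offer("1004", "friend_B", "active", 1_700_003_030, frozenset({"case#3"})),
    Offer("1005", "market_bot_A", "accepted", 1_700_009_000,
          frozenset({"skin#9"})),
]

if __name__ == "__main__":
    for closed, replacement in find_swapped_offers(HISTORY):
        print(f"offer {closed} was closed and replaced by {replacement}: "
              "do not confirm")
```

A hit means the account that sent the replacement offer is not the one you were trading with, so do not confirm it, and change your password and revoke your API key as described in steps 2 and 3.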
The security of your Steam account and inventory is primarily your own duty. Follow the instructions and enjoy trading.