Steam Security Info

Securing your Steam account

It all starts like this: you get a profile comment from someone you haven’t played with, even if you haven’t played that game for several weeks.

If you add the Steam account that the profile comment links to, you will be invited to a CS:GO, DOTA 2, or other game team. To sign up for that team you have to register on a website which, at first glance, mimics Steam OpenID authentication.

But on a closer look you will notice that you are still on the phishing website and have not been redirected to Steam for authentication, which means your username and password, or whatever else you type into the login field, will be sent to that website instead of Steam. And if you are using Steam Guard two-factor authentication, the website will also ask for that if the username and password match a live Steam account.

If the web page were the real Steam OpenID portal, it would show https://steamcommunity.com at the very beginning of the URL.

How to avoid this phish?

Always check that the address starts with https://steamcommunity.com, and just to be safe you can type that yourself to avoid lookalikes that use different symbols which may look like the real letters but aren’t, for example i is not ı and so on.
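The same address check written as code, as an added example that is not part of the original page: it parses the link the way a browser does and compares the scheme and the whole host name, which also catches links that only begin with the Steam name. The function name, the reason strings and the sample links (including the .example hosts) are constructed for illustration.

```javascript
// Added example: decide whether a link really points at Steam's login host.
const STEAM_HOST = "steamcommunity.com";

function checkSteamLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser, the same rules browsers apply
  } catch {
    return { ok: false, reason: "not-a-url" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not-https" };
  // Text before an "@" is login info, not the site that will be opened.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo-before-host" };
  }
  // Compare the complete host name, never just the start of the string.
  if (url.hostname === STEAM_HOST) return { ok: true, reason: "steam" };
  // The parser turns non-ASCII letters (such as ı) into "xn--" labels,
  // so a lookalike host can be told apart from a plain different host.
  if (url.hostname.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "lookalike-characters" };
  }
  return { ok: false, reason: "other-host" };
}

// Constructed sample links; the .example hosts are placeholders.
const samples = [
  "https://steamcommunity.com/openid/login",
  "http://steamcommunity.com/openid/login",
  "https://steamcommun\u0131ty.com/openid/login", // dotless ı instead of i
  "https://steamcommunity.com.team-signup.example/openid/login",
  "https://steamcommunity.com@team-signup.example/openid/login",
];

function runSamples() {
  return samples.map((link) => ({ link, ...checkSteamLoginUrl(link) }));
}

for (const result of runSamples()) {
  console.log(result.ok ? "OK    " : "REJECT", result.reason, result.link);
}
```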

Another simple trick is to log in at https://steamcommunity.com first, then, if you are feeling brave enough, open the possibly suspicious link(s) and see whether you are logged in or not. If you are automatically logged in to Steam, then it’s very likely the real Steam OpenID portal.

The real page will know your display name, username and Steam wallet balance as long as you were already logged in beforehand.

Archived source pages:

  • https://archive.is/bcoGY
  • https://archive.is/zVxTg
  • https://archive.is/j7nr8