Steam Security Info

Securing your Steam account

It all starts like this: you get a profile comment from someone you have never played with, even if you haven't played that game for several weeks. The same account sends you a friend request at the same time as the profile comment.

Profile comment

After a few days of this comment (22 days in my case), you will get invited to a CS:GO, DOTA 2, or other game team. To sign up for that team you have to register on a website which at first glance appears to use Steam OpenID authentication.

[01:07]
Miles#M9emerald.0001:
HEY MAN^^ caps* how are you man?^^

[01:08]
Slay___:
I am okay, how about you?

[01:09]
Miles#M9emerald.0001:
ogh nice
i’m a bit sad..
but well..
it’s ok
thanks
whats your csgo rank?

[01:09]
Slay___:
MGE

[01:09]
Miles#M9emerald.0001:
lol?
srsly?!
but you was higher i guess o_O?!
bcs you really played better then your rank lol

[01:10]
Slay___:
Yes, I have been higher rank previously.

[01:11]
Miles#M9emerald.0001:
which was your max rank?

[01:11]
Slay___:
LEM

[01:11]
Miles#M9emerald.0001:
damn i guess you’re very good lem
but me as 3.5k elo on faceit..can tell you,if you will focus..you can show very good performance

[01:12]
Slay___:
Uhh.. I guess.

[01:12]
Miles#M9emerald.0001:
tbh do you play solo?
or with friends?

[01:12]
Slay___:
Mostly with friends.

[01:12]
Miles#M9emerald.0001:
hmm strange how you downgraded
i mean to progress you need good party at least
but
do you play for fun?

[01:13]
Slay___:
Mostly for fun.

[01:13]
Miles#M9emerald.0001:
guessed that 😀
so..
then ill get the point bcs honestly dont have that much time and i dont wanna lose yours too..://
i guess you will not be interested to help me..but at least ill ask
my team is missing one guy in a csgo tourney with a 500 £ prize pool for worldwide players…so I was wondering if you can help us with joining my crew :3

[01:14]
Slay___:
Sure, I can help.

[01:14]
Miles#M9emerald.0001:
oh rly?^^_^

[01:15]
Slay___:
Yes.

[01:15]
Miles#M9emerald.0001:
omfg u was my last friend from my list who could help me
when you can play a match?
bcs
it depends when we are ready
bcs we are already in semifinals
and enemy team wait us
i mean manger offered me time to find fifth player till tmr
tbh
do you have discord?
i mean may be we talk about that through voice?

[01:15]
Slay___:
I do have a Discord but I am mute so I cannot speak.

[01:16]
Miles#M9emerald.0001:
but when you’ll be able to talk?
or when you’ll be able to play the match
i mean i dont think it’s a good idea to play without mic

[01:16]
Slay___:
I can never talk but I can join whenever.

[01:16]
Miles#M9emerald.0001:
why you cant talk?

[01:16]
Slay___:
I am mute, I cannot talk.

[01:17]
Miles#M9emerald.0001:
you mean you’re mute irl?

[01:17]
Slay___:
Yes.

[01:18]
Miles#M9emerald.0001:
so
when you can play a match?

[01:18]
Slay___:
Whenever you need.

[01:18]
Miles#M9emerald.0001:
so if we start a match in 15-20 mins
will be good for you?

[01:18]
Slay___:
Yes.

[01:19]
Miles#M9emerald.0001:
hold on
lemme ask manager
do you have some team experience b4 that?

[01:20]
Slay___:
Not a professional team, just community and friends.

[01:20]
Miles#M9emerald.0001:
ok
but do you know something about in game rolesE?
roles*
i mean lurker awp

[01:21]
Slay___:
I don’t know, possibly?

[01:21]
Miles#M9emerald.0001:
i mean what role you feel more comfortable
you like to play aggressive or defensive?

[01:21]
Slay___:
Aggressive

[01:22]
Miles#M9emerald.0001:
/giphy smirk

https://giphy.com/gifs/vogue-cardi-b-73-questions-J6Vj47PG1hsAkyOVFh

you like to be aggressive :D
ok
enemy team will be ready in 15 mins
thats what said me manager
but firstly he wanna see you in my line up
so i'll give you team's page
you'll register and send request to join in team
ok?

[01:22]
Slay___:
Okay

[01:23]
Miles#M9emerald.0001:
https://rival-main.com/#giantstm
there you go
it’s direct team’s page
register
and you’ll see our team
and button JOIN
lemme show you
if you need help you can ask me and i’ll help you
or we can do this through voice
have you found?

[01:26]
Slay___:
I have found the website, looking into WHOIS data so I know where to direct my abuse reports. Pretty sure your hosting company does not allow phishing websites on their ToS.

[01:26]
Miles#M9emerald.0001:
ehm bro..if you’re afraid of some kind of scam…
you have mobile guard
so you’re in safe
but you can register
and after that change pw
i dont rly care

[01:27]
Slay___:
Yes, your website has JavaScript to grab my login data with Steam Guard code and your bot automatically signs in on your machine with my login data. I know how it all works. I am not giving you my login data, sorry.

[01:27]
Miles#M9emerald.0001:
okay
i’ll login to your account
but for what
to change pw
mobile confirmation
to trade skins
mobile confirmation
to sell on market
again mobile
confirmation…

[01:28]
Slay___:
You set an API key for taking my skins, I know.

[01:28]
Miles#M9emerald.0001:
i told you
you can change pw after that!!!

[01:28]
Slay___:
But that still leaves the API key to my account, unless I delete that as well. And for what? There is no tournament, only scam.

[01:29]
Miles#M9emerald.0001:
ok
you can remove the api
change pw
remove the api
and change pw once again
lmao 😀

[01:29]
Slay___:
Yeah good luck with that. I am not falling for your scam.

The phishing element on the website

On the website you are instructed to log in with Steam. The login element is a fake pop-up window that mimics the Steam OpenID login and shows a trustworthy-looking URL bar.

However, that whole window is fake: the URL shown in it doesn't actually open any website and shouldn't be trusted. One way to tell it's a fake is that you cannot drag the pop-up outside of your browser window, because it is part of the web page itself and not a separate browser window. Also, clicking the green lock icon does nothing; in a real browser window or tab it opens information about the certificate, which proves who the website owner really is and whether the connection is actually secure.

On a real website, clicking that lock icon should look like this in Chromium-based browsers such as Chrome.

Certificate example

Numbered steps of clicking the lock icon. Note how clicking the lock gives more information about the certificate, and how the real website shows “Valve Corp [US]” and the Issued to address.

How to avoid this phish?

Always check that the address starts with https://steamcommunity.com. To be safe, type it yourself to avoid look-alike domains that use different symbols which resemble the real letters but aren't, for example i versus ı, and so on.
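As an added example (not code from the original post), the following JavaScript turns the address check above into a function, and shows why comparing the parsed host exactly is safer than a plain "starts with" test on the text. It assumes only that steamcommunity.com, the host named above, is the one to trust; the phishing hosts in the sample links are constructed placeholders.

```javascript
// Added example: validate that a login link really belongs to steamcommunity.com.
// Assumption: steamcommunity.com (the host named in the post) is the only host to trust.

const REAL_HOST = "steamcommunity.com";

// The naive reading of the advice: does the text start with the right prefix?
// It wrongly passes look-alikes such as "https://steamcommunity.com.phish.example/".
function naiveStartsWith(raw) {
  return raw.startsWith("https://" + REAL_HOST);
}

// Stricter check: parse the URL and compare the *parsed* host exactly.
function checkSteamLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "scheme is " + url.protocol + ", not https:" };
  }
  // Non-ASCII hosts (the dotless ı from the post, Cyrillic letters, ...) are turned
  // into punycode "xn--" labels by the URL parser, so flag them explicitly.
  if (url.hostname.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "internationalised host " + url.hostname + " (possible homoglyph)" };
  }
  // Exact host comparison defeats both "steamcommunity.com.phish.example" and the
  // "https://steamcommunity.com@phish.example/" userinfo trick.
  if (url.hostname !== REAL_HOST) {
    return { ok: false, reason: "host is " + url.hostname + ", not " + REAL_HOST };
  }
  return { ok: true, reason: "host is " + REAL_HOST };
}

// Constructed sample links; the phishing hosts are placeholders, not real sites.
const SAMPLE_LINKS = [
  "https://steamcommunity.com/openid/login",
  "http://steamcommunity.com/openid/login",
  "https://steamcommunıty.com/openid/login", // dotless ı, as in the post
  "https://steamcommunity.com.phish.example/openid/login",
  "https://steamcommunity.com@phish.example/openid/login",
];

for (const link of SAMPLE_LINKS) {
  const r = checkSteamLoginUrl(link);
  console.log((r.ok ? "OK   " : "FAKE ") + link + "  ->  " + r.reason);
}
```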

Another simple trick is to log in at https://steamcommunity.com first, then, if you are feeling brave enough, open the suspicious link(s) and see whether you are logged in or not. If you are automatically logged in to Steam, it's very likely the real Steam OpenID portal.

The real page will know your display name, username and Steam wallet balance as long as you are already logged in beforehand.